winlogbeat

Page created 2025/03/25 22:55 by jango; current revision 2025/04/16 11:34 by jango.

Winlogbeat is a tool that reads [[Windows]] event logs, enriches them and stores them in an [[Elasticsearch]] or [[Opensearch]] index. The index (and its template) is created by Winlogbeat itself, so nothing has to be set up on the cluster side first.

<code bash>
# Put the password in an environment variable first (export ES_PASS=...) instead of on the
# command line, where it ends up in the shell history and in 'ps' output.
# --insecure skips TLS certificate verification; prefer --cacert ca.crt with the cluster's CA.
ES="https://172.21.0.134:9200"; AUTH="elastic:${ES_PASS}"

# agent.name of every hit whose TargetUserName starts with SYS
# (wildcard is case-sensitive on keyword fields; _search returns 10 hits unless "size" is set)
curl -sS -X GET "$ES/winlogbeat-8.17.4/_search" -u "$AUTH" --insecure -H 'Content-Type: application/json' \
  -d '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' | jq -r '.hits.hits[]._source | "\(.agent.name)"'

# same query, @timestamp (UTC) of every hit
curl -sS -X GET "$ES/winlogbeat-8.17.4/_search" -u "$AUTH" --insecure -H 'Content-Type: application/json' \
  -d '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' | jq -r '.hits.hits[]._source["@timestamp"]'

# list all agents: distinct host.name values across all winlogbeat indices
curl -sS -X GET "$ES/winlogbeat-*/_search" -u "$AUTH" --insecure -H 'Content-Type: application/json' \
  -d '{ "size":0, "aggs":{ "unique_hosts":{ "terms":{ "field": "host.name", "size":10000}}}}' | jq -r '.aggregations.unique_hosts.buckets[].key'
</code>

<box red>To read the Security log, Winlogbeat has to run with administrative rights (the service registered by the install script runs as LocalSystem, which is sufficient; a dedicated non-admin service account needs membership in the **Event Log Readers** group instead). Also, Windows records all event timestamps in **UTC**, so ''@timestamp'' in the index is UTC as well; Kibana only converts to the browser's time zone when displaying.</box>

=====Installation=====

The Winlogbeat installation folder contains a PowerShell script that registers the service (as LocalSystem); it does not start the service.
<code>
.\install-service-winlogbeat.ps1
</code>
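The installation step above plus the checks a first rollout should include, as an added example that is not the page's own code and not Winlogbeat's install script: config and output self-test, service account, read access to the Security log, and the UTC timestamp point from the box above. It assumes Winlogbeat is unpacked to C:\Program Files\Winlogbeat with its winlogbeat.yml in the same folder, and that it is run from an elevated PowerShell.

```powershell
# Added example (not from the original page): register the Winlogbeat service
# and verify the things that usually go wrong on a first rollout.
# Assumption: Winlogbeat lives in C:\Program Files\Winlogbeat together with
# winlogbeat.yml; run from an elevated PowerShell.

$wlbDir = 'C:\Program Files\Winlogbeat'
$wlbExe = Join-Path $wlbDir 'winlogbeat.exe'
$wlbCfg = Join-Path $wlbDir 'winlogbeat.yml'

# 1. Syntax-check the config before touching the service, then test the
#    Elasticsearch output (TLS, credentials, index permissions).
#    Both subcommands exit non-zero on failure.
& $wlbExe test config -c $wlbCfg
if ($LASTEXITCODE -ne 0) { throw "winlogbeat.yml does not parse, aborting" }
& $wlbExe test output -c $wlbCfg
if ($LASTEXITCODE -ne 0) { Write-Warning "output test failed, check output.elasticsearch in winlogbeat.yml" }

# 2. Register the service with the shipped script (it does not start it)
& powershell.exe -ExecutionPolicy Bypass -File (Join-Path $wlbDir 'install-service-winlogbeat.ps1')

# 3. Start on boot and start now
Set-Service -Name winlogbeat -StartupType Automatic
Start-Service -Name winlogbeat

# 4. Which account does the service use? Reading the Security log needs
#    LocalSystem, an administrator, or membership in 'Event Log Readers'.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='winlogbeat'"
Write-Output "[info] winlogbeat runs as '$($svc.StartName)', state: $($svc.State)"

# 5. Can this (elevated) session read the Security log at all? If not, the
#    service cannot either. The same event is printed local and in UTC, which
#    is what ends up in @timestamp.
try {
    $last = Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop
    Write-Output ("[info] newest Security event {0}: {1:o} local = {2:o} UTC" -f `
        $last.Id, $last.TimeCreated, $last.TimeCreated.ToUniversalTime())
} catch {
    Write-Output "[error] cannot read the Security log: $($_.Exception.Message)"
}

# 6. Problems that only surface after start (permissions on the data
#    directory, a bad processor definition) stop the service again after a
#    moment, so look a second time and read the log if it is not running.
Start-Sleep -Seconds 10
$state = (Get-Service -Name winlogbeat).Status
Write-Output "[info] service state after 10 s: $state"
if ($state -ne 'Running') {
    Write-Output "[error] see $env:ProgramData\winlogbeat\logs (the log path the install script sets)"
}
```

Run it once per host after the files are in place; steps 1 and 5 are the ones worth repeating after every config change, since a typo in a channel name or a processor is not caught by the service start itself.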
  
<code yaml>
# This configuration stores the logs of all servers in the same index
winlogbeat.event_logs:

  - name: Application
    ignore_older: 72h
# [...]

  - name: Security
    # comma-separated list of IDs or ranges; a leading minus excludes (e.g. -1000-2000)
    event_id: 4800, 4801         # only these event IDs

  - name: Microsoft-Windows-Sysmon/Operational

# [...]
  - name: ForwardedEvents
    tags: [forwarded]

  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    level: critical, error, warning
    language: 0x0409 # en-US
    processors:
      # keep only these event IDs (example values; the list must be nested under the processor key)
      - drop_event.when.not.or:
          - equals.winlog.event_id: 903
          - equals.winlog.event_id: 1024
          - equals.winlog.event_id: 4624
    tags: ["web"]
    include_xml: true
    # provider filters on the event source. The names must be providers of *this*
    # channel, check with (Get-WinEvent -ListLog '<channel>').ProviderNames.
    # The four below are Application-log providers and would drop every
    # firewall event, so they stay commented out on this channel.
    #provider:
    #  - Application Error
    #  - Application Hang
    #  - Windows Error Reporting
    #  - EMET

  # several channels in one entry via an XPath query; 'id' is mandatory in that case
  - id: dhcp-server-logs
    xml_query: >
      <QueryList>
        <Query Id="0" Path="DhcpAdminEvents">
          <Select Path="DhcpAdminEvents">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
        </Query>
      </QueryList>

# ====================== Elasticsearch template settings =======================
# [...]
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
</code>

=====Windows Deployment=====

First attempt, which does not work: the copy from the file share runs inside the remote session. The usual reason this fails is the Kerberos second-hop problem: the session on the target host holds no credentials it may forward to ''\\fileserver'', so xcopy is denied access and only the local install step runs.
<code powershell>
#$servers = Get-ADComputer -Filter * | Where-Object { $_.Name -like "*-SRV-AUDIT*" } | Select-Object -ExpandProperty Name

$servers = @(
    "vie-srv-fs03",
    "vie-srv-fs04"
)

foreach ($server in $servers) {

    # If the service is running, stop it so we can overwrite files
    # (Get-Service -ComputerName exists in Windows PowerShell 5.1 only, not in PowerShell 7)
    $status = (Get-Service Winlogbeat -ComputerName $server).Status
    if ($status -like "running") {
        Write-Host "[info] Winlogbeat is running on $server - stopping service"
        (Get-Service Winlogbeat -ComputerName $server).Stop()
    } else {
        Write-Host "[info] Winlogbeat is NOT running on $server"
    }

    Invoke-Command -ComputerName $server -ErrorAction Continue -ScriptBlock {

        # Copy new files. This is the step that does not work: inside the remote
        # session there are no delegable credentials for \\fileserver (second hop),
        # so xcopy gets "access denied" and nothing new arrives in $destination.
        $source = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
        $destination = "C:\Program Files\Winlogbeat\"
        $xcopyArgs = "`"$source`" `"$destination`" /y /s /e"
        Start-Process -FilePath "xcopy.exe" -ArgumentList $xcopyArgs -NoNewWindow -Wait

        $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"

        if (Test-Path $scriptPath) {
            # Execute install script (registers the service, does not start it)
            powershell.exe -ExecutionPolicy Bypass -File $scriptPath
            # Start service
            Start-Service winlogbeat
            # Set startup type to automatic
            Set-Service winlogbeat -StartupType Automatic
        } else {
            Write-Host "[error] Install script not found: $scriptPath"
        }

        # Check status
        $status = (Get-Service winlogbeat).Status
        Write-Output "[info] Status after install: $status"
    }
}
</code>

Working version: the files are copied from the workstation through the PSSession with ''Copy-Item -ToSession'', so the target host never has to authenticate to the file share. Hosts that cannot be reached over WinRM are written to a separate file, with a note whether they at least answer to ping.
<code powershell>
#
# Last run stopped at vie-srv-admin01 (not finished)
#

<#
# -and has to stay on the same line as the previous condition (or at the end of
# it); a line starting with -and is a parse error in PowerShell.
$servers = Get-ADComputer -Filter * -Properties * | Where-Object {
    $_.Name -like "*-SRV-*" -and
    $_.OperatingSystem -like "Windows*" -and
    $_.DistinguishedName -notlike "*Löschen*"
} | Select-Object -ExpandProperty Name
#>

$servers = @(
    "vie-srv-sign01"
)

$logfile = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_log.txt"
$online  = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_online.txt"
$offline = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_offline.txt"
$source  = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"

#$servers = @("vie-t-srv-audit")

foreach ($server in $servers) {

    # If the service is running, stop it so the files can be overwritten
    # (Get-Service -ComputerName: Windows PowerShell 5.1 only)
    $status = (Get-Service -Name Winlogbeat -ComputerName $server -ErrorAction SilentlyContinue).Status
    if ($status -like "running") {
        Write-Output "[info] Winlogbeat is running on $server"
        (Get-Service -Name Winlogbeat -ComputerName $server).Stop()
        Write-Output "[info] Winlogbeat service stopped successfully"
    } else {
        Write-Output "[info] Winlogbeat is NOT running on $server"
    }

    $session = $null
    try {
        # One session for copy and install. The copy goes from this workstation
        # through the session, so the remote side never touches \\fileserver and
        # no credential delegation (second hop) is needed.
        $session = New-PSSession -ComputerName $server -ErrorAction Stop
        Copy-Item -Path $source -Destination "C:\Program Files\Winlogbeat" -ToSession $session -Recurse -Force

        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            Param($srv)

            $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"

            if (Test-Path $scriptPath) {
                # Execute install script (registers the service as LocalSystem)
                powershell.exe -ExecutionPolicy Bypass -File $scriptPath
                # Start service
                Start-Service winlogbeat
                # Set startup type to automatic
                Set-Service winlogbeat -StartupType Automatic
                Write-Output "[info] Install script executed on $srv"
            } else {
                Write-Output "[error] Install script not found on ${srv}: $scriptPath"
            }

            # Check status
            $status = (Get-Service winlogbeat).Status
            Write-Output "[info] Status after install on ${srv}: $status"
        } -ArgumentList $server | Tee-Object -FilePath $logfile -Append

        Write-Output $server >> $online

    } catch {
        # WinRM failed: distinguish a host that is down from one that is up but
        # does not accept remoting (firewall, WinRM not configured)
        if (Test-Connection -ComputerName $server -Count 1 -Quiet) {
            Write-Output "[info] Could NOT connect remotely to $server but it is reachable by ping" >> $offline
        } else {
            Write-Output "[info] Could NOT connect remotely to $server" >> $offline
        }
    } finally {
        if ($session) { Remove-PSSession $session }
    }
}
</code>
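After a deployment run the question is which servers actually ship events, not only whether the service is installed. The following added example (not part of the original page) extends the "list all agents" aggregation from the query section above with a ''max'' sub-aggregation on ''@timestamp'', and joins the result with the service state read over WinRM, so a host that is installed but silent (stopped service, wrong output config, blocked port) shows up. Assumed: Elasticsearch at https://172.21.0.134:9200 with a CA certificate the workstation trusts (import the CA rather than disabling verification), index pattern ''winlogbeat-*'', user ''elastic'' with the password in ''$env:ES_PASS'', and the same server list the deployment script uses.

```powershell
# Added example (not from the original page): post-deployment coverage check.
# Assumptions: ES reachable at $esUrl with a trusted CA, basic auth for the
# 'elastic' user with the password in $env:ES_PASS, index pattern winlogbeat-*,
# and WinRM access to the servers in $servers.

$esUrl    = 'https://172.21.0.134:9200'
$indexPat = 'winlogbeat-*'
$staleMin = 30                                   # flag hosts silent for longer than this
$servers  = @('vie-srv-fs03', 'vie-srv-fs04')    # same list as the deployment script

# Basic auth header built by hand: works in Windows PowerShell 5.1 and PowerShell 7 alike
$authBytes = [Text.Encoding]::ASCII.GetBytes("elastic:$($env:ES_PASS)")
$headers   = @{ Authorization = 'Basic ' + [Convert]::ToBase64String($authBytes) }

# One terms aggregation on host.name with a max sub-aggregation: newest event per host.
# size 0 suppresses the hits themselves; only the aggregation comes back.
$body = @{
    size = 0
    aggs = @{
        hosts = @{
            terms = @{ field = 'host.name'; size = 10000 }
            aggs  = @{ last_seen = @{ max = @{ field = '@timestamp' } } }
        }
    }
} | ConvertTo-Json -Depth 10

$resp = Invoke-RestMethod -Method Post -Uri "$esUrl/$indexPat/_search" `
            -Headers $headers -ContentType 'application/json' -Body $body

# host.name (lower-cased, so the comparison with the AD/server list is case-insensitive)
# -> last event time as UTC. Elasticsearch returns the max of a date field as
# value_as_string in ISO 8601 with a Z suffix.
$lastSeen = @{}
foreach ($b in $resp.aggregations.hosts.buckets) {
    $lastSeen[$b.key.ToLower()] = [datetimeoffset]::Parse($b.last_seen.value_as_string).UtcDateTime
}

$now = [datetime]::UtcNow
$report = foreach ($server in $servers) {
    $key = $server.ToLower()

    # service state over WinRM; a host that cannot be reached is reported as such
    try {
        $svcState = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            (Get-Service -Name winlogbeat -ErrorAction SilentlyContinue).Status
        }
        if (-not $svcState) { $svcState = 'not installed' }
    } catch {
        $svcState = 'unreachable'
    }

    # compare against what Elasticsearch has actually indexed for this host
    if ($lastSeen.ContainsKey($key)) {
        $ageMin  = [int](($now - $lastSeen[$key]).TotalMinutes)
        $verdict = if ($ageMin -gt $staleMin) { "STALE ($ageMin min)" } else { "ok ($ageMin min)" }
    } else {
        $verdict = 'NO EVENTS IN ES'
    }

    [pscustomobject]@{
        Server      = $server
        Service     = $svcState
        LastSeenUtc = $lastSeen[$key]
        Verdict     = $verdict
    }
}

$report | Format-Table -AutoSize
# Anything not 'ok' is worth a look: 'Running' + 'STALE' usually means the output
# is rejecting events or the configured channels are empty; 'NO EVENTS IN ES' with
# 'Running' right after install may just be ignore_older doing its job.
```

Because the check works on ''host.name'' as indexed, hosts whose name in Elasticsearch differs from the AD name (for example after a rename) appear as ''NO EVENTS IN ES''; the "list all agents" query from above is the quick way to see what names the cluster actually holds.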