Winlogbeat ist ein Tool, um [[Windows]] Eventlogs aufzubereiten und in einen [[Elasticsearch]] bzw. [[Opensearch]] Index zu speichern. Das Tool erstellt den Index von selbst.
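# Ad-hoc _search queries against the winlogbeat indices (results filtered with jq).
#
# The password of the elastic user is taken from the environment instead of being
# written into the command line: argv is visible to every local user via ps and is
# kept in the shell history. Provide it once with
#   read -rs ELASTIC_PASSWORD && export ELASTIC_PASSWORD
# (a password containing a double quote must be backslash-escaped, curl -K syntax).
#
# TLS: set ES_CA_CERT to the cluster's CA certificate file to verify the server
# certificate. When it is unset, the requests fall back to --insecure (no
# verification), which is what the original one-liners did.
set -o pipefail

#######################################
# Run one _search request and print the raw JSON response to stdout.
# Globals:   ELASTIC_PASSWORD (read, required), ES_CA_CERT (read, optional)
# Arguments: $1 - full _search URL, $2 - JSON request body
# Returns:   curl's exit status (non-zero on connection errors and, because of
#            --fail, on HTTP error responses such as 401)
#######################################
es_search() {
  local url=$1
  local body=$2
  local -a tls_opts
  : "${ELASTIC_PASSWORD:?password of the elastic user (export it, do not put it on the command line)}"
  if [[ -n "${ES_CA_CERT:-}" ]]; then
    tls_opts=(--cacert "$ES_CA_CERT")
  else
    tls_opts=(--insecure)
  fi
  # -K - reads the credentials as a curl config line from stdin, so they never show
  # up in the process list; -sS --fail turns HTTP errors into a non-zero exit status
  # instead of handing an error document to jq.
  printf 'user = "elastic:%s"\n' "$ELASTIC_PASSWORD" \
    | curl -sS --fail -K - "${tls_opts[@]}" -X GET "$url" \
        -H 'Content-Type: application/json' \
        -d "$body"
}

# Agent names of all events whose TargetUserName starts with SYS
es_search "https://172.21.0.134:9200/winlogbeat-8.17.4/_search" \
  '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' \
  | jq -r '.hits.hits[]._source | "\(.agent.name)"'

# Timestamps of the same events
es_search "https://172.21.0.134:9200/winlogbeat-8.17.4/_search" \
  '{"query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}' \
  | jq -r '.hits.hits[]._source["@timestamp"]'

# Liste alle Agents: distinct host.name values over all winlogbeat-* indices
es_search "https://localhost:9200/winlogbeat-*/_search" \
  '{ "size":0, "aggs":{ "unique_hosts":{ "terms":{ "field": "host.name", "size":10000}}}}'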
Damit Winlogbeat auf den Security Log zugreifen kann muss Winlogbeat als Admin gestartet sein! Außerdem wird **alles in UTC** geloggt (von Windows)!
=====Installation=====
Im Installationsordner von Winlogbeat findet sich ein ps1 Script.
# Run from the Winlogbeat installation directory (where the script ships); it installs
# the Winlogbeat Windows service, which is started afterwards with Start-Service.
.\install-service-winlogbeat.ps1
# Diese Konfiguration speichert die Logs aller Server im selben Index
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: System
- name: Security
event_id: 4800, 4801 # nur diese event ids
event_id: -1000,-1000-2000 # Mit minus davor IDs ausschliessen
- name: Microsoft-Windows-Sysmon/Operational
- name: Windows PowerShell
event_id: 400, 403, 600, 800
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
- name: ForwardedEvents
tags: [forwarded]
- name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
level: critical, error, warning
language: 0x0409 # en-US
processors:
- drop_event.when.not.or:
- equals.winlog.event_id: 903
- equals.winlog.event_id: 1024
- equals.winlog.event_id: 4624
tags: ["web"]
include_xml: true
provider: # (Get-WinEvent -ListLog Security).ProviderNames
- Application Error
- Application Hang
- Windows Error Reporting
- EMET
- id: dhcp-server-logs
xml_query: >
# ====================== Elasticsearch template settings =======================
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
# ================================== Outputs ===================================
# Configure what output to use when sending the data collected by the beat.
# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["localhost:9200"]
# Protocol - either `http` (default) or `https`.
# NOTE(review): with protocol left commented out the output talks plain http, whereas
# the curl examples on this page reach port 9200 over https — confirm which one the
# cluster serves. For https, point ssl.certificate_authorities at the cluster CA file
# instead of disabling certificate verification.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
# NOTE(review): a cleartext password here is readable by everyone who can read
# winlogbeat.yml on each server. The Beats keystore keeps it out of the file:
#   winlogbeat keystore add ES_PWD      (then use:  password: "${ES_PWD}")
# A dedicated user or API key (see api_key above) limited to writing winlogbeat-*
# would also avoid distributing the built-in superuser's password to every host.
password: "*y_mEkRRJHEBLK7ird=*"
# Pipeline to route events to security, sysmon, or powershell pipelines.
pipeline: "winlogbeat-%{[agent.version]}-routing"
# ================================= Processors =================================
processors:
# Host metadata is skipped for events that were forwarded from another machine
# (their host fields describe the origin, not the collector).
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
=====Windows Deployment=====
Not good
#$servers = Get-ADComputer -Filter * | Where-Object { $_.Name -like "*-SRV-AUDIT*" } | Select-Object -ExpandProperty Name
# First deployment attempt, kept for reference; the working variant is the one below.
# Targets are listed explicitly here; the commented AD query above was meant to
# build the list from all *-SRV-AUDIT* computers.
$servers = @(
"vie-srv-fs03",
"vie-srv-fs04"
)
foreach ($server in $servers) {
# If the service is running, stop it so we can overwrite files
# Get-Service -ComputerName exists in Windows PowerShell 5.1 only (removed in PowerShell 7).
# If the service is not installed yet, $status is $null and the else branch runs.
$status = (Get-Service Winlogbeat -ComputerName $server).Status
if($status -like "running") {
Write-Host "[info] Winlogbeat is running on $server - stopping service"
# Stop() only issues the stop request and does not wait for the process to exit,
# so the copy below can still run into the locked winlogbeat.exe.
$r = (Get-Service Winlogbeat -ComputerName $server).Stop()
} else {
Write-Host "[info] Winlogbeat is NOT running on $server"
}
# -ErrorAction Continue: a failed remote call is only printed; the loop moves on and
# nothing records which servers were skipped (no try/catch, no offline list here).
Invoke-Command -ComputerName $server -ErrorAction Continue -ScriptBlock {
# Copy new files
# NOTE(review): the UNC share is read from inside the remote session. The working
# variant copies with Copy-Item -ToSession from the local host instead, which looks
# like the reason this version did not work (second-hop credentials) — confirm.
# NOTE(review): everything on this share is executed with administrative rights on
# every target (install script below, -ExecutionPolicy Bypass); confirm write access
# to the share is restricted to the owners of this deployment.
$source = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
$destination = "C:\Program Files\Winlogbeat\"
$xcopyArgs = "`"$source`" `"$destination`" /y /s /e"
# The exit status of xcopy is not checked; a failed copy still leads to the install step.
Start-Process -FilePath "xcopy.exe" -ArgumentList $xcopyArgs -NoNewWindow -Wait
$scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"
if (Test-Path $scriptPath) {
# Execute install script
powershell.exe -ExecutionPolicy Bypass -File $scriptPath
# Start service
Start-Service winlogbeat
# Set startup type to automatic
Set-Service winlogbeat -StartUpType Auto
# Check status
} else {
Write-Host "[error] Install script not found: $scriptPath"
}
# Status is read on the remote side after both branches, so it is also printed when
# the install script was missing.
$status = (Get-Service winlogbeat).Status
Write-Output "[info] Status after install: $status"
}
}
Good
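#
# Last run stopped at vie-srv-admin01 (not finished)
#
# Deploys Winlogbeat to every server in $servers: stops a running service, copies the
# files from the distribution share into the install directory, runs the bundled
# install script there and starts the service. Servers that could not be handled are
# appended to $offline together with the reason.
#
# Get-Service -ComputerName (used below) exists in Windows PowerShell 5.1 only; it was
# removed in PowerShell 7, so run this from Windows PowerShell.
#
# Alternative target list from AD, kept for reference. PowerShell only continues a
# statement on the next line when the operator stands at the END of the line, so the
# -and operators are placed there (a leading -and is a parse error). Only
# OperatingSystem needs to be requested explicitly; Name and DistinguishedName are
# returned by default.
<#
$servers = Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object {
    $_.Name -like "*-SRV-*" -and
    $_.OperatingSystem -like "Windows*" -and
    $_.DistinguishedName -notlike "*Löschen*"
} | Select-Object -ExpandProperty Name
#>
$servers = @(
    "vie-srv-sign01"
)
# $logfile and $online are currently not written to (see the commented-out line in the loop).
$logfile = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_log.txt"
$online = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_online.txt"
$offline = "c:\users\manuel.zarat\desktop\winlogbeat_deployment_servers_offline.txt"
#$servers = @("vie-t-srv-audit")

# Distribution share and install directory.
# NOTE(review): whatever is on this share is executed with administrative rights on
# every target (install-service-winlogbeat.ps1 is run with -ExecutionPolicy Bypass);
# confirm that write access to the share is limited to the owners of this deployment.
$sourcePath = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
$installDir = "C:\Program files\Winlogbeat"

foreach ($server in $servers) {
    $session = $null
    try {
        # If the service is running, stop it so we can overwrite files.
        # A service that is not installed yet (first deployment) or an unreachable host
        # yields $null here and is treated as "not running"; the error is still printed.
        $svc = Get-Service -Name Winlogbeat -ComputerName $server
        if ($null -ne $svc -and $svc.Status -like "running") {
            Write-Output "[info] Winlogbeat is running on $server"
            $svc.Stop()
            # Stop() only sends the stop request; wait until the service has really
            # stopped, otherwise Copy-Item may hit the still-locked winlogbeat.exe.
            $svc.WaitForStatus([System.ServiceProcess.ServiceControllerStatus]::Stopped, [TimeSpan]::FromSeconds(60))
            Write-Output "[info] Winlogbeat service stopped successfully"
        } else {
            Write-Output "[info] Winlogbeat is NOT running on $server"
        }

        # One session is used for both the copy and the install step and is removed in
        # finally; the copy is inside the try so that a failed copy is logged instead of
        # silently running the install script against the old files.
        $session = New-PSSession -ComputerName $server -ErrorAction Stop
        Copy-Item -Path $sourcePath -Destination $installDir -ToSession $session -Recurse -Force -ErrorAction Stop

        Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
            $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"
            if (Test-Path $scriptPath) {
                # Execute install script, then start the service and make it start at boot
                powershell.exe -ExecutionPolicy Bypass -File $scriptPath
                Start-Service winlogbeat
                Set-Service winlogbeat -StartupType Automatic
                Write-Output "[info] Install script executed"
            } else {
                Write-Output "[error] Install script not found: $scriptPath"
            }
            # Status is reported in both cases, so a missing install script shows up as
            # a not-running service in the output.
            $status = (Get-Service winlogbeat).Status
            Write-Output "[info] Status after install: $status"
        }
        #$stat >> $online
    } catch {
        # Wenn der Server nicht erreichbar ist, schreibe es ins Log
        # (everything thrown above ends up here: session, copy or install failure)
        $connection = Test-Connection -ComputerName $server -Count 1 -Quiet
        if (-not $connection) {
            Write-Output "[info] Could NOT connect remotely to $server" >> $offline
        } else {
            Write-Output "[info] Could NOT connect remotely to $server but its reachable by ping" >> $offline
        }
        # Keep the actual reason next to the entry; it is otherwise lost.
        Write-Output "[error] $server : $($_.Exception.Message)" >> $offline
    } finally {
        # The original left the session open; close it on every path.
        if ($null -ne $session) {
            Remove-PSSession -Session $session
        }
    }
}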