Winlogbeat ist ein Tool, um Windows-Eventlogs aufzubereiten und in einem Elasticsearch- bzw. Opensearch-Index zu speichern. Das Tool erstellt den Index von selbst.
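#!/usr/bin/env bash
# Ad-hoc queries against the winlogbeat index in Elasticsearch/OpenSearch.
#
# Connection settings come from the environment so that the password is not
# part of any command line (shell history, `ps`, process auditing):
#   ES_URL       base URL of the cluster         default: https://172.21.0.134:9200
#   ES_INDEX     index to query                  default: winlogbeat-8.17.4
#   ES_USER      user name                       default: elastic
#   ES_PASSWORD  password of ES_USER             required
#   ES_CACERT    CA certificate file that signed the cluster's HTTP certificate
#                (required; replaces --insecure, which skipped TLS verification)
# The third query used to be run on the cluster host against localhost; with
# ES_URL all three work from any machine that can reach the cluster.
# Requires: curl, jq.
set -euo pipefail

es_url=${ES_URL:-https://172.21.0.134:9200}
es_index=${ES_INDEX:-winlogbeat-8.17.4}
es_user=${ES_USER:-elastic}
: "${ES_PASSWORD:?set ES_PASSWORD to the password of ${es_user}}"
: "${ES_CACERT:?set ES_CACERT to the CA certificate file of the cluster}"
readonly es_url es_index es_user

#######################################
# curl wrapper for the cluster: TLS verification against ES_CACERT, JSON
# content type, and the credentials handed to curl through a config read
# from stdin (`--config -`) instead of `-u user:password` on argv.
# Globals:   es_user, ES_PASSWORD, ES_CACERT (read)
# Arguments: passed through to curl (URL, -d, ...)
# Outputs:   the response body on stdout
# Returns:   curl's exit status (--fail turns HTTP errors into failures)
#######################################
es_curl() {
  local password=$ES_PASSWORD
  # curl's config format quotes values with double quotes; escape the two
  # characters that would otherwise break the quoting.
  password=${password//\\/\\\\}
  password=${password//\"/\\\"}
  printf 'user = "%s:%s"\n' "$es_user" "$password" |
    curl --silent --show-error --fail --config - --cacert "$ES_CACERT" \
      -H 'Content-Type: application/json' "$@"
}

# Events whose TargetUserName starts with "SYS". _search returns only 10 hits
# unless "size" is given, so the two listings below would otherwise be cut off.
sys_user_query='{"size": 10000, "query": { "wildcard": { "winlog.event_data.TargetUserName": "SYS*"}}}'

# Name of the agent (host) that reported each of those events
es_curl -X GET "${es_url}/${es_index}/_search" -d "$sys_user_query" |
  jq -r '.hits.hits[]._source | "\(.agent.name)"'

# Timestamp of each of those events
es_curl -X GET "${es_url}/${es_index}/_search" -d "$sys_user_query" |
  jq -r '.hits.hits[]._source["@timestamp"]'

# All agents: distinct host.name values across every winlogbeat-* index
es_curl -X GET "${es_url}/winlogbeat-*/_search" \
  -d '{ "size":0, "aggs":{ "unique_hosts":{ "terms":{ "field": "host.name", "size":10000}}}}'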
Im Installationsordner von Winlogbeat findet sich ein ps1-Script.
# Registers Winlogbeat as a Windows service. Run it from the Winlogbeat
# installation folder, which is where the script lives (hence the relative path).
& '.\install-service-winlogbeat.ps1'
# This configuration stores the logs of all servers in the same index.
#
# NOTE(review): the entries below look like examples collected from the
# reference winlogbeat.yml (several options appear under one log entry and
# `event_id` is given twice for Security); trim them to what is really wanted
# before deploying.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
    # NOTE(review): `envent_id` looks like a typo for `event_id` -- confirm;
    # as written the key is not the documented option name.
    envent_id: 4800, 4801 # only these event ids
    event_id: -1000,-1000-2000 # a leading minus excludes IDs
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    # NOTE(review): in the original flattened text it is not visible which log
    # entry the options from `level` down to `provider` belong to; they are
    # shown here under the entry they followed.
    level: critical, error, warning
    language: 0x0409 # en-US
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_id: 903
          - equals.winlog.event_id: 1024
          - equals.winlog.event_id: 4624
    tags: ["web"]
    include_xml: true
    provider: # (Get-WinEvent -ListLog Security).ProviderNames
      - Application Error
      - Application Hang
      - Windows Error Reporting
      - EMET
  - id: dhcp-server-logs
    xml_query: >
      <QueryList>
        <Query Id="0" Path="DhcpAdminEvents">
          <Select Path="DhcpAdminEvents">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/FilterNotifications">*</Select>
          <Select Path="Microsoft-Windows-Dhcp-Server/Operational">*</Select>
        </Query>
      </QueryList>

# ====================== Elasticsearch template settings =======================
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  # NOTE(review): the curl queries on this page talk to the cluster over https;
  # if the cluster only serves TLS, `protocol: "https"` plus
  # `ssl.certificate_authorities` must be set here as well.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  # NOTE(review): the password sits in clear text in a file copied to every
  # server; the Beats keystore (`winlogbeat keystore add <KEY>` and then
  # `password: "${<KEY>}"`) keeps it out of the config file.
  password: "*y_mEkRRJHEBLK7ird=*"

  # Pipeline to route events to security, sysmon, or powershell pipelines.
  pipeline: "winlogbeat-%{[agent.version]}-routing"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
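# Deploys (or re-deploys) Winlogbeat to a list of servers: stops the service,
# copies the installation folder from the file share, re-runs the
# install-service script and starts the service again.
#
# Requires PowerShell remoting (WinRM) to every target and Windows PowerShell
# 5.1 on this machine: Get-Service -ComputerName does not exist in PowerShell 7
# (there the stop step would have to move into the Invoke-Command block).

# Select the audit servers from AD instead of the static list below:
#$servers = Get-ADComputer -Filter * | Where-Object { $_.Name -like "*-SRV-AUDIT*" } | Select-Object -ExpandProperty Name
$servers = @(
    "vie-srv-fs03",
    "vie-srv-fs04"
)

# Where the new Winlogbeat files come from and where they go on the target.
# Everything under $source ends up running as SYSTEM on every target, so the
# share must only be writable by whoever maintains this deployment, and the
# files should be checked (hashes against the download, or signature) before
# a rollout.
$source      = "\\fileserver\public\gbi\infrastruktur\software\winlogbeat\*"
$destination = "C:\Program Files\Winlogbeat\"

foreach ($server in $servers) {
    # Stop the service first so the files it holds open can be overwritten.
    try {
        $service = Get-Service Winlogbeat -ComputerName $server -ErrorAction Stop
    } catch {
        # Either not installed yet (first deployment) or the server is not
        # reachable; the install step below will show which one it is.
        Write-Host "[info] Winlogbeat service not found on $server ($($_.Exception.Message))"
        $service = $null
    }

    if ($null -ne $service -and $service.Status -eq 'Running') {
        Write-Host "[info] Winlogbeat is running on $server - stopping service"
        # Stop() only sends the stop request; wait until the service has really
        # stopped, otherwise xcopy runs into files that are still locked.
        $service.Stop()
        try {
            $service.WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))
        } catch [System.ServiceProcess.TimeoutException] {
            Write-Host "[error] Winlogbeat on $server did not stop within 30 s - skipping"
            continue
        }
    } elseif ($null -ne $service) {
        Write-Host "[info] Winlogbeat is NOT running on $server"
    }

    Invoke-Command -ComputerName $server -ErrorAction Continue -ScriptBlock {
        $source      = $using:source
        $destination = $using:destination

        # Copy new files. NOTE(review): this reads a UNC share from inside the
        # remote session; without Kerberos delegation (the "second hop") the
        # target cannot authenticate to the file server -- confirm the current
        # setup allows it.
        $xcopyArgs = "`"$source`" `"$destination`" /y /s /e"
        $xcopy = Start-Process -FilePath "xcopy.exe" -ArgumentList $xcopyArgs -NoNewWindow -Wait -PassThru

        $scriptPath = "C:\Program Files\Winlogbeat\install-service-winlogbeat.ps1"
        if ($xcopy.ExitCode -ne 0) {
            # Do not (re-)install from a half-copied folder.
            Write-Host "[error] xcopy failed with exit code $($xcopy.ExitCode) on $env:COMPUTERNAME"
        } elseif (Test-Path $scriptPath) {
            # (Re-)register the service, start it and make it start at boot.
            powershell.exe -ExecutionPolicy Bypass -File $scriptPath
            Start-Service winlogbeat
            # 'Automatic' is the ServiceStartupType member name; 'Auto' is not.
            Set-Service winlogbeat -StartupType Automatic
        } else {
            Write-Host "[error] Install script not found: $scriptPath"
        }

        # Report the final state of the service on this server.
        $status = (Get-Service winlogbeat).Status
        Write-Host "[info] Status after install: $status"
    }
}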