# Add/Drop fields for searching within Kibanaįields: Winlogbeat.registry_file: evtx-registry.yml # Zachary Burnham 2019 | Winlogbeat Shipper Settings Once created, open it with your favorite text editor and add the following: # EVTX ELK Winlogbeat Configuration File | v1.0 For example, I will name it “ winlogbeat-evtx.yml” for the purpose of this post. Ignoring the default “winlogbeat.yml” file, create a new file within that same directory (should be the root of the Winlogbeat folder) and name it something that makes sense to you. You should now be all set to modify Winlogbeat.
Within this window, navigate to your Winlogbeat folder and run the following command. We want to upload the necessary Winlogbeat template to ELK for proper parsing. Once completed, save the file and then open a PowerShell window as Administrator on your host machine.
Example of winlogbeat.yml with pointing to Elasticsearch For Single-Node clusters, Elasticsearch resides on the same node as the rest of your ELK processes. Scroll down to the “ Outputs” section and modify the “ Hosts” option to resemble the IP of your Elasticsearch instance. Open “ winlogbeat.yml” within your favorite text editor. If you have already used Winlogbeat within your ELK cluster, feel free to leave “winlogbeat.yml” alone and skip these steps. If you have not previously used Winlogbeat within your ELK cluster before, please go ahead and perform the following steps. Within the extracted Winlogbeat folder, you should see a file labeled “ winlogbeat.yml” – this is the default configuration for the service. Once downloaded, extract the contents and place the resulting Winlogbeat folder wherever you see fit on your system. NOTE: For this guide, I used version 7.3.2. If not done so already, go to the following link to download the latest version of Winlogbeat. The setup required for this guide will involve replacing this file with a modified version, as well as utilizing a quick Windows Powershell script to invoke Winlogbeat manually, rather than as a service, using this new YML file. This program also typically runs as a service on the host machine, operating in the background as it grabs EVTX data upon creation. Winlogbeat operates off of the default configuration file “ winlogbeat.yml” for all settings and configurations. For digital forensic investigators, this data is often never hot, but rather cold – collected from images obtained of the systems locked at a specific point in time. This allows for live monitoring of systems based on recorded events that happen in real-time. Winlogbeat is the data shipper created by Elastic used to send “hot,” or live EVTX files to an ELK stack as they happen. My hope is that the information here may help guide you through this process and make it easier to implement within your own environment for you own purposes. As a result, a “plug-and-play” method of just copying these files and executing the process may not work as intended, whether it be due to my goals in this project or future Winlogbeat updates. The following guide will be based on a Single-Node ELK stack, running Ubuntu 19, that does not utilize Logstash.ĭISCLAIMER: These files were created and modified for the purpose of this post. Windows Host Machine to send EVTX log files from.Single-Node or Multi-Node are both acceptable.A functioning ELK stack (Logstash NOT required).This post goes over a possible way to engage in this process. This opens the door to using ELK as a post-incident investigative tool for DFIR analysts, rather than just for live analysis. This functionality allows an analyst to take EVTX files from images of systems collected and utilize the functionality of the ELK stack for their investigations – bypassing the typical use for ELK pertaining to live data monitoring. While the ELK cluster is typically used for live monitoring, Winlogbeat can be tweaked to manually send “cold logs,” or old, inactive Windows Event Logs (EVTX) to ELK manually.
0 kommentar(er)
