Analysis logs for security events

(Kennedy Kan) #1

I am new to winlogbeat. How can I analyse Windows Events (especially in Security, e.g. AD login, logout errors) with winlogbeat and visualize them?

(Andrew Kroh) #2

I recommend following our Getting Started guide and using Winlogbeat 5.0.0-alpha1 because it has some new features over 1.X that are very useful.

When you install Winlogbeat with the default config, it will ship all events from the Security log to Elasticsearch. You can then build some custom searches and dashboards in Kibana to visualize the specific event IDs for logon events. Some of the more important event IDs are:

  • Account Lockouts - 4740
  • User Added to Privileged Group - 4728, 4732, 4756
  • Security-Enabled group Modification - 4735
  • Successful User Account Login - 4624
  • Failed User Account Login - 4625
  • Account Login with Explicit Credentials - 4648

Remote desktop logins can be searched by looking within the login events for an event_data.LoginType: 10 where 10 is the login type for remote interactive logons.

Visualization/Query example: Reporting Windows Security Events in Kibana

(Kennedy Kan) #3

I have seen the query example from Reporting Windows Security Events in Kibana but still couldn't quite understand how to do it.

Instead, I have installed the beats-input plugin and the filter-translate plugin so as to create the beats-input.conf. Here is the .conf file.

input {
  beats {
    port => 5044
  }
}

filter {
  # translate looks up the value of "field" in the dictionary and writes the
  # matching text to "destination"; dictionary_path takes a single path string.
  translate {
    field => "status_code"
    destination => "description"
    dictionary_path => "C:/logstash/dictionary.yaml"
  }
}

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

where the dictionary.yaml stores data referenced from

For example:

"512": Windows NT is starting up
"513": Windows is shutting down
"514": An authentication package has been loaded by the Local Security Authority
"515": A trusted logon process has registered with the Local Security Authority
"516": Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits
"517": The audit log was cleared

But it seems that no results (logs) are received, as seen in Kibana. However, when I stop and start winlogbeat again, new log files are created, as seen in the ProgramData folder.

I have found that when I start winlogbeat with elasticsearch as the output, the logs can be displayed in Kibana, while they can't when I start it with logstash as the output.

(Andrew Kroh) #4

To get started I would output directly to Elasticsearch without the use of Logstash. And then only add Logstash into the loop if it is required. For your original use case I don't think Logstash or the translate filter are required.

What version of Winlogbeat have you installed? What operating system are you using?

Once you have data from Winlogbeat version 5 ingested into Elasticsearch, refresh your Kibana mappings for the winlogbeat-* index pattern to ensure that all of the fields are present. Then try exploring your data with the Discover tab.

Please review the reference documentation for the fields exported by Winlogbeat v5. You'll notice that the status_code you are trying to use with logstash does not exist. The event ID is contained in event_id.
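Putting the event ID list from post #2 together with the field names from post #4, here is an added example (my code, not the thread's and not part of Winlogbeat) that runs the same classifications a practitioner would otherwise build as Kibana searches, but over a handful of constructed Winlogbeat 5-style documents so it runs offline. It assumes the Winlogbeat 5 exported field names, a numeric top-level event_id and string-valued event_data.* fields, and uses the Windows spelling of the logon type field, event_data.LogonType. The documents, host name, IP addresses and user names are made up for the example.

```python
"""Classify Winlogbeat 5 Security-log documents with the event IDs from the thread.

Added example; not code from the thread or from Winlogbeat. Assumes the
Winlogbeat 5 field names: a numeric top-level event_id and string-valued
event_data.* fields (LogonType, TargetUserName, IpAddress, MemberName).
All documents below are constructed for the example, not captured.
"""
from collections import Counter

# Event IDs named in the thread, with a description. This is what the
# translate-filter dictionary was meant to provide, keyed on event_id.
EVENT_DESCRIPTIONS = {
    4740: "Account lockout",
    4728: "Member added to security-enabled global group",
    4732: "Member added to security-enabled local group",
    4756: "Member added to security-enabled universal group",
    4735: "Security-enabled local group modified",
    4624: "Successful logon",
    4625: "Failed logon",
    4648: "Logon with explicit credentials",
}
PRIVILEGED_GROUP_ADD = {4728, 4732, 4756}
# Windows LogonType 10 = RemoteInteractive (RDP). event_data values are strings.
REMOTE_INTERACTIVE = "10"


def _doc(event_id, **event_data):
    """Build a minimal Winlogbeat-5-shaped document (constructed sample)."""
    return {"event_id": event_id, "computer_name": "DC01.example.local",
            "log_name": "Security", "event_data": event_data}


SAMPLE_DOCS = [
    _doc(4624, TargetUserName="alice", LogonType="10", IpAddress="10.0.0.5"),
    _doc(4624, TargetUserName="svc_backup", LogonType="5", IpAddress="-"),
] + [
    _doc(4625, TargetUserName="bob", LogonType="3", IpAddress="10.0.0.9")
    for _ in range(5)
] + [
    _doc(4740, TargetUserName="bob"),
    _doc(4728, SubjectUserName="alice", TargetUserName="Domain Admins",
         MemberName="CN=bob,CN=Users,DC=example,DC=local"),
    _doc(4672, SubjectUserName="alice"),   # special privileges; not in the list
]


def describe(doc):
    """Human-readable description for a document's event_id."""
    return EVENT_DESCRIPTIONS.get(doc["event_id"], "Event %d" % doc["event_id"])


def is_rdp_logon(doc):
    """True for a successful RemoteInteractive (RDP) logon."""
    return (doc["event_id"] == 4624
            and doc["event_data"].get("LogonType") == REMOTE_INTERACTIVE)


def failed_logons_by_source(docs, threshold=5):
    """Sources with at least `threshold` failed logons, as {ip: count}."""
    counts = Counter(d["event_data"].get("IpAddress", "-")
                     for d in docs if d["event_id"] == 4625)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def privileged_group_additions(docs):
    """(member, group) pairs for 4728/4732/4756 events."""
    return [(d["event_data"]["MemberName"], d["event_data"]["TargetUserName"])
            for d in docs if d["event_id"] in PRIVILEGED_GROUP_ADD]


def summarize(docs):
    """Count documents per description, as a Kibana terms visualization would."""
    return dict(Counter(describe(d) for d in docs))


def kibana_query(event_ids, logon_type=None):
    """Lucene query string for the Kibana Discover search bar."""
    q = "event_id:(%s)" % " OR ".join(str(i) for i in sorted(event_ids))
    if logon_type is not None:
        q += " AND event_data.LogonType:%s" % logon_type
    return q


if __name__ == "__main__":
    print(summarize(SAMPLE_DOCS))
    print("RDP logons:", [d["event_data"]["TargetUserName"]
                          for d in SAMPLE_DOCS if is_rdp_logon(d)])
    print("Brute-force candidates:", failed_logons_by_source(SAMPLE_DOCS))
    print("Privileged group additions:", privileged_group_additions(SAMPLE_DOCS))
    print("Kibana search for RDP logons:", kibana_query({4624}, 10))
```

The same checks map directly onto Kibana: summarize() is a terms aggregation on event_id, failed_logons_by_source() is a terms aggregation on event_data.IpAddress filtered to event_id:4625, and kibana_query() produces the search string to paste into Discover once the winlogbeat-* index pattern has been refreshed.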

(Kennedy Kan) #6

Thanks, I really appreciate your great help.
Just one more thing to know. Is there any way I could export the data/fields into an Excel file?

Thanks. Here is my screen capture of kibana.

(Andrew Kroh) #7

The reason I was suggesting you try Winlogbeat 5.0.0-alpha1 is because it provides more detailed information from the events.

Check out this thread regarding Kibana export: How to make a table like Excel sheet with Kibana?

(paul) #8

Hi Andrew, for Win security events would you recommend configuring the client winlogbeat to Elasticsearch instead of Logstash?

(Andrew Kroh) #9

Going straight into Elasticsearch is a simpler setup. I would recommend it if the only thing Logstash is doing with the data is forwarding it to Elasticsearch.

(paul) #10

Thanks Andrew, is this as simple as configuring the winlogbeat.yml on the node to send to Elasticsearch or is there more configuration on the stack too?

Having just tried, I get:

2016/05/12 10:54:32.018180 client.go:457: DBG Ping request failed with: Head es:9200: dial tcp connectex: No connection could be made because the target machine actively refused it.

(Andrew Kroh) #11

Yes, it's simple. Just make sure the index template is installed and configure the elasticsearch output in your configuration file for Winlogbeat.

That error is usually a firewall problem. It could be on the Winlogbeat machine, the network in between, or on the Elasticsearch server.

You should be able to make a web request from the Winlogbeat box to Elasticsearch.

PS C:\Users\vagrant> (Invoke-WebRequest -Method Head -Uri http://elasticsearch:9200).statuscode
