Elastic stack with X-Pack to replace GFI EventsManager


#1

Hello *,

I'm currently investigating, if we can replace "GFI EventsManager" with an Elastic stack.
The GFI EM is not actively developed anymore and the latest version is from 2013.

In our project we're switching to Windows 10 soon and if possible, I'd like to give the recommendation to get rid of GFI EM and replace it with Elasticsearch + Kibana + X-Pack. I've played around privately with Elastic stacks for roughly a year now, and while it suits the needs I had at home, for the project it may be a different story.

There is a very specific security requirement that needs to be met (for which we used GFI EM) and it outgrows what I've done with the Elastic stacks before.

tl;dr
Is it possible to fulfill the following needs with an Elastic stack + X-Pack?

(1) Monitor Windows logs for specific security violations and check the number of violations against each user over a certain timespan, e.g. 2 months (I know the first part is possible, but is the second part possible as well, when combined with point (2))?
(2) After a certain number of violations, a warning shall be sent to the user (not via E-Mail, the system is not connected to the Internet or an Intranet, we'd use msg.exe) and after an additional number of violations, the user account shall be locked out (that means running e.g. a PowerShell script).
(3) Backup and archive the gathered logs in a CSV file every Sunday (I know a CSV export is now possible in Kibana, but can it be automatically downloaded, i.e. not doing it via the web interface)?

I don't need detailed explanations for the three points (although, don't hold back with tips if you want :slight_smile:), but if someone tells me that one of the points is not feasible with an Elastic stack + X-Pack, it would save me a lot of time and I can avoid a dead end.

Thanks in advance and best regards!


(Alexander Reelsen) #2

Hey,

first, I have no idea what the GFI EventsManager is, I can only comment about the Elastic Stack side of things.

  1. you can monitor windows logs using the winlogbeat, which can send logs over to ES or logstash. You can check the number of violations in a certain timebucket using a search for your time range and an aggregation on your user names (also you may want to add some info if the user has already been warned).
  2. X-Pack Alerting allows you to create an alert based on the data indexed. But in this case, you would need another component that is doing the msg.exe thing. You can use alerting to send a HTTP message to this component, which then takes care of the msg.exe call. You could use a http logstash input and the exec output to execute msg.exe. See https://www.elastic.co/guide/en/logstash/6.1/plugins-outputs-exec.html
  3. This could be done via logstash and the csv output plugin as well.

hope this helps.

--Alex
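Added example (not from the thread or from Elastic's documentation): the search-plus-aggregation and the watch from points 1 and 2 above, sketched in Python so the threshold logic can be exercised offline. Everything concrete here is an assumption: Winlogbeat 6.x field names (`event_id`, `event_data.TargetUserName`), Windows event 4625 (failed logon) standing in for "a security violation", a 60-day window, thresholds of 5 (warn) and 10 (lock), index pattern `winlogbeat-*`, and a Logstash http input at `http://logstash.internal:8080`. The watch only ships the per-user buckets; the "has this user already been warned" state that Alex mentions lives in the receiving component, which is what `decide_actions` models.

```python
"""Hypothetical X-Pack Watcher definition and the warn/lock decision it feeds.

All field names, event codes, thresholds and URLs below are assumptions for
illustration, not values taken from the original thread.
"""
import json

WINDOW = "60d"              # assumed: "a certain timespan, e.g. 2 months"
WARN_AT = 5                 # assumed warning threshold
LOCK_AT = 10                # assumed lockout threshold
EVENT_IDS = [4625]          # assumed: failed logon counts as a violation
USER_FIELD = "event_data.TargetUserName"   # Winlogbeat 6.x field layout (assumed)
LOGSTASH_URL = "http://logstash.internal:8080"   # assumed Logstash http input


def violations_query(window=WINDOW, event_ids=EVENT_IDS, user_field=USER_FIELD):
    """Search body: violations inside the window, bucketed per user.

    min_doc_count drops users below the warning threshold on the server side,
    so the watch payload only carries users that need attention."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"terms": {"event_id": event_ids}},
            {"range": {"@timestamp": {"gte": "now-" + window}}},
        ]}},
        "aggs": {"per_user": {"terms": {
            "field": user_field, "size": 1000, "min_doc_count": WARN_AT}}},
    }


def watch_body():
    """Watch: run the query every 10 minutes, fire when any bucket survives,
    and POST the buckets as JSON to the Logstash http input."""
    return {
        "trigger": {"schedule": {"interval": "10m"}},
        "input": {"search": {"request": {
            "indices": ["winlogbeat-*"], "body": violations_query()}}},
        "condition": {"script": {"source":
            "return ctx.payload.aggregations.per_user.buckets.size() > 0"}},
        "actions": {"notify_logstash": {"webhook": {
            "method": "POST",
            "url": LOGSTASH_URL,
            "headers": {"Content-Type": "application/json"},
            "body": "{{#toJson}}ctx.payload.aggregations.per_user.buckets{{/toJson}}",
        }}},
    }


def decide_actions(buckets, already_warned, warn_at=WARN_AT, lock_at=LOCK_AT):
    """Map aggregation buckets to per-user actions on the receiving side.

    already_warned: users warned earlier in this window (state the receiver
    keeps itself). A user is warned once, and locked only once the second
    threshold is reached; the lock check comes first so a user who skipped
    straight past both thresholds is locked, not merely warned."""
    actions = {}
    for bucket in buckets:
        user, count = bucket["key"], bucket["doc_count"]
        if count >= lock_at:
            actions[user] = "lock"
        elif count >= warn_at and user not in already_warned:
            actions[user] = "warn"
    return actions


# Constructed sample of what the webhook would deliver (not real data).
SAMPLE_BUCKETS = [
    {"key": "alice", "doc_count": 12},
    {"key": "bob", "doc_count": 6},
    {"key": "carol", "doc_count": 6},   # already warned -> no second warning
    {"key": "dave", "doc_count": 2},    # below threshold, filtered by min_doc_count
]

if __name__ == "__main__":
    print(json.dumps(watch_body(), indent=2))
    print(decide_actions(SAMPLE_BUCKETS, already_warned={"carol"}))
```

On the Logstash side the http input receives that JSON and an exec output runs `msg.exe` or a PowerShell lockout script per user; the warned-users set has to be persisted there (a file or a small index), otherwise the watch will re-warn the same user every 10 minutes.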


#3

Hi,

Thanks for the fast answer!
So what you're basically telling me is that all of my needs can be met with an appropriate setup of an Elastic stack! :+1:
For now, that's all I need to know.
I will come back if I have questions on the specific topics, though! :blush:

So stay tuned!

Best regards!
