I am assisting in data gathering for an upcoming audit and I am trying to use Kibana to search for 'Evidence of admin activity being logged' but I cannot seem to grasp the needed search parameters.
I am also searching through docs.chaossearch.io in hopes of finding documentation myself but I have not found anything useful yet. Any guidance or help would be much appreciated.
In addition, if you have audit logging enabled in your stack (Kibana and ES at the least), you can prepare some kind of dashboard for some specific users.
Thank you for the prompt reply. So my background is we are using Armor to host servers for our customer and Armor uses ChaosSearch Analytics as a way for us to search our ingested logs. Thank you for clarifying that Chaossearch is not an Elastic tool, I'm fairly new to this so I'm still learning everything and I could be looking for help in the wrong place.
I believe that my overall issue is that I just do not seem to know how to search our ingested logs to find the logs related to "Administrative Activity" on Windows Servers. I have a list of Domain Admin usernames for this customer so my next thought is to generate activity via one of these accounts and then search through our logs for the specific admin account.
This is part of my issue as well. Armor provides a Log Search Field Glossary and a link to the ECS Field Reference, so I have been trying to search through our logs using these search fields, but it is also possible that my issue could lie with how Armor parses the ingested logs.
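An added example (not from this thread, and not Armor's or ChaosSearch's own tooling) of what the search described above looks like in ECS terms: a placeholder Domain Admin username list combined with Windows Security event IDs, expressed as KQL and as Elasticsearch DSL, plus the same filter run over constructed ECS-shaped documents so a missing event can be told apart from a field that was not parsed. It assumes the search surface accepts Elasticsearch-style queries on ECS field names; that needs confirming against the vendor's docs.

```python
import json

# Placeholder list (assumption): replace with the customer's Domain Admin accounts.
DOMAIN_ADMINS = {"svc_backup_admin", "jdoe_da"}

# Windows Security event IDs commonly reviewed as administrative activity.
ADMIN_EVENT_CODES = {
    "4672": "Special privileges assigned to new logon",
    "4720": "User account created",
    "4726": "User account deleted",
    "4728": "Member added to security-enabled global group",
    "4732": "Member added to security-enabled local group",
}

def build_kql(admins, codes):
    """KQL filter on the ECS fields user.name and event.code."""
    users = " or ".join(f'"{u}"' for u in sorted(admins))
    ids = " or ".join(sorted(codes))
    return f"user.name:({users}) and event.code:({ids})"

def build_es_query(admins, codes):
    """Elasticsearch DSL equivalent of build_kql, for tools that take raw JSON."""
    return {"query": {"bool": {"filter": [
        {"terms": {"user.name": sorted(admins)}},
        {"terms": {"event.code": sorted(codes)}},
    ]}}}

def admin_events(docs, admins=DOMAIN_ADMINS, codes=ADMIN_EVENT_CODES):
    """Client-side mirror of the query. A document whose ECS fields were never
    populated (e.g. only winlog.event_id is present) drops out here, which
    points at a parsing/mapping gap rather than missing Windows events."""
    wanted = {a.lower() for a in admins}
    hits = []
    for d in docs:
        user = d.get("user", {}).get("name", "").lower()
        code = str(d.get("event", {}).get("code", ""))
        if user in wanted and code in codes:
            hits.append((d["@timestamp"], user, code, codes[code]))
    return hits

# Constructed sample documents in ECS shape (not real log data).
SAMPLE_DOCS = [
    {"@timestamp": "2024-01-10T09:00:00Z", "user": {"name": "jdoe_da"}, "event": {"code": "4672"}},
    {"@timestamp": "2024-01-10T09:05:00Z", "user": {"name": "jdoe_da"}, "event": {"code": "4624"}},
    {"@timestamp": "2024-01-10T09:10:00Z", "user": {"name": "alice"}, "event": {"code": "4720"}},
    {"@timestamp": "2024-01-10T09:15:00Z", "user": {"name": "svc_backup_admin"}, "winlog": {"event_id": 4728}},
]

if __name__ == "__main__":
    print(build_kql(DOMAIN_ADMINS, ADMIN_EVENT_CODES))
    print(json.dumps(build_es_query(DOMAIN_ADMINS, ADMIN_EVENT_CODES)))
    for hit in admin_events(SAMPLE_DOCS):
        print(hit)
```

Only the first sample document matches: the second is an ordinary logon, the third is not a listed admin, and the fourth carries the event ID outside the ECS `event.code` field, which is the kind of parsing gap worth checking before concluding that admin activity is not being logged.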