Reporting Windows Security Events in Kibana


(paul) #1

Hi, I've been experimenting with ELK for reporting Windows security events. Whilst I'm able to get the data into Logstash using Winlogbeat over TLS, I've yet to visualize the activity of users on servers.

These are the events https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx

Using a Kibana search I can see that the [message] field contains the field [Account Name:]; however, the Windows event ID that shows the act of logging on and off etc. is not so clearly presented in Kibana.

Has anyone used ELK for monitoring Windows security events? If so, I would appreciate knowing what you do to ID the Windows Security events (user accounts).

Thank you
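The parsing the question is asking about can be done on the shipped event before it reaches Kibana. The block below is an added example, not code from this thread or from Winlogbeat: it assumes each event arrives as a dict with `event_id`, `computer_name` and the free-text `message` (the field names and the sample records are constructed), splits the message into its tab-indented sections so the right `Account Name:` is picked (a 4624 message carries one under `Subject:` and one under `New Logon:`), maps the well-known logon/logoff event IDs to an action, and aggregates activity per server and account, which is the view the post is after.

```python
import re
from collections import defaultdict

# Well-known Windows Security log event IDs for logon activity (not from the thread).
LOGON_EVENT_ACTIONS = {
    4624: "logon",
    4625: "failed_logon",
    4634: "logoff",
    4647: "logoff",  # user-initiated logoff
    4648: "explicit_credential_logon",
}

# Well-known 'Logon Type' codes; unlisted codes are kept as the raw number.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Constructed sample events shaped like Winlogbeat output (assumed field names).
SAMPLE_EVENTS = [
    {"event_id": 4624, "computer_name": "SRV01", "message":
     "An account was successfully logged on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n"
     "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\tLogon ID:\t\t0x0\n\n"
     "Logon Type:\t\t\t10\n\nNew Logon:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n"
     "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n"},
    {"event_id": 4634, "computer_name": "SRV01", "message":
     "An account was logged off.\n\nSubject:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1001\n"
     "\tAccount Name:\t\tjdoe\n\tAccount Domain:\t\tCORP\n\tLogon ID:\t\t0x3E7\n\n"
     "Logon Type:\t\t\t10\n"},
    {"event_id": 4625, "computer_name": "SRV01", "message":
     "An account failed to log on.\n\nSubject:\n\tSecurity ID:\t\tS-1-0-0\n"
     "\tAccount Name:\t\t-\n\tAccount Domain:\t\t-\n\nLogon Type:\t\t\t3\n\n"
     "Account For Which Logon Failed:\n\tSecurity ID:\t\tS-1-0-0\n"
     "\tAccount Name:\t\tadmin\n\tAccount Domain:\t\tCORP\n\nFailure Information:\n"
     "\tFailure Reason:\t\tUnknown user name or bad password.\n\tStatus:\t\t\t0xC000006D\n"},
    {"event_id": 4672, "computer_name": "SRV01", "message":
     "Special privileges assigned to new logon.\n\nSubject:\n\tAccount Name:\t\tjdoe\n"},
]


def parse_message_sections(message):
    """Parse the 'Key:<tabs>Value' layout of a Security event message into
    {section: {key: value}}. An unindented line ending in ':' (e.g. 'Subject:',
    'New Logon:') opens a section; unindented key/value lines such as
    'Logon Type:' belong to the top level, stored under the '' section."""
    sections = defaultdict(dict)
    current = ""
    for raw in message.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line.startswith("\t"):
            if line.endswith(":"):
                current = line[:-1]
                continue
            current = ""  # unindented key/value line: back to top level
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if m:
            sections[current][m.group(1).strip()] = m.group(2).strip()
    return sections


def summarize_event(event):
    """Flatten one event into account/action fields, or None if it is not a
    logon-related event. For 4624 the account of interest is in 'New Logon'
    (the 'Subject' there is usually the system or service performing the logon);
    for 4625 it is in 'Account For Which Logon Failed'; for 4634 in 'Subject'."""
    action = LOGON_EVENT_ACTIONS.get(event["event_id"])
    if action is None:
        return None
    sections = parse_message_sections(event["message"])
    who = (sections.get("New Logon") or sections.get("Account For Which Logon Failed")
           or sections.get("Subject") or {})
    raw_type = sections.get("", {}).get("Logon Type")
    logon_type = LOGON_TYPES.get(int(raw_type), raw_type) if raw_type and raw_type.isdigit() else raw_type
    return {
        "computer": event["computer_name"],
        "event_id": event["event_id"],
        "action": action,
        "account": who.get("Account Name"),
        "domain": who.get("Account Domain"),
        "logon_type": logon_type,
    }


def user_activity(events):
    """Count logon/logoff/failed-logon actions per (computer, account)."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in events:
        rec = summarize_event(ev)
        if rec and rec["account"] and rec["account"] != "-":
            counts[(rec["computer"], rec["account"])][rec["action"]] += 1
    return {key: dict(val) for key, val in counts.items()}


if __name__ == "__main__":
    for (computer, account), actions in user_activity(SAMPLE_EVENTS).items():
        print(f"{computer}\t{account}\t{actions}")
```

The same section-aware logic is what a Logstash `grok`/`kv` pipeline or an ingest processor would need to replicate; the point to carry over is that `Account Name:` is ambiguous in a 4624 message unless the section it sits in is taken into account.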


(Tanya Bragin) #2

I moved this post to Winlogbeat, because I think you'll get a faster answer here on the topic of the data Winlogbeat exposes.


(Andrew Kroh) #3

Hi Paul, I have been working on an enhancement to Winlogbeat to make data like "Account Name" available as a field within the JSON event. Also Winlogbeat will report additional data like the "Task" contained in the event. This will make Winlogbeat a much more powerful tool. This is going to be released in v5, but a development build is available for testing (see #1053).

Here's a screen shot:


(paul) #4

Hi Andrew, I must say that Beats rocks. Very simple to set up, and before looking at it I was trying to get my head around the Windows monitoring; your screen shot perfectly shows the functionality I'm seeking. So yes, cannot wait to get this. Thanks for the info.


(Andrew Kroh) #5