Hi, I've been experimenting with ELK for reporting Windows security events. Whilst I'm able to get the data into logstash using Winlogbeats over TLS, I've yet to visualize the activity of users on servers.
Using a Kibana search I can see that the [message] field contains the field [Account Name:]; however, the Windows event ID that shows the act of logging on and off etc. is not so clearly presented in Kibana.
Has anyone used ELK for monitoring Windows security events? If so, I would appreciate knowing what you do to ID the Windows Security events (user accounts).
Hi Paul, I have been working on an enhancement to Winlogbeat to make data like "Account Name" available as a field within the JSON event. Also Winlogbeat will report additional data like the "Task" contained in the event. This will make Winlogbeat a much more powerful tool. This is going to be released in v5, but a development build is available for testing (see #1053).
Hi Andrew, I must say that Beats rocks. Very simple to set up, and before looking at it I was trying to get my head around Windows monitoring; your screenshot perfectly shows the functionality I'm seeking. So yes, cannot wait to get this. Thanks for the info.