Winlogbeat - Logs for Windows 7/10 and X-pack

Hi
I'm in a little bit of a hurry.
We are in a procurement process, handling the solution today at 23.59.

The customer has the demand to monitor Windows OS logs and especially the Security logs.
I've been looking at Winlogbeat with Elastic Search and Kibana and it looks really good.
But I'm not sure of the infrastructure, can you please help me with that?
My guess is it's enough with one server with lots of RAM and some CPU? Thinking of both cloud and on-prem.
And of course, what about support for Windows 10? It will be mostly Windows 7 in the beginning, but around Dec-Jan they will be migrated to Windows 10.

And what about x-pack, do I really need that, what's the price?

5500 Windows 10 PCs, only shipping the Security log.
I'm guessing about 165 GB data/day, storing 31 days > 4-5 TB of data.

Thanks!

//Henrik

So, an estate of Winlogbeat agents on endpoints all pointing to a multi-node Elasticsearch cluster, and for insight into the data you have Kibana.
0. https://www.elastic.co/guide/en/beats/winlogbeat/current/configuration-winlogbeat-options.html

We always recommend testing this. That way you can get a baseline for how well a single-node cluster will cope with the number of shards versus the resources allocated.

What we have to go on thus far is winlogbeat-security-* aptly named daily indices, up to 200GB per day.
With a retention period of 31 days, 6.2TB.

So say you want to resource the cluster to performantly keep somewhere between 500GB and 1TB of data per data node.

1. https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-node.html

Let's say 1TB, which asks for 6-7 data nodes with 1TB of SSD disk plus 20% overhead, being mindful of watermarks. We have not spoken about master nodes or sole ingest nodes.
2. https://www.elastic.co/guide/en/elasticsearch/reference/current/disk-allocator.html

Presuming this will be an index-heavy cluster as opposed to a search-heavy one, you will opt for indexing-performance tuning.
3. https://www.elastic.co/guide/en/elasticsearch/reference/master/tune-for-indexing-speed.html

RAM: 60+GB, whatever you feel comfortable with, as long as you set 50% to the Elasticsearch heap but no higher than 30GB!
4. https://www.elastic.co/guide/en/elasticsearch/reference/current/heap-size.html

You will want to consider how much enrichment you want to do to your events as they come in via Winlogbeat and/or Logstash.
5. https://www.elastic.co/blog/elasticsearch-data-enrichment-with-logstash-a-few-security-examples

Windows server support.
6. https://www.elastic.co/support/matrix
7. https://www.elastic.co/support/matrix#matrix_os

What do you want to gain from X-Pack? I personally believe X-Pack is cool, thus would recommend alerting, monitoring, security, and later on machine learning to do cool things: find out a baseline for how many Windows laptops you are collecting events from whose MAC addresses were residing in one location on a given day, the same day every week, and send an alert when things start to look anomalous.
8. https://www.elastic.co/products/x-pack

Pricing is here, but also all the above is an insight into the depth of support you may get when you get a subscription with us :smile:
9. https://www.elastic.co/subscriptions

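The sizing arithmetic in the reply above (daily index volume times retention, a 1TB-per-data-node target with 20% disk overhead, heap at 50% of RAM capped at 30GB), written out as a small model so the node count can be recomputed for other inputs such as replicas. This is an added example, not code from the thread or from Elastic; the 90% high disk watermark and the decimal GB-to-TB conversion are assumptions.

```python
import math
from dataclasses import dataclass


@dataclass
class ClusterPlan:
    primary_tb: float        # primary shard data kept over the retention window
    total_tb: float          # primaries plus replica copies
    data_nodes: int          # hot data nodes at the chosen data-per-node target
    disk_per_node_tb: float  # disk to provision per node, overhead included
    heap_gb: float           # JVM heap per node


def heap_size_gb(ram_gb: float) -> float:
    """Half of RAM for the heap, never above 30GB (the reply's rule of thumb)."""
    return min(ram_gb / 2.0, 30.0)


def plan_cluster(daily_gb, retention_days, replicas=0, data_per_node_tb=1.0,
                 overhead=0.20, high_watermark=0.90, ram_gb=64):
    # The reply counts 200GB x 31 days as 6.2TB, i.e. 1000GB per TB (assumed).
    primary_tb = daily_gb * retention_days / 1000.0
    total_tb = primary_tb * (1 + replicas)
    data_nodes = math.ceil(total_tb / data_per_node_tb)
    disk_per_node_tb = data_per_node_tb * (1 + overhead)
    # Above the high watermark (assumed 90%, the Elasticsearch default) the
    # allocator moves shards off the node, so the data target must sit below it.
    if data_per_node_tb > disk_per_node_tb * high_watermark:
        raise ValueError("data target exceeds the high disk watermark; raise overhead")
    return ClusterPlan(primary_tb, total_tb, data_nodes,
                       disk_per_node_tb, heap_size_gb(ram_gb))


if __name__ == "__main__":
    for daily in (165, 200):  # the asker's estimate and the reply's ceiling
        p = plan_cluster(daily, 31)
        print(f"{daily}GB/day x 31d: {p.primary_tb:.1f}TB -> {p.data_nodes} data "
              f"nodes with {p.disk_per_node_tb:.1f}TB disk each, {p.heap_gb:.0f}GB heap")
```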
