An umbrella community for all things cybersecurity / infosec. News, research, questions, are all welcome!
Enjoy!
I would recommemd setting up greylog. It's pipelines are really mighty and not that hard to learn. You can run it in a VM.
If you really want to you can run filebeat on windows with a file output, so it will write everything in json format to a file. However you will still have to parse ot, make it searchable etc.
Yeah I’m familiar with filebeats and the ELK stack, set one of those up a long while ago to ingest Twitter from api before all that blew out a left kneecap haha.
I’ll check it out as well!
For the elk stack you can replace Logstash and Filebeat with Fluentbit and feed it directly to Elastic Search than use Kibana. I've found Logstash to be the resource hog and Fluentbit just runs a lot better imo.
Some docs:
https://docs.fluentbit.io/manual/pipeline/inputs/syslog
https://docs.fluentbit.io/manual/pipeline/outputs/elasticsearch
EDIT: All three of them can also be run in a docker or several depending on your needs and how you configure.
Sweeet, thank you!
Your choices are
Both use code from rsyslog, listen on 514 (configurable) and do logging. I think they'll even take mqtt and json-format stuff, but I wasn't needing that yet so I didn't care
Full disclosure: I first started looking into this at my last post, a mere 600 boxes for windows, which I don't do and didn't care about except some log guy was a splunk fanboy dick and I punked him as often as I could because splunk's absolute inability to cope pissed me off and thus he did by association -- thus the mqtt angle as I tried to push that transport idea through because splunk has no clue anymore and can't cope with mqtt and I liked to see his brain reboot. I'm a Linux/Unix guy so I mainly quote on things that will bring the oddballs into line. My new spot has like 3600 winboxes and I just heard that group's choice for shipping logs to the central log correlation is ...
... Nxlog.
Grain of salt, but good luck.
Yeah so rsyslog is one of those premium products. Seems like I can only practically receive without paying for fuckin parsing capabilities (ew)
But I’ll definitely check out the other! Appreciate it!
I don't know if an open source solution for windows, but I know of a really cool IDS solution that does syslog. It's going to be overkill, and there's a learning curve, but it's worth it if you're into this stuff.
Check out Security Onion 2.4
It's Linux, but the install is kindergarten easy. Just download ISO, pick standalone mode.
It has a web interface. The database is actually elastic search.
If you take the time to play with this thing, it will skill you up. It's a fully scalable IDS.
Interesting! It rings a bell for sure, and I could really just access the web interface from the windows box as a work around for the soln implementation i'm targetting. Thank you!
You might be better off using docker to run a Linux based logging system like rsyslogd or loki. Plenty of tutorials out there.
Just setup wazuh.
What’s that? How come you prefer that to other solutions? Sorry for the delayed response
Its an open source SIEM with XDR and many rules for free. Its the son of ossec