
Monitoring for Windows Event Logs and the Untold Story of Proper ELK Integration - nreece
http://www.ubersec.com/2017/12/03/monitoring-for-windows-event-logs-and-the-untold-story-of-proper-elk-integration/
======
j_s
SysMon is the next step after changing the default audit policy.

[https://github.com/MHaggis/sysmon-dfir](https://github.com/MHaggis/sysmon-dfir)

As of September 2017, v6.1 supports monitoring WMI subscribers.

[https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-...](https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-persistence/)

Unfortunately I can no longer point to a canonical "best practices"
configuration as the original has been neglected; however it may serve as a
starting point: [https://github.com/SwiftOnSecurity/sysmon-config](https://github.com/SwiftOnSecurity/sysmon-config)

------
gm-conspiracy
Using Logstash, is it possible to queue events in case the machine in question
temporarily loses network connectivity?

~~~
coredog64
Yes. Newer versions of Logstash have an on-disk queue that will store events
that haven't been ACK'd by ElasticSearch.

On the other side, every Beat (or nearly every Beat) can write to a messaging
product like Kafka. That allows you to get logs off your client in the face of
failures in either Logstash or ElasticSearch.
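An added example (not from this thread or any of the projects named in it) showing the two options coredog64 describes side by side: the Logstash in-memory queue versus the persistent on-disk queue, and Winlogbeat shipping Windows Security and Sysmon events straight to Kafka so the endpoint is not blocked by a Logstash or Elasticsearch outage. The queue path, broker hostnames and topic name are assumed values.

```yaml
# --- logstash.yml (added example) ---
# Default queue: events buffered in RAM. If Logstash dies before Elasticsearch
# ACKs them, those events are gone.
# queue.type: memory

# Persistent queue: events are written to disk and only removed once the
# output pipeline has acknowledged them, so a Logstash crash or an
# Elasticsearch outage does not lose data that already reached Logstash.
queue.type: persisted
path.queue: /var/lib/logstash/queue   # assumed path; put it on its own disk
queue.max_bytes: 4gb                  # disk budget before inputs get backpressure
queue.checkpoint.writes: 1024         # checkpoint every N events (1 = safest, slowest)
queue.drain: true                     # on shutdown, finish draining before exiting

# --- winlogbeat.yml (added example) ---
# Shipping to Kafka decouples the Windows host from Logstash/Elasticsearch:
# the broker holds the events until a consumer is back to read them.
winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational   # Sysmon channel from the thread
    ignore_older: 72h

output.kafka:
  hosts:                                         # assumed broker addresses
    - "kafka-1.example.internal:9092"
    - "kafka-2.example.internal:9092"
  topic: "winlogbeat"                            # assumed topic name
  required_acks: 1                               # wait for the leader's ACK
  compression: gzip
  max_message_bytes: 1000000
```

Winlogbeat keeps its own registry of the last record read per channel, so after a broker outage it resumes from where it stopped rather than re-reading or skipping the event log.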

