Monitoring for Windows Event Logs and the Untold Story of Proper ELK Integration (ubersec.com)
52 points by nreece 8 months ago | 4 comments



SysMon is the next step after changing the default audit policy.

https://github.com/MHaggis/sysmon-dfir

As of September 2017, v6.1 supports monitoring WMI subscribers.

https://rawsec.lu/blog/posts/2017/Sep/19/sysmon-v610-vs-wmi-...

Unfortunately I can no longer point to a canonical "best practices" configuration as the original has been neglected; however it may serve as a starting point: https://github.com/SwiftOnSecurity/sysmon-config


Using Logstash, is it possible to queue events in case the machine in question temporarily loses network connectivity?


Yes. Newer versions of Logstash have an on-disk queue that will store events that haven't been ACK'd by ElasticSearch.

On the other side, every Beat (or nearly every Beat) can write to a messaging product like Kafka. That allows you to get logs off your client in the face of failures in either Logstash or ElasticSearch.
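As an added illustration (not configuration from the thread or from Elastic) of the two layers this reply describes, a Logstash persistent queue plus a Beat shipping to Kafka; hostnames, paths and sizes are assumed placeholders:

```yaml
# Added example: two config files covering both buffering layers.
# Hostnames, paths and sizes are placeholders chosen for illustration.

# --- logstash.yml (Logstash side) ---------------------------------------
# Persistent queue: events are written to disk between the input and filter
# stages and removed only after the output (Elasticsearch) has ACK'd them,
# so a network or Elasticsearch outage does not lose events in flight.
queue.type: persisted
path.queue: /var/lib/logstash/queue        # put this on a disk with headroom
queue.page_capacity: 64mb                  # size of each on-disk page file
queue.max_bytes: 4gb                       # hard cap; inputs are back-pressured beyond this
queue.checkpoint.writes: 1024              # write a checkpoint every N events (0 = never)
queue.drain: true                          # on shutdown, flush queued events before exiting

# Dead-letter queue: events Elasticsearch rejects (e.g. mapping conflicts)
# are kept for inspection instead of being retried forever or dropped.
dead_letter_queue.enable: true
path.dead_letter_queue: /var/lib/logstash/dlq

# --- winlogbeat.yml (Windows host side) ---------------------------------
# Ship the Security and Sysmon channels straight to Kafka so the host can
# offload events even while Logstash or Elasticsearch is down.
winlogbeat.event_logs:
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational

output.kafka:
  hosts: ["kafka-1.example.internal:9092", "kafka-2.example.internal:9092"]
  topic: "winlogbeat"
  required_acks: 1          # wait for the partition leader to ack each batch
  compression: gzip
  max_message_bytes: 1000000

# Winlogbeat advances its per-channel bookmark only after the output
# acknowledges a batch, so while Kafka is unreachable the Windows event log
# itself is the buffer; size each channel so it does not wrap in the meantime.
```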


It should be; Logstash is just a message router, and this is one of a router's fundamental functions. Certainly this is true for Fluentd.



