Hello,
I am trying to use Graylog, nxlog and Sysmon to check Windows logs.
For the moment I have logs like this:
full_message
<13>May 15 15:00:52 rdp-arethusa.home {"EventTime": "2019-05-15 15:00:49","Hostname":"RDP-ARETHUSA.arethusa.local","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"Task":3,"OpcodeValue":0,"RecordNumber":5069,"ProcessID":6044,"ThreadID":6112,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"AUTORITE NT","AccountName":"Système","UserID":"S-1-5-18","AccountType":"User","Message":"Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-15 13:00:47.598\r\nProcessGuid: {ED3958D4-C7CB-5CDB-0000-001086AE1200}\r\nProcessId: 5504\r\nImage: C:\Program Files\Mozilla Firefox\firefox.exe\r\nUser: ARETHUSA\Administrateur\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.1.209\r\nSourceHostname: RDP-ARETHUSA.arethusa.local\r\nSourcePort: 60460\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 192.168.1.206\r\nDestinationHostname: \r\nDestinationPort: 9000\r\nDestinationPortName: ","Category":"Network connection detected (rule: NetworkConnect)","Opcode":"Informations","UtcTime":"2019-05-15 13:00:47.598","ProcessGuid":"{ED3958D4-C7CB-5CDB-0000-001086AE1200}","Image":"C:\Program Files\Mozilla Firefox\firefox.exe","User":"ARETHUSA\Administrateur","Protocol":"tcp","Initiated":"true","SourceIsIpv6":"false","SourceIp":"192.168.1.209","SourceHostname":"RDP-ARETHUSA.arethusa.local","SourcePort":"60460","DestinationIsIpv6":"false","DestinationIp":"192.168.1.206","DestinationPort":"9000","EventReceivedTime":"2019-05-15 15:00:51","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015
I try to follow this link: https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog
But I can't split out the right information to get:
…
User: ARETHUSA
Protocol: "tcp",
SourcePort: "60460"
DestinationPort: "9000"
…
When they say "Create the following pipeline rules in System > Pipelines > Manage rules as new rules.", there are a lot of lines; do you know if I have to add them as ONE rule, or each part of that file as a distinct rule?
If you have other ideas or suggestions…
Thank you.
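As an added example that is not part of the post, the Graylog article, or nxlog, here is Python that does in plain code what the Graylog pipeline rules have to do for a line like the one quoted above: strip the BSD syslog header that nxlog prepends, decode the JSON object that follows it (ignoring the "#015" trailer), then split the Sysmon Message field on CRLF into "Key: value" fields, dropping empty ones and typing ports, PIDs and booleans. The sample line is a trimmed copy of the one in the post with the JSON backslash escaping restored (the forum rendering shows single backslashes, which would not be valid JSON); that nxlog actually sent doubled backslashes is an assumption. Two things the code makes visible: nxlog has already promoted most of the Sysmon EventData (User, Protocol, SourcePort, DestinationPort) to top-level JSON keys, so decoding the JSON alone yields those, and the top-level ProcessID (6044, the process that wrote the event record) is not the ProcessId inside Message (5504, the process that opened the connection), so the two must not be mapped onto one field name.

```python
import json
import re

# Constructed sample (not nxlog output captured here): a trimmed copy of the
# Sysmon Event ID 3 line quoted in the post, with JSON escaping restored
# (backslashes in Windows paths and account names doubled) so it is valid JSON.
# The "#015" trailer is the CR byte as the syslog receiver rendered it.
SAMPLE = (
    '<13>May 15 15:00:52 rdp-arethusa.home '
    '{"EventTime": "2019-05-15 15:00:49","Hostname":"RDP-ARETHUSA.arethusa.local",'
    '"EventID":3,"SourceName":"Microsoft-Windows-Sysmon","RecordNumber":5069,'
    '"ProcessID":6044,"ThreadID":6112,"Channel":"Microsoft-Windows-Sysmon/Operational",'
    '"UserID":"S-1-5-18",'
    '"Message":"Network connection detected:\\r\\nRuleName: \\r\\n'
    'UtcTime: 2019-05-15 13:00:47.598\\r\\n'
    'ProcessGuid: {ED3958D4-C7CB-5CDB-0000-001086AE1200}\\r\\nProcessId: 5504\\r\\n'
    'Image: C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe\\r\\n'
    'User: ARETHUSA\\\\Administrateur\\r\\nProtocol: tcp\\r\\nInitiated: true\\r\\n'
    'SourceIsIpv6: false\\r\\nSourceIp: 192.168.1.209\\r\\n'
    'SourceHostname: RDP-ARETHUSA.arethusa.local\\r\\nSourcePort: 60460\\r\\n'
    'SourcePortName: \\r\\nDestinationIsIpv6: false\\r\\nDestinationIp: 192.168.1.206\\r\\n'
    'DestinationHostname: \\r\\nDestinationPort: 9000\\r\\nDestinationPortName: ",'
    '"Category":"Network connection detected (rule: NetworkConnect)",'
    '"Image":"C:\\\\Program Files\\\\Mozilla Firefox\\\\firefox.exe",'
    '"User":"ARETHUSA\\\\Administrateur","Protocol":"tcp","SourcePort":"60460",'
    '"DestinationIp":"192.168.1.206","DestinationPort":"9000",'
    '"SourceModuleType":"im_msvistalog"}#015'
)

# BSD syslog framing as nxlog's om_udp/om_tcp with to_syslog_bsd() produce it:
# "<PRI>Mon dd hh:mm:ss hostname payload"
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+'
    r'(?P<host>\S+)\s+(?P<rest>.*)$',
    re.DOTALL,
)

# Message-line fields worth typing; everything else stays a string.
INT_FIELDS = ("ProcessId", "SourcePort", "DestinationPort")
BOOL_FIELDS = ("Initiated", "SourceIsIpv6", "DestinationIsIpv6")


def split_syslog(line):
    """Return (header dict, payload) for a BSD-syslog-framed line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m.group("pri"))
    header = {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
    }
    return header, m.group("rest")


def extract_json(payload):
    """Decode the first JSON object in payload; trailing bytes like '#015' are ignored."""
    start = payload.find("{")
    if start < 0:
        raise ValueError("no JSON object in payload")
    obj, _end = json.JSONDecoder().raw_decode(payload[start:])
    return obj


def parse_sysmon_message(message):
    """Split Sysmon's 'Summary:\\r\\nKey: value\\r\\n...' text into (summary, fields)."""
    lines = re.split(r"\r?\n", message)
    summary = lines[0].rstrip(":").strip()
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition(":")  # first colon only: paths contain ':'
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue  # skip empty fields such as 'RuleName: ' or 'SourcePortName: '
        if key in INT_FIELDS:
            value = int(value)
        elif key in BOOL_FIELDS:
            value = value.lower() == "true"
        fields[key] = value
    return summary, fields


def parse_event(line):
    """Full pipeline: syslog header -> JSON event -> parsed Message fields."""
    header, payload = split_syslog(line)
    event = extract_json(payload)
    summary, msg_fields = parse_sysmon_message(event.get("Message", ""))
    return {"syslog": header, "event": event, "summary": summary, "sysmon": msg_fields}


if __name__ == "__main__":
    ev = parse_event(SAMPLE)
    print("writer PID (top level):", ev["event"]["ProcessID"])
    print("connecting PID (Message):", ev["sysmon"]["ProcessId"])
    for k in ("User", "Protocol", "SourcePort", "DestinationPort"):
        print(f"{k}: {ev['sysmon'][k]!r}")
```

Run it directly to see the four fields asked for in the post, or import parse_event and feed it lines from the Graylog full_message field. Keeping the Message-derived fields in their own dictionary (or, in Graylog, under their own prefix) is what avoids the ProcessID/ProcessId collision.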