Graylog + nxlog + sysmon

#1

Hello,

I am trying to use Graylog, nxlog and Sysmon to check Windows logs.

For the moment I have logs like this:

full_message

<13>May 15 15:00:52 rdp-arethusa.home {"EventTime": "2019-05-15 15:00:49","Hostname":"RDP-ARETHUSA.arethusa.local","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"Task":3,"OpcodeValue":0,"RecordNumber":5069,"ProcessID":6044,"ThreadID":6112,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"AUTORITE NT","AccountName":"Système","UserID":"S-1-5-18","AccountType":"User","Message":"Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-15 13:00:47.598\r\nProcessGuid: {ED3958D4-C7CB-5CDB-0000-001086AE1200}\r\nProcessId: 5504\r\nImage: C:\Program Files\Mozilla Firefox\firefox.exe\r\nUser: ARETHUSA\Administrateur\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.1.209\r\nSourceHostname: RDP-ARETHUSA.arethusa.local\r\nSourcePort: 60460\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 192.168.1.206\r\nDestinationHostname: \r\nDestinationPort: 9000\r\nDestinationPortName: ","Category":"Network connection detected (rule: NetworkConnect)","Opcode":"Informations","UtcTime":"2019-05-15 13:00:47.598","ProcessGuid":"{ED3958D4-C7CB-5CDB-0000-001086AE1200}","Image":"C:\Program Files\Mozilla Firefox\firefox.exe","User":"ARETHUSA\Administrateur","Protocol":"tcp","Initiated":"true","SourceIsIpv6":"false","SourceIp":"192.168.1.209","SourceHostname":"RDP-ARETHUSA.arethusa.local","SourcePort":"60460","DestinationIsIpv6":"false","DestinationIp":"192.168.1.206","DestinationPort":"9000","EventReceivedTime":"2019-05-15 15:00:51","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015

I tried to follow this link: https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog

But I can't split out the right information to get:

User: ARETHUSA
Protocol: tcp
SourcePort: 60460
DestinationPort: 9000

When they say "Create the following pipeline rules in System > Pipelines > Manage rules as new rules.", there are a lot of lines; do you know if I have to add them as ONE rule, or each part of this file as a distinct rule?

If you have other ideas or suggestions…

Thank you.
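One way to get the fields out of a message like the one above is a single Graylog pipeline rule that strips the syslog header, parses the embedded JSON and promotes its keys to message fields. This is an added example, not the rule from the linked blog post or from the poster; the rule name, the `sysmon_` prefix and the assumption that the event arrives in `full_message` (as shown above) are mine.

```text
rule "sysmon: parse nxlog json from syslog"
when
  has_field("full_message") &&
  contains(to_string($message.full_message), "Microsoft-Windows-Sysmon")
then
  // Keep only the JSON object: drop the "<13>May 15 15:00:52 host " syslog
  // header in front of it and anything after the closing brace, such as the
  // "#015" (an escaped CR) that trails the sample message above.
  let m = regex("(?s)^<\\d+>[^{]*(\\{.*\\})", to_string($message.full_message));
  let json = parse_json(to_string(m["0"]));
  // Promote every top-level key (User, Protocol, SourcePort, DestinationPort,
  // Image, EventID, ...) to a field; the prefix keeps them from colliding
  // with Graylog's own fields such as "source" or "message".
  set_fields(to_map(json), "sysmon_");
end
```

Any later rule from the blog post that reads the extracted fields (for example to tag EventID 3 network connections) must sit in a later pipeline stage, because fields set in one stage are only visible to rules in the stages that follow it.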

(Jan Doberstein) #2

Unless you use nxlog here for a reason, my suggestion is to use winlogbeat to transfer the Windows event log to Graylog. This is more stable than the way with nxlog …

#3

Thank you for the answer, I think I will do that.

So:
On Windows I can install Winlogbeat with [output] logstash
On Logstash [input] winlogbeat, [output] Graylog
On Graylog add input "beat"

Does this logic look good to you?

(Jan Doberstein) #4

Nope - you added too many moving parts.

Install winlogbeat on windows, use logstash output to ingest the messages direct to graylog (where you need a beats input).

#5

Hello, thanks for the answer,

In your description, the architecture is the following:

[WindowsServer[Winlogbeat_component_send_by_logstash_output_configuration]]==>[GraylogLinux[Inputbeat_with_sidecar]]

In my context, we need a "broker zone" like this:

[WindowsServer[Winlogbeat_component_send_by_logstash_output_configuration]]==>[Logstash+Rsyslog_central_server[receive_winlogbeat_and_resend_to_graylog]]==>[GraylogLinux[Inputbeat_with_sidecar]]