Graylog + nxlog + sysmon

Hello,

I am trying to use Graylog, nxlog and sysmon to check Windows logs.

For the moment I have logs like this:

full_message

<13>May 15 15:00:52 rdp-arethusa.home {"EventTime": "2019-05-15 15:00:49","Hostname":"RDP-ARETHUSA.arethusa.local","Keywords":-9223372036854775808,"EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":3,"SourceName":"Microsoft-Windows-Sysmon","ProviderGuid":"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","Version":5,"Task":3,"OpcodeValue":0,"RecordNumber":5069,"ProcessID":6044,"ThreadID":6112,"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"AUTORITE NT","AccountName":"Système","UserID":"S-1-5-18","AccountType":"User","Message":"Network connection detected:\r\nRuleName: \r\nUtcTime: 2019-05-15 13:00:47.598\r\nProcessGuid: {ED3958D4-C7CB-5CDB-0000-001086AE1200}\r\nProcessId: 5504\r\nImage: C:\Program Files\Mozilla Firefox\firefox.exe\r\nUser: ARETHUSA\Administrateur\r\nProtocol: tcp\r\nInitiated: true\r\nSourceIsIpv6: false\r\nSourceIp: 192.168.1.209\r\nSourceHostname: RDP-ARETHUSA.arethusa.local\r\nSourcePort: 60460\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\nDestinationIp: 192.168.1.206\r\nDestinationHostname: \r\nDestinationPort: 9000\r\nDestinationPortName: ","Category":"Network connection detected (rule: NetworkConnect)","Opcode":"Informations","UtcTime":"2019-05-15 13:00:47.598","ProcessGuid":"{ED3958D4-C7CB-5CDB-0000-001086AE1200}","Image":"C:\Program Files\Mozilla Firefox\firefox.exe","User":"ARETHUSA\Administrateur","Protocol":"tcp","Initiated":"true","SourceIsIpv6":"false","SourceIp":"192.168.1.209","SourceHostname":"RDP-ARETHUSA.arethusa.local","SourcePort":"60460","DestinationIsIpv6":"false","DestinationIp":"192.168.1.206","DestinationPort":"9000","EventReceivedTime":"2019-05-15 15:00:51","SourceModuleName":"in","SourceModuleType":"im_msvistalog"}#015

I am trying to follow this link: https://www.graylog.org/post/back-to-basics-enhance-windows-security-with-sysmon-and-graylog

But I can't split out the right information to get:

User: ARETHUSA
Protocol: "tcp"
SourcePort: "60460"
DestinationPort: "9000"

When they say "Create the following pipeline rules in System > Pipelines > Manage rules as new rules.", there are a lot of lines; do you know if I have to add it all as ONE rule, or each part of this file as a distinct rule?

If you have other ideas or suggestions…

Thank you.

Unless you use nxlog here for a reason, my suggestion is to use winlogbeat to transfer the Windows event log to Graylog. This is more stable than the way with nxlog…

1 Like

Thank you for the answer, I think I will do that.

So:
On Windows I can install Winlogbeat with [output] logstash
On Logstash [input] winlogbeat, [output] Graylog
On Graylog add input "beats"

Does this logic look good to you?

Nope - you added too many moving parts.

Install winlogbeat on Windows, and use the logstash output to send the messages directly to Graylog (where you need a Beats input).

1 Like

Hello, thanks for the answer,

In your description, the architecture is the following:

[WindowsServer[Winlogbeat_component_send_by_logstash_output_configuration]]==>[GraylogLinux[Inputbeat_with_sidecar]]

In my context, we need a "broker zone" like this:

[WindowsServer[Winlogbeat_component_send_by_logstash_output_configuration]]==>[Logstash+Rsyslog_central_server[receive_winlogbeat_and_resend_to_graylog]]==>[GraylogLinux[Inputbeat_with_sidecar]]

If you need such a complex setup, you would need to create extractors that separate the one big message into different fields.

If you sent Beats directly into Graylog that would not have been needed. But in the setup you showed, you need to make that additional move.

1 Like
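As an added example (not from this thread, from Graylog or from nxlog), here is the field splitting that both the first post and the extractor advice above need, done in Python on the nxlog line from the first post: strip the RFC 3164 syslog header, decode the JSON object that nxlog's to_json() emitted, and split Sysmon's free-text Message ("Key: Value" per line) into fields. The sample line is constructed (abbreviated from the posted one, with JSON escaping restored); the regex, the function names and the UserDomain/UserName split are my own choices, not a Graylog or nxlog convention.

```python
import json
import re
from typing import Any, Dict, Tuple

# Constructed sample, abbreviated from the line in the first post. JSON escaping
# is restored: nxlog's to_json() writes a backslash as "\\" and the CR LF inside
# Message as "\r\n"; the forum rendering dropped those escapes. The trailing
# "#015" is rsyslog's octal escape for the raw CR nxlog appends to each line.
SAMPLE_LINE = (
    r'<13>May 15 15:00:52 rdp-arethusa.home '
    r'{"EventTime": "2019-05-15 15:00:49","Hostname":"RDP-ARETHUSA.arethusa.local",'
    r'"EventID":3,"SourceName":"Microsoft-Windows-Sysmon",'
    r'"Channel":"Microsoft-Windows-Sysmon/Operational","Domain":"AUTORITE NT",'
    r'"AccountName":"Système","UserID":"S-1-5-18",'
    r'"Message":"Network connection detected:\r\nRuleName: \r\n'
    r'UtcTime: 2019-05-15 13:00:47.598\r\nProcessGuid: {ED3958D4-C7CB-5CDB-0000-001086AE1200}\r\n'
    r'ProcessId: 5504\r\nImage: C:\\Program Files\\Mozilla Firefox\\firefox.exe\r\n'
    r'User: ARETHUSA\\Administrateur\r\nProtocol: tcp\r\nInitiated: true\r\n'
    r'SourceIsIpv6: false\r\nSourceIp: 192.168.1.209\r\nSourceHostname: RDP-ARETHUSA.arethusa.local\r\n'
    r'SourcePort: 60460\r\nSourcePortName: \r\nDestinationIsIpv6: false\r\n'
    r'DestinationIp: 192.168.1.206\r\nDestinationHostname: \r\nDestinationPort: 9000\r\n'
    r'DestinationPortName: ",'
    r'"Image":"C:\\Program Files\\Mozilla Firefox\\firefox.exe",'
    r'"User":"ARETHUSA\\Administrateur","Protocol":"tcp","Initiated":"true",'
    r'"SourceIp":"192.168.1.209","SourcePort":"60460",'
    r'"DestinationIp":"192.168.1.206","DestinationPort":"9000",'
    r'"SourceModuleType":"im_msvistalog"}#015'
)

# RFC 3164 header: <PRI>Mmm dd HH:MM:SS host <body>; the body is nxlog's JSON text.
SYSLOG_HEADER = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<body>.*)$', re.DOTALL)


def split_syslog(line: str) -> Tuple[Dict[str, Any], str]:
    """Return (header fields, body text) for one syslog line."""
    line = line.rstrip('\r\n')
    if line.endswith('#015'):          # rsyslog's escape of the CR nxlog appends
        line = line[:-4]
    m = SYSLOG_HEADER.match(line)
    if not m:
        raise ValueError('not an RFC 3164 line: %r' % line[:40])
    pri = int(m['pri'])
    header = {'facility': pri >> 3, 'severity': pri & 7,
              'syslog_timestamp': m['timestamp'], 'syslog_host': m['host']}
    return header, m['body']


def parse_sysmon_text(message: str) -> Tuple[str, Dict[str, str]]:
    """Split Sysmon's Message into (title, {Key: Value}).

    The first line ("Network connection detected:") is the event title; the
    rest are "Key: Value" lines. Empty values such as "RuleName: " become "".
    """
    lines = message.replace('\r\n', '\n').split('\n')
    title = lines[0].rstrip(':')
    fields: Dict[str, str] = {}
    for item in lines[1:]:
        key, sep, value = item.partition(':')   # first ':' only, paths contain ':'
        if sep and key.strip():
            fields[key.strip()] = value.strip()
    return title, fields


def parse_line(line: str) -> Dict[str, Any]:
    """Turn one nxlog/sysmon syslog line into a flat record of typed fields."""
    header, body = split_syslog(line)
    event = json.loads(body)            # the step Graylog's parse_json() performs
    record: Dict[str, Any] = dict(header)
    # Structured keys nxlog already emitted (the ones the question asks for).
    for key in ('EventID', 'Channel', 'Image', 'User', 'Protocol', 'Initiated',
                'SourceIp', 'SourcePort', 'DestinationIp', 'DestinationPort'):
        if key in event:
            record[key] = event[key]
    # Ports arrive as strings; store integers so numeric range searches work.
    for key in ('SourcePort', 'DestinationPort'):
        if key in record:
            record[key] = int(record[key])
    if 'Initiated' in record:
        record['Initiated'] = str(record['Initiated']).lower() == 'true'
    # "DOMAIN\user" -> two fields (UserDomain/UserName are names chosen here).
    if isinstance(record.get('User'), str) and '\\' in record['User']:
        record['UserDomain'], record['UserName'] = record['User'].split('\\', 1)
    # Keys that only exist inside the free-text Message (RuleName, ProcessGuid, ...).
    title, text_fields = parse_sysmon_text(event.get('Message', ''))
    record['EventTitle'] = title
    for key, value in text_fields.items():
        record.setdefault(key, value)   # do not overwrite the typed values above
    return record


if __name__ == '__main__':
    for key, value in parse_line(SAMPLE_LINE).items():
        print(f'{key}: {value!r}')
```

In Graylog itself the same three steps map onto a pipeline rule: a regex() over the message to drop the syslog header, parse_json() on the remaining JSON text, and set_fields() on the result; each `rule "…" when … then … end` block is saved as its own rule under Manage rules and then attached to a pipeline stage.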

Ok thank you, I will try that and create a new topic if needed.
