Monitoring System Administrators

Hi All,
My goal is to collect through graylog ONLY logs related to the operations performed by system administrators on multiple servers for example:

Administrative access on servers (Linux, Windows)
Administrative accesses to databases (mysql, sqlserver)
Server maintenance (Creation, disabling, password changes)
Network configurations (Changes)
Domain access on Windows clients
Access, modification, deletion of shared files on Windows shares

Is there a pre-built solution within the marketplace (possibly to be fixed)?
Thanks,
Greetings.

Thumbs up! who can help us with this concern.

The Graylog Marketplace is a good place to start looking for this… Although the marketplace is broken… meaning you have to follow the link to Github to get the most recent information on anything you find.

Nice very informative.

Ok thanks.
I’m a novice graylog user, could you explain how to find what I’m looking for?
Thanks,
Greetings.

I would create an extractor that pulls out usernames and then filter a search so it only shows usernames that are admins.
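The approach in the reply above (pull usernames out with an extractor, then keep only the admin accounts), as an added example that is not part of the thread. The log lines, regexes and admin list are constructed for illustration; in a Graylog deployment the same patterns would live in regex extractors or pipeline rules rather than in Python.

```python
import re

# Constructed sample lines (not from the thread), shaped like what Graylog
# receives from syslog on Linux and from a Windows Security event source.
SAMPLE_LOGS = [
    "Mar  3 10:01:12 web01 sshd[2311]: Accepted publickey for root from 10.0.0.5 port 51022 ssh2",
    "Mar  3 10:02:40 web01 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd deploy",
    "Mar  3 10:03:01 web01 sshd[2350]: Accepted password for bob from 10.0.0.7 port 51100 ssh2",
    "Mar  3 10:04:15 web01 passwd[2399]: pam_unix(passwd:chauthtok): password changed for deploy",
    "EventID=4624 Computer=DC01 TargetUserName=carol TargetDomainName=CORP LogonType=10 IpAddress=10.0.0.9",
    "EventID=4624 Computer=DC01 TargetUserName=dave TargetDomainName=CORP LogonType=3 IpAddress=10.0.0.11",
]

# Regex "extractors" (hypothetical names): each one captures the username
# and labels the kind of administrative action the line records.
EXTRACTORS = [
    ("ssh_login", re.compile(r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("sudo",      re.compile(r"sudo: +(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    # For password changes the captured name is the account that was modified.
    ("passwd",    re.compile(r"passwd\[\d+\]: .*password changed for (?P<user>\S+)")),
    ("win_logon", re.compile(r"EventID=4624 .*TargetUserName=(?P<user>\S+) .*LogonType=(?P<ltype>\d+)")),
]

def extract(line):
    """Return a normalized event dict for a recognised line, or None."""
    for action, rx in EXTRACTORS:
        m = rx.search(line)
        if m:
            ev = {"action": action, "user": m.group("user")}
            ev.update({k: v for k, v in m.groupdict().items() if k != "user"})
            return ev
    return None

def admin_events(lines, admins):
    """Keep only events whose extracted username is in the admin set (case-insensitive)."""
    admins = {a.lower() for a in admins}
    return [ev for ev in map(extract, lines) if ev and ev["user"].lower() in admins]
```

Running `admin_events(SAMPLE_LOGS, {"root", "alice", "carol"})` keeps the root SSH login, alice's sudo command and carol's interactive Windows logon, and drops the non-admin logins and the unrecognised lines.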

Graylog Marketplace Gives you all the links and explanation available for third party add-ons. There are no comprehensive step by step solutions for what you are looking for so it’s a lot of custom work.

Below is the one I am working on (from Github)… it is in the Graylog Marketplace but only as an initial snapshot when I was playing around and won’t update to what Github currently has (so… as I said… broken). The Github project is mostly monitoring AD but you can adjust it further to monitor anything you get firing in Windows logs - which will take group policy adjustment (etc.). It should be enough framework for what you are looking for on the Windows side and perhaps on Linux depending on how you adjust it.

Hi @badrequest -

Unless you cannot find the vendor-specific content from the Marketplace, here’s what I would recommend:

Administrative access on servers (Linux, Windows) – AuditBeat from Elastic
Administrative accesses to databases (mysql, sqlserver) – NXlog ( use sidecar from Graylog )
Server maintenance (Creation, disabling, password changes) – FileBeat/AuditBeat from Elastic
Network configurations (Changes) – AuditBeat or Syslog, depending on the native format
Domain access on Windows clients – WinlogBeat from Elastic
Access, modification, deletion of shared files on Windows shares – AuditBeat from Elastic

You can find the link to all Beats downloads here: https://www.elastic.co/downloads/beats

Please read the documentation from the Elastic beats knowledge base as these documents will explain how to configure the modules in order to achieve the goals you mentioned above. Thanks!

Thanks for the advice, I will start working on these.
If anyone has other ideas, they are welcome!

For your request there is no pre-built, click-and-ready solution.

You need to collect the different logs, identify if they have the wanted information in them, and normalize that data. This way you can get a picture of what is happening.

All the above mentioned by @GL_Mike include some serious learning and you have no other option to make your wish come true. You might take the shortcut and pay someone for that.
