Windows server Sysmon all event ID

Hi guys

What do you suggest for building a comprehensive Sysmon dashboard for up to 50 Windows servers?
Do I have to create a standalone dashboard for each server?
If anyone has an idea, help me
thank you very much

@bahram
Well… depends. What kind of data you want from those 50 servers?
If it's an overall view of your 50 servers like “failed logons, services were installed, account changed, logon after hours, Windows RDP succeeded” then yes, you shouldn't have a problem with one dashboard.

We have separated our servers into groups with different dashboards. For example, all of our Domain Controllers are on one dashboard. SQL, Veeam, and gateway servers are on another dashboard. That way I don't have to scroll down so far to see data. Also, it doesn't require a lot of resources when the dashboard is loaded.

What version of GL are you using?

Hi, gsmith

Thanks a lot for the reply.
Graylog version 3.1.
OK.
I enabled Sysmon for 50 Windows servers, and I want to have malware activity (Event ID 2, 8, 12, 22) for all 50 servers in ONE dashboard.
How can I do that?

@bahram
Hello,

You may not be able to do this exactly since you're using an earlier version of GL, but I believe you can make my steps work with GL 3.1. I posted some links to help you out.

First, create a Dashboard, let’s call it “Windows EventID’s”.

Second, you need to make sure you have the field EventID in your Windows messages.
Shown below.

Third, you need to create a Global Search “EventID: 2”, shown below.

Fourth, make an Aggregation widget using “count & EventID”, and save the widget.

Export it to the dashboard we created earlier called Windows EventID’s.

Make sure you click save in the upper right corner of the dashboard.

Rinse and repeat for event IDs 8, 12 and 22.
Example: one dashboard with the event IDs you stated earlier.

You can find more information below for GL version 3.1:

Widget GL3.1

DashBoards for GL 3.1

Hope that helps

Hi, gsmith

Thank you very much for your valuable guide.
But the main question is, how to have a single dashboard (Windows Sysmon) for 50 servers,
given that the number of Event IDs on each server is different?

@bahram

Hello,
You want to see all 50 servers on one dashboard with the EventID for each server? If this is correct, you can modify your widget to do so.

In the example below I added source to my widget to see any/all servers with that event ID.

By adjusting your widget, I’m sure you can get what you want to see on your dashboard.
If I’m incorrect could you show us what you want to see, maybe a demo?
Could you show us what you have tried to do?
Picture/s would be great.

Hope that helps
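The two answers above describe one widget per Sysmon event ID (2, 8, 12, 22), later widened with the source field so one table shows every server. The script below is an added example, not code from the thread or from Graylog: it reproduces that aggregation offline on a handful of constructed records so you can check what a “count, rows = source, columns = EventID” widget would display, and it builds the matching Graylog search string. It assumes your Windows messages carry the EventID and source fields exactly as in the thread; depending on your Winlogbeat/Sidecar setup the event ID may land under a different field name, so check one real message first (the thread's second step). The event ID meanings in the table are Sysmon's documented ones.

```python
"""
Added example (not from the thread): count Sysmon events grouped by
EventID and source host, the way the Graylog aggregation widget does.
The records below are constructed samples, not real log data.
"""
from collections import Counter

# Sysmon event IDs the poster asked about, with their documented meanings.
SYSMON_EVENTS = {
    2: "File creation time changed",
    8: "CreateRemoteThread detected",
    12: "Registry object added or deleted",
    22: "DNS query",
}

# Constructed sample messages in the shape the thread assumes:
# a numeric EventID field plus Graylog's source field (the sending host).
SAMPLE_RECORDS = [
    {"source": "dc01", "EventID": "22", "QueryName": "example.invalid"},
    {"source": "dc01", "EventID": "22", "QueryName": "example.invalid"},
    {"source": "dc01", "EventID": "1"},        # process create: not in scope
    {"source": "sql01", "EventID": "8"},
    {"source": "sql01", "EventID": "12"},
    {"source": "sql01", "EventID": "12"},
    {"source": "gw01", "EventID": "2"},
    {"source": "gw01", "EventID": "4624"},     # Security log, not Sysmon
    {"source": "gw01", "message": "no EventID field at all"},
]


def build_query(event_ids):
    """Graylog search string for a widget covering the given IDs.

    One ID gives the per-widget form from the thread ('EventID:2');
    several give a single combined widget ('EventID:(2 OR 8 OR 12 OR 22)').
    """
    ids = sorted({int(i) for i in event_ids})
    if len(ids) == 1:
        return f"EventID:{ids[0]}"
    return "EventID:(" + " OR ".join(str(i) for i in ids) + ")"


def aggregate(records, event_ids):
    """Return {(source, EventID): count} for records whose EventID is wanted.

    Messages with no numeric EventID are skipped, which is also what a
    search on EventID does: they simply do not match.
    """
    wanted = {int(i) for i in event_ids}
    counts = Counter()
    for rec in records:
        try:
            eid = int(rec["EventID"])
        except (KeyError, ValueError, TypeError):
            continue
        if eid in wanted:
            counts[(rec.get("source", "unknown"), eid)] += 1
    return dict(counts)


def pivot(counts, event_ids):
    """Rows per source, one column per EventID, zero-filled: the widget table."""
    ids = sorted({int(i) for i in event_ids})
    sources = sorted({src for src, _ in counts})
    return {src: {eid: counts.get((src, eid), 0) for eid in ids} for src in sources}


if __name__ == "__main__":
    ids = sorted(SYSMON_EVENTS)
    print("Widget query:", build_query(ids))
    table = pivot(aggregate(SAMPLE_RECORDS, ids), ids)
    header = "source".ljust(8) + "".join(str(e).rjust(6) for e in ids)
    print(header)
    for src, row in table.items():
        print(src.ljust(8) + "".join(str(row[e]).rjust(6) for e in ids))
```

A zero row for a server is informative too: a host that never reports Event ID 22 while the others do may simply be running a Sysmon release older than 10 (which introduced DNS logging), or may have stopped shipping, so the per-source table doubles as a coverage check.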

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.