Parse stored Windows Event logs with Security Onion

Security Onion

Security Onion is a free tool to monitor for suspicious activity in network events. I find it very easy to use, especially if you integrate MISP threat data with the Bro (Zeek) intelligence framework. Besides investigating network events, you can also use it to analyze Windows Event logs, both from a live event stream and from stored Windows event log files.

Winlogbeat

Winlogbeat, part of Elastic, is the shipper that we will use to send the log files to Security Onion or, more precisely, to the Logstash Docker container running within Security Onion. With Winlogbeat you can subscribe to a number of Windows log channels and have the selected events sent to a log collector. The configuration is explained in detail in the Elastic documentation, but some interesting features include:

  • ignore_older : Ignore older log events; useful if you configure a new system and you’re only interested in the new events;
  • processors : Enhance data locally, before sending it to the log collector; useful for the Sysmon and Security channel;
  • event_id : Filter for specific event IDs;
  • add_host_metadata : Automatically add some host metadata to the log event.

Use Winlogbeat to read local files

Instead of subscribing to live log channels, you can also point Winlogbeat to a local, previously recorded Windows Event log. You do not need to stop the ingestion of live events for this; both processes can run alongside each other.

This is the configuration file to have Winlogbeat read events from local log files.

winlogbeat.event_logs:
 - name: ${EVTX_FILE} 
   no_more_events: stop 

winlogbeat.shutdown_timeout: 30s 
winlogbeat.registry_file: evtx-registry.yml 

setup.template.settings:
  index.number_of_shards: 1

name: winlogbeat

tags: ["replay_windows", "securityonion", "winlogbeat"]

output.logstash:
  hosts: ["1.1.1.1:5044"]

processors:
  - add_host_metadata: ~

Then on a Windows host you can start ingesting the event log files with

.\winlogbeat.exe -e -c .\winlogbeat_stored_evtx.yml -E EVTX_FILE=c:\simulationset\sysmon_13_rdp_settings_tampering.evtx

If you need a set of Windows event log files to test your configuration, you can use the set at EVTX-ATTACK-SAMPLES.

There are some caveats though!

  • The Winlogbeat registry file keeps track of the last log file that was read. If you do multiple tests, do not forget to delete this file before every run. The file is in the data directory of your Winlogbeat installation;
  • The EVTX_FILE requires the absolute path to the log file. It will not work if you give it a relative path, even if the log file is in the current directory (e.g. with ./);
  • Do not forget that Security Onion comes with Curator installed. This will close the older Elastic indexes, for example those older than 90 days. The ingestion will not be successful if you leave Curator running while ingesting the log files. You can temporarily stop Curator with so-curator-stop.
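
The first two caveats can be handled in a small wrapper that replays a whole folder of stored logs, one Winlogbeat run per file. This is an added example, not part of the original post; it assumes it is run from the Winlogbeat installation directory, that the registry file named in the configuration above lives under .\data, and the parameter names are hypothetical.

```powershell
# Added example: replay every .evtx file in a folder through the stored-EVTX config.
# Assumptions (not from the original post): script is run from the Winlogbeat
# install directory, and the registry file sits in .\data under that directory.
param(
    [string]$EvtxDir      = 'c:\simulationset',
    [string]$Config       = '.\winlogbeat_stored_evtx.yml',
    [string]$RegistryFile = '.\data\evtx-registry.yml'
)

# Caveat 3 (so-curator-stop) is run on the Security Onion host, not from this script.

$files = Get-ChildItem -Path $EvtxDir -Filter *.evtx -File | Sort-Object Name
if (-not $files) { throw "No .evtx files found in $EvtxDir" }

foreach ($file in $files) {
    # Caveat 1: delete the registry file so state from a previous run is not reused.
    if (Test-Path -LiteralPath $RegistryFile) {
        Remove-Item -LiteralPath $RegistryFile -Force
    }

    # Caveat 2: EVTX_FILE must be an absolute path; FullName is always absolute.
    $evtx = $file.FullName
    Write-Host "Replaying $evtx"

    # 'no_more_events: stop' makes Winlogbeat exit at the end of the file,
    # so this call returns and the loop moves on to the next log.
    & .\winlogbeat.exe -e -c $Config -E "EVTX_FILE=$evtx"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "winlogbeat exited with code $LASTEXITCODE for $evtx"
    }
}
```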

Logstash

The default Logstash configuration of Security Onion requires some changes before it can properly ingest data from the latest (7.5) Winlogbeat. You first need to export the correct index template from Winlogbeat and then configure Logstash to use this template when it creates the new index.

output {
  if "winlogbeat" in [tags] {
    elasticsearch {
      hosts => elasticsearch
      index => "logstash-winlog-%{+YYYY.MM.dd}"
      template_name => "winlogbeat"
      template => "/winlogbeat-7.5.1.json"
      template_overwrite => true
    }
  }
}
