Search GitHub for "Graylog_Content_Pack_Windows" and download that Content Pack.
Extract the archive and have the JSON file ready.
Prerequisites
- Open the port on the server-side firewall
[root@graylog srv]# sudo firewall-cmd --add-port=5044/tcp --permanent
success
[root@graylog srv]# sudo firewall-cmd --reload
success
Web UI tasks
Install the Content Pack
- Under System -> Content Packs, "upload" the file (Windows-ALL-Security-Content-Pack.json)
- install
Server tasks
Upload the CSV files to the server
Upload the 6 CSV files found under \archives\csv\ in the extracted archive (use any suitable file-transfer utility)
[root@graylog srv]# ls -al
total 1312
drwxr-xr-x. 2 root root 186 Apr 30 14:11 .
dr-xr-xr-x. 19 root root 255 Apr 17 17:07 ..
-rw-r--r--. 1 graylog graylog 38407 Apr 30 14:11 Windows-EventID-to-EventDescription.csv
-rw-r--r--. 1 graylog graylog 159 Apr 30 14:11 dhcpv4_opcode.csv
-rw-r--r--. 1 graylog graylog 3862 Apr 30 14:11 file_monitoring_permissions.csv
-rw-r--r--. 1 graylog graylog 1174398 Apr 30 14:11 macaddress_list.csv
-rw-r--r--. 1 graylog graylog 481 Apr 30 14:11 registry.csv
-rw-r--r--. 1 graylog graylog 114319 Apr 30 14:11 windows_id.csv
[root@graylog srv]#
Fix the permissions on /srv
[root@graylog /]# sudo chgrp graylog /srv/
[root@graylog /]# cd /srv
[root@graylog srv]# sudo chown graylog:graylog /srv/*.csv
[root@graylog srv]#
Agent tasks
Install Winlogbeat (Win)
Install Winlogbeat 7.x.
According to the GitHub note referenced above, compatibility was last verified with version 7.
Past Releases of Elastic Stack Software | Elastic
Configure Winlogbeat.yml (Win)
Some parts of the file shipped in the archive caused errors and were commented out, and the "fields_under_root: true" option was added.
In the Logstash Output section at the bottom, replace the host with your own server's IP.
### WORKS ONLY FOR WINLOGBEAT 7.X versions, NOT 8.X
fields_under_root: true
winlogbeat.event_logs:
  # Account Management
  - name: Security
    event_id: 4627, 4703-4705, 4720, 4722-4735, 4737-4739, 4741-4767, 4780-4782, 4793, 4794, 4798, 4799, 5376, 5377
    ignore_older: 24h
    tags: [accountmanagement]
  # Active Directory
  - name: Security
    event_id: 4661, 4662, 14080, 5136-5139, 5141, 4713, 4706, 4707, 4716-4718, 4739, 4864-4867
    ignore_older: 24h
    tags: [activedirectory]
  - name: Microsoft-Windows-NTLM/Operational
    level: info
    ignore_older: 24h
    tags: [activedirectory]
  # DNS Server
  - name: DNS Server
    channel: DNS Server
    ignore_older: 24h
    tags: [dnsserver]
  - name: Microsoft-Windows-DNSServer/Audit
    ignore_older: 24h
    tags: [dnsserver]
  # DHCP Server
  # - name: Microsoft-Windows-Dhcp-Server/Operational
  #   ignore_older: 24h
  #   tags: [dhcpserver]
  #FileSystem Monitor
  - name: Security
    event_id: 4656, 4663, 4670, 4907, 5140, 5142-5145
    ignore_older: 24h
    tags: [filesystem]
    processors:
      - drop_event.when.not.or:
          - equals.winlog.event_data.ObjectType: "File"
      - drop_event.when.or:
          - regexp.winlog.event_data.winlog_task: 'Authorization Policy Change'
          - regexp.winlog.event_data.winlog_task: 'Audit Policy Change'
          - equals.winlog.event_data.winlog_task: "Registry"
          - equals.winlog.event_data.winlog_task: "Kernel Object"
          - equals.winlog.event_data.SubjectUserSid: 'S-1-5-18'
          - equals.winlog.event_data.SubjectUserSid: 'S-1-5-19'
          #cant see the diff between human/computer action opening a folder, too many logs
          - regexp.winlog.event_data.AccessList: '^%%4416.*'
          # dont need to know who read which permission
          - regexp.winlog.event_data.AccessList: '^%%1538.*'
          - regexp.winlog.event_data.AccessList: '^%%1539.*'
          - regexp.winlog.event_data.AccessList: '^%%1542.*'
          #we dont need to monitor synchronize status event
          - regexp.winlog.event_data.AccessList: '^%%1541.*'
          #we do not need to know who read/write extended attribute
          - regexp.winlog.event_data.AccessList: '^%%4419.*'
          - regexp.winlog.event_data.AccessList: '^%%4420.*'
          #computers always executing dll which gives too many logs
          - regexp.winlog.event_data.AccessList: '^%%4421.*'
          #too many logs for ReadAttributes event, on everyaction, it reads attribute
          - regexp.winlog.event_data.AccessList: '^%%4423.*'
          - regexp.winlog.event_data.AccessList: '^%%4424.*'
          #dont need to know some activites automated by the system using user permission
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\PenWorkspace.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\CLR_v4.0.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Internet Explorer\\CacheStorage.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Windows\\Recent\\AutomaticDestinations.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Packages.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Google\\Chrome\\Application\\SetupMetrics.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Edge\\User Data.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\[a-zA-Z0-9._~-]+\\cache2.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Temp.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\D3DSCache.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Microsoft\\Windows\\DeliveryOptimization.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\NVIDIA Corporation\\Drs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\ProgramData\\USOShared\\Logs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\Logs.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\System32\\LogFiles.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Microsoft\\Token\\Cache.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Roaming\\Microsoft.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache.*'
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\Windows\\Temp.*'
          #dont need to know recycle bin activites, we already have the Delete event (%%1537)
          - regexp.winlog.event_data.ObjectName: '^(?i)C\:\\\$Recycle.Bin.*'
  ##### ******* Application Crashes ******** ######
  - name: Application
    event_id: 1000, 1002
    ignore_older: 24h
    tags: [windowsappscrash]
    level: error
    provider:
      - Application Error
      - Application Hang
  - name: Application
    event_id: 1001
    ignore_older: 24h
    tags: [windowsappscrash]
    level: info
    provider:
      - Windows Error Reporting
  ##### ******* Bits ******** ######
  - name: Microsoft-Windows-Bits-Client/Operational
    ignore_older: 24h
    tags: [windowsbits]
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 3
          - equals.winlog.event_id: 5
          - equals.winlog.event_id: 61
          - equals.winlog.event_id: 16403
  ##### ******* EMET ******** ######
  - name: Application
    event_id: 1, 2
    level: warning, error
    tags: [windowsemet]
    provider:
      - EMET
  ##### ******* Code Integrity ******** ######
  - name: Microsoft-Windows-CodeIntegrity/Operational
    event_id: 3001, 3002, 3003, 3004, 3010, 3023
    ignore_older: 24h
    tags: [windowscodeintegrity]
    level: error, warning
    provider:
      - Microsoft-Windows-CodeIntegrity
  - name: Security
    event_id: 5038, 6281, 6410
    ignore_older: 24h
    tags: [windowscodeintegrity]
    level: info
    provider:
      - Microsoft-Windows-Security-Auditing
  ##### ******* Exploit Guard ******** ######
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1121, 1122, 5007
    ignore_older: 24h
    tags: [windowsexploitguard]
  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1121, 1122, 5007
    ignore_older: 24h
    tags: [windowsexploitguard]
  - name: Microsoft-Windows-Security-Mitigations/KernelMode
    event_id: 1-9, 11-24, 5, 260
    ignore_older: 24h
    tags: [windowsexploitguard]
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  # - name: Microsoft-Windows-Win32k/Concurrency
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Contention
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Messages
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Operational
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Power
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Render
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/Tracing
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  # - name: Microsoft-Windows-Win32k/UIPI
  #   event_id: 1-24, 5, 260
  #   ignore_older: 24h
  #   tags: [windowsexploitguard]
  #   provider:
  #     - Microsoft-Windows-Security-Mitigations
  #     - Microsoft-Windows-WER-Diag
  #     - Microsoft-Windows-Win32kv
  #     - Win32k
  - name: System
    event_id: 1-24, 5, 260
    ignore_older: 24h
    tags: [windowsexploitguard]
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Security-Mitigations/UserMode
    event_id: 1-24, 5, 260
    ignore_older: 24h
    tags: [windowsexploitguard]
    provider:
      - Microsoft-Windows-Security-Mitigations
      - Microsoft-Windows-WER-Diag
      - Microsoft-Windows-Win32kv
      - Win32k
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1125, 1126, 5007
    ignore_older: 24h
    tags: [windowsexploitguard]
  - name: Microsoft-Windows-Windows Defender/WHC
    event_id: 1125, 1126, 5007
    ignore_older: 24h
    tags: [windowsexploitguard]
  ##### ******* Drivers ******** ######
  - name: System
    event_id: 219
    ignore_older: 24h
    tags: [windowsdrivers]
    level: warning
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Microsoft-Windows-DriverFrameworks-UserMode/Operational
    event_id: 2004
    ignore_older: 24h
    tags: [windowsdrivers]
  - name: System
    level: critical, error
    ignore_older: 24h
    tags: [windowsdrivers]
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 7000
          - equals.winlog.event_id: 7001
          - equals.winlog.event_id: 10016
          - equals.winlog.event_id: 24629
          - equals.winlog.event_id: 10010
          - equals.winlog.event_id: 11060
          - equals.winlog.event_id: 41
          - equals.winlog.event_id: 124
          - equals.winlog.event_id: 34
  ##### ******* Windows OS ******** #######
  - name: Security
    event_id: 4608, 4610, 4611, 4614, 4622, 4697, 4719, 4817, 4826, 4902, 4904, 4905, 4906, 4908, 4912
    ignore_older: 48h
    tags: [windowsos]
  - name: System
    event_id: 12, 13, 1074
    ignore_older: 24h
    tags: [windowsos]
    provider:
      - Microsoft-Windows-Kernel-General
      - USER32
  - name: System
    event_id: 16962, 16965, 16968, 16969, 41, 1001, 6008, 4621
    ignore_older: 24h
    tags: [windowsos]
  - name: Microsoft-Windows-SMBServer/Audit
    event_id: 3000
    ignore_older: 24h
    tags: [windowsos]
    provider:
      - Microsoft-Windows-SMBServer
  ##### ******* Windows USB ******** #######
  # - name: Microsoft-Windows-USB-USBHUB3-Analytic
  #   processors:
  #     - drop_event.when.not:
  #         and:
  #           - equals.winlog.event_data.DeviceDescription: "USB Mass Storage Device"
  #   event_id: 43
  #   ignore_older: 24h
  #   tags: [windowsusb]
  #   level: information
  #   provider:
  #     - Microsoft-Windows-USB-USBHUB3
  - name: Microsoft-Windows-Kernel-PnP/Configuration
    processors:
      - drop_event.when.not:
          and:
            # a single pair of quotes; the doubled quotes ""usbstor.inf"" in the copied file are not valid YAML
            - equals.winlog.event_data.DriverName: "usbstor.inf"
    event_id: 400, 410
    ignore_older: 24h
    tags: [windowsusb]
    level: information
    provider:
      - Microsoft-Windows-Kernel-PnP
  - name: Security
    event_id: 6416, 6419-6424
    ignore_older: 24h
    tags: [windowsusb]
    processors:
      - drop_event.when.or:
          - regexp.winlog.event_data.DeviceDescription: '^Microsoft Print to PDF.*'
          - regexp.winlog.event_data.DeviceDescription: '^Microsoft XPS Document Writer.*'
          - regexp.winlog.event_data.DeviceDescription: '^Generic Non-PnP Monitor.*'
  ##### ******* Windows Registry ******** #######
  - name: Security
    event_id: 4657
    ignore_older: 24h
    tags: [windowsregistry]
    processors:
      - drop_event.when.not:
          or:
            - equals.winlog.event_data.OperationType: "%%1904"
            - equals.winlog.event_data.OperationType: "%%1905"
            - equals.winlog.event_data.OperationType: "%%1906"
      #Drop all registry events not critical to monitor
      - drop_event.when.not.or:
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Startup.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\Scripts\\Shutdown.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\AlternateShell.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Active Setup\\Installed Components.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SharedTaskScheduler.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellServiceObjects.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\ShellServiceObjectDelayLoad.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Drive\\ShellEx\\ContextMenuHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\ContextMenuHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\DragDropHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\ShellEx\\CopyHookHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Directory\\Background\\ShellEx\\ContextMenuHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\ContextMenuHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\Folder\\ShellEx\\DragDropHandlers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers.*'
          - regexp.winlog.event_data.ObjectName: '(?i)^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WinLogon\\GPExtensions.*'
  ##### ******* Windows Firewall ******** #######
  - name: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
    event_id: 2002, 2004, 2005, 2006, 2009, 2033, 2099, 2097, 2010
    ignore_older: 24h
    tags: [windowsfirewall]
    level: error, info
    provider:
      - Microsoft-Windows-Windows Firewall With Advanced Security
  - name: Security
    event_id: 4944-4954, 4956-4958, 5024, 5025, 5037, 5027-5030, 5032-5035, 5031, 5150, 5151, 5154-5157, 5159
    ignore_older: 24h
    tags: [windowsfirewall]
    processors:
      - drop_event.when.or:
          - regexp.winlog.event_data.DestAddress: '239.255.255.250'
          - regexp.winlog.event_data.DestAddress: '((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}))|:)))(%.+)?'
          - regexp.winlog.event_data.Application: 'dns.exe'
  ##### ******* Windows Service ******** #######
  - name: System
    event_id: 7022-7024, 7026, 7031, 7032, 7034, 7040, 7045
    ignore_older: 24h
    tags: [windowsservice]
    level: error, info, crit, warn
    provider:
      - Service Control Manager
    processors:
      - drop_event.when.or:
          - regexp.winlog.event_data.param1: '^Programme d’installation pour les modules Windows.*'
          - regexp.winlog.event_data.param1: '^Service de transfert intelligent en arrière-plan.*'
  ##### ******* Windows EventLog ******** #######
  - name: System
    event_id: 104
    ignore_older: 24h
    tags: [windowseventlog]
    level: info
    provider:
      - Microsoft-Windows-Eventlog
  - name: Security
    event_id: 1100, 1104, 1105, 1108
    ignore_older: 24h
    tags: [windowseventlog]
  - name: Security
    event_id: 1102
    ignore_older: 24h
    tags: [windowseventlog]
    level: info
    provider:
      - Microsoft-Windows-Eventlog
  ##### ******* Windows PowerShell ******** #######
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
    ignore_older: 48h
    tags: [powershell-legacy]
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4105, 4106
    ignore_older: 48h
    tags: [powershell]
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 4104
          - equals.winlog.event_id: 4100
          - equals.winlog.event_id: 32784
  - name: Microsoft-Windows-PowerShell/Admin
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  - name: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager/Operational
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  - name: Microsoft-Windows-Shell-Core/Operational
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  - name: Microsoft-Windows-Shell-Core/LogonTasksChannel
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  - name: Microsoft-Windows-Shell-Core/AppDefaults
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  - name: Microsoft-Windows-Shell-Core/ActionCenter
    level: 'critical, error'
    ignore_older: 24h
    tags: [powershell]
  # - name: PowerShellCore/Operational
  #   level: 'critical, error, warning'
  #   ignore_older: 24h
  #   tags: [powershell]
  ##### ******* SSH ******** #######
  - name: OpenSSH/Operational
    level: 'critical, error, warning'
    ignore_older: 24h
    tags: [windowsopenssh]
  - name: OpenSSH/Admin
    level: 'critical, error, warning'
    ignore_older: 24h
    tags: [windowsopenssh]
  ##### ******* WMI Activity ******** #######
  - name: Microsoft-Windows-WMI-Activity/Operational
    #event_id: 5857,5858,5859,5860,5861
    level: 'critical, error'
    ignore_older: 24h
    tags: [windowswmi]
    processors:
      - drop_event.when.or:
          - equals.winlog.event_id: 5858
  # - name: Microsoft-Windows-TPM-WMI
  #   level: 'critical, error'
  #   ignore_older: 24h
  #   tags: [windowswmi]
  ##### ******* Windows Privilege ******** #######
  - name: Security
    event_id: 4673, 4674, 4985
    ignore_older: 24h
    tags: [windowsprivilege]
  ##### ******* Windows Process ******** #######
  - name: Security
    event_id: 4688, 4689
    ignore_older: 24h
    tags: [windowsprocess]
  ##### ******* Windows Task ******** #######
  - name: Microsoft-Windows-TaskScheduler/Operational
    event_id: 106, 129, 141, 142, 200, 201
    ignore_older: 24h
    tags: [windowstask]
    provider:
      - Microsoft-Windows-TaskScheduler
  - name: Security
    event_id: 4698-4702
    ignore_older: 24h
    tags: [windowstask]
  ##### ******* DNS Client ******** #######
  - name: Microsoft-Windows-DNS-Client/Operational
    event_id: 3006, 3008, 3010, 3018
    ignore_older: 24h
    tags: [windowsdnsclient]
    processors:
      - drop_event.when:
          or:
            - equals.winlog.event_data.QueryOptions: "140737488355328"
            - equals.winlog.event_data.QueryResults: ""
  ##### ******* Windows RDP ******** #######
  - name: Microsoft-Windows-TerminalServices-RDPClient/Operational
    ignore_older: 24h
    tags: [windowsrdp]
    level: crit, error, info, warn
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
    ignore_older: 24h
    tags: [windowsrdp]
    level: crit, error, info, warn
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-Printers/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-Printers/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-PnPDevices/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-LocalSessionManager/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-ClientUSBDevices/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Admin
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  - name: Microsoft-Windows-TerminalServices-SessionBroker-Client/Operational
    level: crit, error, info, warn
    ignore_older: 24h
    tags: [windowsrdp]
  ##### ******* GPO Errors ******** #######
  - name: System
    event_id: 1085, 1125, 1127, 1129
    ignore_older: 24h
    tags: [windowsgpoerrors]
    level: error
    provider:
      - Microsoft-Windows-GroupPolicy
  - name: Security
    event_id: 6144, 6145
    ignore_older: 24h
    tags: [windowsgpoerrors]
  ##### ******* Account Lockout & Auth ******** #######
  - name: Security
    event_id: 4624-4627, 4634, 4647, 4649, 4672, 4675, 4740, 4774-4779, 4800-4803, 4964, 5378
    level: info
    ignore_older: 24h
    tags: [auth]
    provider:
      - Microsoft-Windows-Security-Auditing
    processors:
      - drop_event.when:
          or:
            - equals.winlog.event_data.TargetUserSid: 'S-1-5-18'
            - regexp.winlog.event_data.TargetUserName: '.*\$'
  - name: Security
    event_id: 4768, 4769, 4770, 4771, 4772, 4773
    ignore_older: 24h
    tags: [auth]
  ##### ******* Windows Defender ******** #######
  - name: Microsoft-Windows-Windows Defender/Operational
    event_id: 1006-1009, 1116-1119
    ignore_older: 24h
    tags: [windowsdefender]
# ------------------------------ Javascript processors -------------------------------
# One "- script:" item per channel. Listing all the when/lang/id/file keys inside a single
# item (as in the flattened copy) repeats the same YAML keys and does not load as intended.
processors:
  - script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: C:\Program Files\winlogbeat\7.17.27\module\security\config\winlogbeat-security.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
      lang: javascript
      id: sysmon
      file: C:\Program Files\winlogbeat\7.17.27\module\sysmon\config\winlogbeat-sysmon.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon
      lang: javascript
      id: sysmon
      file: C:\Program Files\winlogbeat\7.17.27\module\sysmon\config\winlogbeat-sysmon.js
  - script:
      when.equals.winlog.channel: Windows PowerShell
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Admin
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-Shell-Core
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: PowerShellCore/Operational
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
  - script:
      when.equals.winlog.channel: PowerShellCore
      lang: javascript
      id: powershell
      file: C:\Program Files\winlogbeat\7.17.27\module\powershell\config\winlogbeat-powershell.js
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts (replace with your own Graylog/Logstash server IP)
  hosts: ["1.1.1.1:5044"]
# ================================== Logging ===================================
logging.level: info
logging.to_files: true
logging.files:
  path: C:\Program Files\winlogbeat\7.17.27\Logs
  name: winlogbeat
logging.files.rotateeverybytes: 209715200
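Most of the noise reduction in the config above comes from the drop_event processors, and the shorthand keys (drop_event.when.not.or, equals.winlog.event_id, regexp.winlog.event_data.ObjectName) are easy to misread: a not.or entry keeps only events matching at least one listed condition, while a plain or entry drops any event matching one. The following is an added example, not code from this post or from the Graylog content pack: it re-implements the Beats condition semantics (equals, regexp, and, or, not, including the dotted shorthand) in Python and runs a subset of the FileSystem Monitor and USB processors from the config over constructed sample events. The function names, the sample events and the S-1-5-21 user SID are assumptions for illustration only.

```python
import re

# Added example (not from the post or the content pack): a small re-implementation of the
# Beats drop_event condition semantics. Function names and sample events are assumptions.


def get_field(event, dotted_path):
    """Resolve 'winlog.event_data.ObjectType' against a nested event dict; None if absent."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def flatten(mapping, prefix=""):
    """Turn {'winlog': {'event_id': 3}} into {'winlog.event_id': 3} (long-form equals/regexp)."""
    out = {}
    for key, value in mapping.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path) if isinstance(value, dict) else {path: value})
    return out


def parse_condition(node):
    """Parse one condition node (possibly with dotted shorthand) into (operator, argument)."""
    [(key, value)] = node.items()
    op, _, rest = key.partition(".")
    if op in ("or", "and"):
        return op, [parse_condition(child) for child in value]
    if op == "not":  # 'not.or: [...]' is shorthand for 'not: {or: [...]}'
        return "not", parse_condition({rest: value} if rest else value)
    if op in ("equals", "regexp"):  # 'equals.winlog.event_id: 3' carries the field in the key
        return op, ({rest: value} if rest else flatten(value))
    raise ValueError(f"unsupported condition: {key}")


def parse_processor(processor):
    """Extract the 'when' condition from a drop_event processor entry."""
    [(key, value)] = processor.items()
    prefix = "drop_event.when"
    if key == prefix:
        return parse_condition(value)
    if key.startswith(prefix + "."):
        return parse_condition({key[len(prefix) + 1:]: value})
    raise ValueError(f"not a drop_event processor: {key}")


def regex_search(pattern, value):
    """Beats regexp is an unanchored search; hoist an inline (?i) so Python 3.11+ accepts it."""
    if value is None:
        return False
    flags = re.IGNORECASE if "(?i)" in pattern else 0
    return re.search(pattern.replace("(?i)", ""), str(value), flags) is not None


def matches(condition, event):
    op, arg = condition
    if op == "or":
        return any(matches(child, event) for child in arg)
    if op == "and":
        return all(matches(child, event) for child in arg)
    if op == "not":
        return not matches(arg, event)
    if op == "equals":
        return all(get_field(event, field) == expected for field, expected in arg.items())
    return all(regex_search(pat, get_field(event, field)) for field, pat in arg.items())


def is_forwarded(processors, event):
    """True if no drop_event processor fires; processors run in order, first hit drops."""
    return not any(matches(parse_processor(proc), event) for proc in processors)


def make_event(event_id, **event_data):
    """Constructed event in Winlogbeat's winlog.* layout (fields_under_root: true)."""
    return {"winlog": {"event_id": event_id, "event_data": dict(event_data)}}


# Subset of the FileSystem Monitor processors from the config above.
FILESYSTEM_PROCESSORS = [
    {"drop_event.when.not.or": [{"equals.winlog.event_data.ObjectType": "File"}]},
    {"drop_event.when.or": [
        {"equals.winlog.event_data.SubjectUserSid": "S-1-5-18"},
        {"regexp.winlog.event_data.AccessList": r"^%%4416.*"},
        {"regexp.winlog.event_data.ObjectName":
         r"^(?i)C\:\\Users\\[a-zA-Z0-9._~-]+\\AppData\\Local\\Temp.*"},
    ]},
]
# Long-form 'not: and:' as used for the Kernel-PnP/Configuration USB entry.
USB_PROCESSORS = [
    {"drop_event.when.not": {"and": [{"equals.winlog.event_data.DriverName": "usbstor.inf"}]}},
]

USER_SID = "S-1-5-21-1111-2222-3333-1001"  # constructed, not a real account
FILESYSTEM_EVENTS = {  # constructed 4663 events
    "write_by_user": make_event(4663, ObjectType="File", SubjectUserSid=USER_SID,
                                ObjectName=r"C:\Users\alice\Documents\plan.docx", AccessList="%%4417"),
    "directory_listing": make_event(4663, ObjectType="Directory", SubjectUserSid=USER_SID,
                                    ObjectName=r"C:\Users\alice\Documents", AccessList="%%4416"),
    "read_by_user": make_event(4663, ObjectType="File", SubjectUserSid=USER_SID,
                               ObjectName=r"C:\Users\alice\Documents\plan.docx", AccessList="%%4416"),
    "write_by_system": make_event(4663, ObjectType="File", SubjectUserSid="S-1-5-18",
                                  ObjectName=r"C:\Windows\svc.log", AccessList="%%4417"),
    "temp_file_lowercase": make_event(4663, ObjectType="File", SubjectUserSid=USER_SID,
                                      ObjectName=r"c:\users\alice\appdata\local\temp\t.tmp", AccessList="%%4417"),
}
USB_EVENTS = {"usb_storage": make_event(400, DriverName="usbstor.inf"),
              "other_driver": make_event(400, DriverName="monitor.inf")}


def forwarded_names(processors, events):
    """Names of the constructed events that would reach Logstash/Graylog."""
    return sorted(name for name, ev in events.items() if is_forwarded(processors, ev))


if __name__ == "__main__":
    print("filesystem:", forwarded_names(FILESYSTEM_PROCESSORS, FILESYSTEM_EVENTS))
    print("usb:", forwarded_names(USB_PROCESSORS, USB_EVENTS))
```

Only the user's write to a document survives the file-system filter: the directory event fails the not.or gate, the read is dropped by the %%4416 rule, the SYSTEM write by the SID rule, and the lowercase temp path by the case-insensitive regexp. When tuning these lists, running a handful of representative events through an evaluator like this before restarting the agent is cheaper than discovering on the Graylog side that a stream has gone quiet.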
Verification
Restart the agent and confirm the events arrive in the web UI
Things to check when it does not work
- When the CSV files cannot be found
  - Under System -> Lookup Tables -> Data Adapters, change each adapter to the actual path of its CSV file
  - Run a lookup test to confirm that a lookup returns the information registered in the CSV
- Check that the input defined by the content pack is in the running state
  - Installing the content pack automatically creates a beats input; do not change it by hand.
  - Looking at the content pack's view, the input with the title "beats" is of input type beats (adjust here if needed)
- winlogbeat.yml classifies events with tags when sending them, and those tag names are what the content pack relies on
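Since the content pack routes events by the tags set in winlogbeat.yml, a commented-out event_logs entry (for example the DHCP Server block above) silently leaves the matching stream empty. The following is an added example, not part of this post or of the content pack: a small Python audit that lists which channels set each tag in a winlogbeat.yml and reports expected tags that no active entry sets. It parses the file line by line instead of with a YAML library so it runs without extra packages. The config excerpt is constructed in the same layout as the file above, and the list of expected tags is an assumption built from tags visible on this page, not the content pack's actual stream list.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the winlogbeat.yml above (not the full file).
SAMPLE_CONFIG = """\
winlogbeat.event_logs:
  # Account Management
  - name: Security
    event_id: 4720, 4722-4735
    ignore_older: 24h
    tags: [accountmanagement]
  - name: Microsoft-Windows-NTLM/Operational
    level: info
    tags: [activedirectory]
  # DHCP Server (commented out, as on the page)
  # - name: Microsoft-Windows-Dhcp-Server/Operational
  #   ignore_older: 24h
  #   tags: [dhcpserver]
  - name: Security
    event_id: 4688, 4689
    tags: [windowsprocess]
  - name: Microsoft-Windows-PowerShell/Operational
    tags: [powershell]
"""

# Assumed list of tags to verify against; build the real one from the content pack's streams.
EXPECTED_TAGS = ["accountmanagement", "activedirectory", "dhcpserver", "windowsprocess", "powershell"]

NAME_RE = re.compile(r"^\s*-\s*name:\s*(.+?)\s*$")
TAGS_RE = re.compile(r"^\s*tags:\s*\[(.*?)\]\s*$")
COMMENT_RE = re.compile(r"^\s*#")


def tags_by_channel(config_text):
    """Map each tag to the sorted channels that set it, skipping commented-out lines."""
    found = defaultdict(set)
    current_channel = None
    for line in config_text.splitlines():
        if COMMENT_RE.match(line):
            continue
        name_match = NAME_RE.match(line)
        if name_match:
            current_channel = name_match.group(1)
            continue
        tags_match = TAGS_RE.match(line)
        if tags_match and current_channel:
            for raw_tag in tags_match.group(1).split(","):
                tag = raw_tag.strip().strip("'\"")
                if tag:
                    found[tag].add(current_channel)
    return {tag: sorted(channels) for tag, channels in sorted(found.items())}


def missing_tags(config_text, expected_tags):
    """Expected tags that no active event_logs entry sets, so their streams would stay empty."""
    return sorted(set(expected_tags) - set(tags_by_channel(config_text)))


if __name__ == "__main__":
    for tag, channels in tags_by_channel(SAMPLE_CONFIG).items():
        print(f"{tag:20} <- {', '.join(channels)}")
    print("missing:", missing_tags(SAMPLE_CONFIG, EXPECTED_TAGS))
```

Run it against the real file with `tags_by_channel(open(r"C:\Program Files\winlogbeat\7.17.27\winlogbeat.yml").read())` (path assumed from the install layout above); a tag reported as missing points at an entry that was commented out or mistyped, which is the usual reason a content pack stream shows no messages even though the beats input is running.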