
Client Setup

S03D4-164 edited this page Apr 30, 2020 · 1 revision

To send event logs to the SysmonSearch environment, the following applications must be running on the Windows client:

  • Sysmon
  • Winlogbeat

Sysmon

Download and install Sysmon.

Sysmon does not record network communication or registry-related events by default. To record the events you need, add the corresponding rules to a configuration file and import it.

Create a configuration file suited to your environment, or use an existing file tuned by volunteers (sysmon-config by SwiftOnSecurity), and apply it to Sysmon.

# Install Sysmon (64-bit) with the configuration file:
sysmon64.exe -i sysmon-config-export.xml

# Apply a configuration file to an already installed Sysmon:
sysmon64.exe -c sysmon-config-export.xml

Winlogbeat

Download and unzip Winlogbeat.

If sending logs to the SysmonSearch environment in real time:

Modify the following part of the configuration file (winlogbeat.yml):

winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"
# It is necessary to delete the following default processors configuration:
#    processors:
#      - script:
#          lang: javascript
#          id: sysmon
#          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

...

# Configure ElasticSearch Server IP address
output.elasticsearch:
  hosts: ["Elasticsearch server IP address:9200"]

If Winlogbeat needs to run permanently as a Windows service, refer to the instructions by Elastic for installation.

Alternatively, run it in the foreground from a command prompt:

.\winlogbeat.exe -e -c .\winlogbeat.yml

If sending an existing event log file:

Create a configuration file as follows:

winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop

winlogbeat.shutdown_timeout: 30s

output.elasticsearch.hosts: ['<Elasticsearch IP address>:9200']

Run Winlogbeat from a command prompt, passing the configuration file and the path of the event log file:

.\winlogbeat.exe -e -c .\winlogbeat-evtx.yml -E EVTX_FILE=c:\your_sysmon_log.evtx
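The following PowerShell script is an added example, not part of the SysmonSearch wiki, for checking the client setup described above before expecting events to show up in SysmonSearch. It assumes Sysmon was installed as the 64-bit service named Sysmon64, that winlogbeat.yml is in the current directory, and that the Elasticsearch host placeholder is replaced with your own server address.

```powershell
# Added example (not SysmonSearch project code): sanity-check the client setup.
param(
    [string]$WinlogbeatConfig  = ".\winlogbeat.yml",
    [string]$ElasticsearchHost = "<Elasticsearch IP address>",   # placeholder, set to your server
    [int]$ElasticsearchPort    = 9200
)

$problems = @()

# 1. The Sysmon service must exist and be running (sysmon64.exe -i registers "Sysmon64").
$svc = Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    $problems += "Sysmon64 service is missing or not running; run sysmon64.exe -i <config>.xml"
}

# 2. Network (ID 3) and registry (ID 12-14) events are only written when the imported
#    rules enable them, so finding none usually means the default configuration is in use.
$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 3, 12, 13, 14 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 10 -ErrorAction SilentlyContinue
if (-not $events) {
    $problems += "No network/registry Sysmon events found; check the rules in the applied configuration file"
}

# 3. winlogbeat.yml must collect the Sysmon channel and must not keep the default
#    script processor (winlogbeat-sysmon.js) that the wiki says to delete.
$cfg    = Get-Content -Path $WinlogbeatConfig -ErrorAction Stop
$active = $cfg | Where-Object { $_ -notmatch '^\s*#' }      # ignore commented-out lines
if (-not ($active -match 'Microsoft-Windows-Sysmon/Operational')) {
    $problems += "winlogbeat.yml does not list Microsoft-Windows-Sysmon/Operational under winlogbeat.event_logs"
}
if ($active -match 'winlogbeat-sysmon\.js') {
    $problems += "winlogbeat.yml still contains the default sysmon script processor; delete that processors block"
}

# 4. The Elasticsearch port must be reachable from this client.
$tcp = Test-NetConnection -ComputerName $ElasticsearchHost -Port $ElasticsearchPort -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    $problems += "Cannot reach ${ElasticsearchHost}:${ElasticsearchPort}; check output.elasticsearch.hosts and the firewall"
}

if ($problems.Count -eq 0) {
    "Client setup looks correct."
} else {
    $problems | ForEach-Object { "PROBLEM: $_" }
}
```

Run it from the Winlogbeat directory in an elevated PowerShell session, since reading the Sysmon operational log requires administrative rights.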