Setting up Security Onion & initial host logging using Sysmon/WinLogBeat with Logstash and Kiban
In today's article, I will write about setting up and configuring Security Onion as well as configuring a windows10 machine to send windows event logs and sysmon logs to Kibana (SIEM and Visualization platform in security onion).
My lab setup is a small one, I configured a custom "NAT" Vnet and added couple of windows and linux clients, a Microsoft essentials server, a Kali box, SIFT workstation and Security Onion instance.
Security onion was configured with the below 3 interfaces:
The management interface which is in NAT mode so we can update the box
A listener interface configured in promisucous mode. (Bridged mode is in promiscous mode by default)
Another interface which will act as a listener for the log collection. This interface is configured as the custom Vnet.
You can follow the below blog to initially configure your SO instance:
It is quite straightforward.
*Note* MAKE SURE YOU CONFIGURE THE CORRECT TIMEZONE - ONLY MONSTERS CONFIGURE INCORRECT TIMEZONES ON A LOG COLLECTOR
Once the setup is ready, you can check if SGUIL is picking up the logs. I ran a simple nmap against one of the windows machine to get the results:
SGUIL uses UTC timezone as per the below article.
Trying to use a non-UTC timezone can result in the following:
Time zones that have daylight saving time have a one-hour time warp twice a year. This manifests itself in Sguil not being able to pull transcripts for events within that one-hour time period. This is avoided by using UTC, since there is no daylight saving time.
Something similar can happen on a daily basis under certain conditions. If there is a discrepancy between the OS timezone and the Sguil UTC settings, then Sguil will be unable to pull transcripts for events in a window of time around midnight coinciding with the timezone's offset from UTC.
Now that our instance is up and running, let's set up the Windows machine for the desired logging. First thing I did was to download Sysmon, you can download the latest version from here:
Installing Sysmon is pretty easy, run the below in an elevated command prompt:
sysmon -accepteula –i –h md5,sha256 –n
This command will Install with md5 and sha256 hashing of process created and monitoring network connections. This command will use the default configuration file. I grabbed a sample config file to add events generated by lsass (because, you know, mimikatz and stuff). You can find the Sample config here:
I added the below to the config file:
I, than installed sysmon by running the below command:
Sysmon.exe -accepteula -i Sysmonconfig-export.xml -h md5,sha256 -n -l
Make sure to make the Sysmon service autostart:
sc config Sysmon start= auto
Check the status by:
Sc query sysmon
Since we have appropriate logging, we need the Sysmon logs as well as the system logs to be sent to our ELK instance (Security Onion box). In order to do so, I have used a light weight logcollector called WinLogBeat. Winlogbeat is the mechanism that will ship off the log events from the Windows 10 host to the ELK instance.
You can read more about it in this article:
Download the agent from:
The link also contains configuration instruction. Once downloaded, the folder contains the configuration file (winlogbeat.yml) as well as the powershell scripts. Make sure you have the below configurations in the file:
Next, you will modify the destination to send the logs to your ELK instance, SO in this case:
Since the elastic search is not configured on this box, we will comment out the "#output.elasticsearch" and "# hosts: ["localhost:9300"]". We will now define the destination under the "Output.logstash" section, this will be commented out by default. Next to "hosts:" put in the IP address of your ELK instance.
Once, completed - Install the Winlogbeat (via elevated Powershell console) by running the below commands and creating an auto-start service for the WinLogBeat:
powershell -Exec bypass -File .\install-service-winlogbeat.ps1
Set-Service -Name "winlogbeat" -StartupType automatic
Start-Service -Name "winlogbeat"
Last step is to allow the SO instance to accept the traffic coming in on port 5044. Run the below command on the SO terminal:
And choose option "b", put in the allowed range of ips or subnets that are allowed to send traffic on port 5044.
You can login to Kibana and should be able to see the logs coming in under the index "*:logstash-beats-*" . Kibana has a pre-built indexer for Beats, it will automatically parse the raw logs and provide you with the below information
As an example - I attempted a failed privilege escalation of a process "cmd.exe" on the Windows-10 machine:
In Kibana, we can see the below logs:
On expanding the log, you can find useful information like eventID 4776, Audit Failure, ProcessID, ProcessThreadID etc…
Thanks for reading it till the end! I hope this was helpful………………………………….Happy Hunting!