ELK-Win Event Log
- Category: Computer-related
- Last Updated: Wednesday, 21 December 2016 15:51
- Published: Tuesday, 13 December 2016 17:39
- Written by sam
Shipping Windows event logs into an ELK (Elasticsearch, Logstash, Kibana) stack with nxlog.
The result is a Kibana visualization (count of received events); the screenshot is not reproduced here.
Windows event log
First turn on logon auditing, otherwise the Security log stays empty of logon events:
WIN+R, run gpedit.msc
Computer Configuration > Windows Settings > Security Settings
Local Policies
Audit Policy
Enable Success and Failure for "Audit logon events" (this produces 4624, 4778 and 4779) and for "Audit account management" (this produces 4720); the screenshot of these settings is not reproduced here.
Caveat: on Windows 7 / Server 2008 R2 and later, if anything is configured under Security Settings > Advanced Audit Policy Configuration, those subcategory settings override the legacy categories above, so enable the Logon, Other Logon/Logoff Events and User Account Management subcategories there instead.
Once the policy is active you will see events arriving in ELK; an example message (screenshot) followed in the original post.
Below is my nxlog configuration for Windows. This is the Input block only: a working nxlog.conf also needs an Output (for example om_tcp pointing at Logstash) and a Route joining the two.
# xm_json provides to_json(); without this Extension block nxlog fails to start
<Extension json>
    Module  xm_json
</Extension>

<Input eventlog>
    Module  im_msvistalog
    # A trailing backslash continues the Query value onto the next line.
    # Application/System: only Critical (Level=1) and Error (Level=2) events.
    # Security: XPath binds 'and' tighter than 'or', so the third Select reads as
    #   (ProcessName is winlogon.exe AND IpAddress is set AND 4624)   i.e. remote interactive logons
    #   OR (4778 session reconnect, 4779 session disconnect, 4720 user account created)
    Query   <QueryList>\
                <Query Id="0">\
                    <Select Path="Application">*[System[(Level=1 or Level=2)]]</Select>\
                    <Select Path="System">*[System[(Level=1 or Level=2)]]</Select>\
                    <Select Path="Security">*[EventData[Data[@Name='ProcessName']='C:\Windows\System32\winlogon.exe'] and EventData[Data[@Name='IpAddress']!='-'] and System[(EventID=4624)] or System[(EventID=4778 or EventID=4779 or EventID=4720)]]</Select>\
                </Query>\
            </QueryList>
    # Serialise each event as one JSON object for Logstash
    Exec    to_json();
</Input>
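As an added check that is not part of the original post: the PowerShell below enables the audit subcategories that produce the event IDs in the nxlog query (a command-line alternative to the gpedit.msc steps above) and then runs the same XPath locally with Get-WinEvent, so you can confirm the filter actually matches events on the host before hunting for them in Kibana. It assumes an elevated PowerShell prompt on an English-language Windows (auditpol subcategory names are localized; on other languages use the GUIDs from `auditpol /list /subcategory:* /v`); the query text is copied from the nxlog Input above.

```powershell
# Added example (not from the original post). Run elevated.

# Subcategories behind the event IDs in the nxlog query:
#   Logon                     -> 4624
#   Other Logon/Logoff Events -> 4778 / 4779
#   User Account Management   -> 4720
$subcategories = @('Logon', 'Other Logon/Logoff Events', 'User Account Management')
foreach ($name in $subcategories) {
    # Success and failure both enabled so failed logons are visible as well
    auditpol /set /subcategory:"$name" /success:enable /failure:enable | Out-Null
}

# Show the effective policy for the categories just touched
auditpol /get /category:"Logon/Logoff"
auditpol /get /category:"Account Management"

# Same XPath as the nxlog <Select Path="Security"> line. XPath binds 'and' tighter
# than 'or', so this is (winlogon.exe AND remote IP AND 4624) OR (4778 OR 4779 OR 4720).
$securityXPath = "*[EventData[Data[@Name='ProcessName']='C:\Windows\System32\winlogon.exe'] and EventData[Data[@Name='IpAddress']!='-'] and System[(EventID=4624)] or System[(EventID=4778 or EventID=4779 or EventID=4720)]]"

# Critical (1) and Error (2) in Application and System, as in the nxlog query
$levelXPath = '*[System[(Level=1 or Level=2)]]'

# Array subexpression: a log with no matches contributes nothing instead of $null
$recent = @(
    Get-WinEvent -LogName Security    -FilterXPath $securityXPath -MaxEvents 20 -ErrorAction SilentlyContinue
    Get-WinEvent -LogName Application -FilterXPath $levelXPath    -MaxEvents 10 -ErrorAction SilentlyContinue
    Get-WinEvent -LogName System      -FilterXPath $levelXPath    -MaxEvents 10 -ErrorAction SilentlyContinue
)

# Which log/event ID pairs the filter matches on this host (what Kibana's count will be built from)
$recent | Group-Object LogName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# For the 4624 hits, pull the EventData fields the filter relies on out of the event XML
$recent | Where-Object Id -eq 4624 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
        LogonType = $data.LogonType      # 10 = RemoteInteractive (RDP), 2 = console
        IpAddress = $data.IpAddress
        Process   = $data.ProcessName
    }
} | Format-Table -AutoSize
```

If the Security query returns nothing even after a test RDP logon, the audit policy is the first thing to check (`auditpol /get /category:*`), not the nxlog or Logstash side; if it returns events locally but nothing reaches Kibana, the problem is in the Output/Route or the network path.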