While the ELK cluster is typically used for live monitoring, Winlogbeat can be tweaked to manually send "cold logs," or old, inactive Windows Event Logs (EVTX) to ELK manually. This functionality allows an analyst to take EVTX files from images of systems collected and utilize the functionality of the ELK stack for their investigations - … Continue reading Manually upload EVTX log files to ELK with Winlogbeat and PowerShell
In one of my prior posts, Monitoring CentOS Endpoints with Filebeat + ELK, I described the process of installing and configuring the Beats Data Shipper Filebeat on CentOS boxes. This process utilized custom Logstash filters, which require you to manually add these in to your Logstash pipeline and filter all Filebeat logs that way. But … Continue reading Using Default Filebeat Index Templates with Logstash
Previously I had written a guide on Creating a Single-Node ELK Stack; covering what to do when you want create and utilize The Elastic Stack (also formally ELK) on a limited capacity, single-node basis. When assisting my roommate in creating an ELK stack of his own, I realized I had not yet described the process … Continue reading Creating a Multi-Node ELK Stack
In some of my previous posts regarding ELK, we have touched upon numerous ways of sending data from Windows endpoints - however not from much else. In the real world, thankfully, not everything runs off Microsoft's Operating System. Not to hit Microsoft in any way, but for anyone who has experienced systems administration in regards … Continue reading Monitoring CentOS Endpoints with Filebeat + ELK
The Elastic Stack (ELK) is an amazing index-searching tool, utilizing services such as Elasticsearch, Logstash, and Kibana to index and store logs and Beats Data Shippers such as Winlogbeat to ship them there. However, ELK can be just as scary, storing data from a plethora of different machines across one or more networks ripe for … Continue reading ELK + Beats: Securing Communication with Logstash by using SSL
By default on Ubuntu Server, Elasticsearch 6.6.0 is installed to the /var/lib/elasticsearch directory on the partition your OS resides on; the system partition. If you were to have an ELK cluster running in a production environment with 100+ endpoints feeding thousands of logs everyday, you may start to find that your Elasticsearch nodes' drives are … Continue reading Storing Elasticsearch Data on a Separate Ubuntu Partition
In one of my prior posts, I discussed the steps necessary to set up a Single-Node ELK Stack. If you were to follow this guide, Kibana, as it stands, would be accessible to anyone on your network over Port 5601 who knows its IP Address. For myself, I could always socially outcast my roommate if … Continue reading How to Install and Configure NGINX for Kibana
Burnham Forensics 