The universal-winlogbeat-configuration from jhochwald

universal-winlogbeat-configuration's Introduction

Hi there 👋

Write-Output -InputObject 'Josh is an independent IT consultant based in the metropolitan area of Frankfurt am Main, Germany providing expertise to corporate, enterprise, government clients.'
Write-Output -InputObject ''
Write-Output -InputObject ('With over ' + ((Get-Date -Format 'yyyy') - 1990)  + ' years of IT experience, Josh has built up a compelling reputation within his industry and is a respected technology consultant and developer.')
Write-Output -InputObject ''
Write-Output -InputObject 'With exceptional design and problem-solving skills through precise methodologies applied at both technical and business levels, Josh strives to achieve the best business outcomes. He is known for his attention to detail with infrastructure assessment, architecture/design, and implementation, from both customers and peers.'
Write-Output -InputObject ''
Write-Output -InputObject 'Josh has worked on a wide variety of projects either independently and with systems integrator, and as such, has developed a high level of skill and experience in his niche.'
Write-Output -InputObject ''
Write-Output -InputObject 'Josh has close Vendor relationships and aligns with industry and vendor best practices. He puts his heart and soul into every job he does, and values and maintains high ethical standards, integrity, and morals.'
Write-Output -InputObject ''
Write-Output -InputObject 'He is an active member on several well-known Internet forums, runs his own websites, a blogger and active on Twitter. He supports the open-source community, by publish a lot of his code and support several open-source projects.'

universal-winlogbeat-configuration's People

Contributors

Stargazers

Watchers

universal-winlogbeat-configuration's Issues

Great repo!

I have found this repo extraordinarily informative and helpful along with the blog https://hochwald.net/ship-windows-event-logs-with-winlogbeat.

I was wondering, is this is the same configuration you use on domain controllers?
Additionally I was wondering what audit policies you like to turn on in accordance with this.

config test error error initializing processors

downloaded new config and am getting
Exiting: error initializing processors: each processor must have exactly one action, but found 5 actions (script,when,lang,id,file)
winlogbeat v 7.16.3

i was able to get it to pass a config test by removing the following lines


  # As requested by our external CISO service
  - name: ForwardedEvents
    tags: [forwarded]
    processors:
      - script:
        when.equals.winlog.channel: Security
        lang: javascript
        id: security
        file: ${path.home}/module/security/config/winlogbeat-security.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
        lang: javascript
        id: sysmon
        file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      - script:
        when.equals.winlog.channel: Windows PowerShell
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
      - script:
        when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
        lang: javascript
        id: powershell
        file: ${path.home}/module/powershell/config/winlogbeat-powershell.js


# General processors
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# Add JS Infos
processors:
  - script:
    when.equals.winlog.channel: Security
    lang: javascript
    id: security
    file: ${path.home}/module/security/config/winlogbeat-security.js

processors:
  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Sysmon
    lang: javascript
    id: sysmon
    file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

processors:
  - script:
    when.equals.winlog.channel: Windows PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell/Admin
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-PowerShell
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: Microsoft-Windows-Shell-Core
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore/Operational
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

  - script:
    when.equals.winlog.channel: PowerShellCore
    lang: javascript
    id: powershell
    file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

basically every mention of lang:

otherwise i am happy with the file.
thanks.

Recommend Projects