Introduction
In this project, I set up log ingestion for Sysmon and Windows Defender event logs into Elasticsearch, enabling real-time monitoring of system activities on a Windows Server. The integration process involved configuring custom event logs, connecting Sysmon and Windows Defender channels, and troubleshooting network issues to ensure smooth data transmission. This project enhances security visibility by centralizing critical event logs in a single platform for analysis and threat detection.
Step 1: Logging into Elasticsearch Dashboard
To begin, I logged into my Elasticsearch dashboard. From the homepage, I navigated to the Integrations Menu. Here, I searched for and selected the Custom Windows Event Log integration.

Step 2: Adding Sysmon Logs Integration
On the Custom Windows Event Log integration page, I clicked the Add Custom Windows Event Log button to start configuring the integration.

I named my integration MyDFIR-WIN-Sysmon. For the channel name, I connected to my Windows Server via Remote Desktop Protocol (RDP) and navigated to:
- Event Viewer > Applications and Services Logs > Microsoft > Windows > Sysmon
From the properties of the Operational log in the Sysmon folder, I copied the Full Name as the channel name.

After pasting the channel name in the integration form, I kept the default settings. I then added the host to an existing Agent Policy and saved the integration.
Step 3: Adding Windows Defender Logs Integration
I followed a similar process to add the Windows Defender logs. Clicking Add Custom Windows Event Log, I named this integration MyDFIR-WIN-Defender. For the channel name, I returned to the Windows Server, navigated to the Windows Defender folder, and copied the channel name from the properties of the Operational log.
In the configuration, I specified the following Event IDs:
- Event ID 1116 – Malware Detected: Logged when Windows Defender detects a threat, providing details like the malware name, severity level, and action taken (quarantine/removal).
- Event ID 1117 – Malware Remediation Failed: Triggered when Windows Defender fails to remove detected malware.
- Event ID 5001 – Real-time Protection Status: Logs the status of real-time protection in Windows Defender, useful for monitoring if real-time protection is enabled or disabled.

I added the host to the existing agent policy and saved the configuration.
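The channel names for Steps 2 and 3 can also be looked up and sanity-checked from a PowerShell prompt on the Windows Server instead of clicking through Event Viewer Properties. The following is an added example, not part of the original project or Elastic's own tooling; the two channel names are the standard Windows names for the Sysmon and Defender Operational logs and should be compared against the Full Name shown in Event Viewer before pasting them into the integration form.

```powershell
# Added example (not from the original post): find the Sysmon and Defender
# Operational channels and confirm they hold events before wiring them into
# the Custom Windows Event Log integration.

# 1. Discover channel Full Names by pattern (same value Event Viewer shows
#    under Properties > Full Name).
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.LogName -match 'Sysmon|Windows Defender' } |
    Select-Object LogName, IsEnabled, RecordCount |
    Format-Table -AutoSize

# 2. Map each integration name used in the post to its channel. These are the
#    standard channel names; verify them against the Event Viewer output above.
$channels = @{
    'MyDFIR-WIN-Sysmon'   = 'Microsoft-Windows-Sysmon/Operational'
    'MyDFIR-WIN-Defender' = 'Microsoft-Windows-Windows Defender/Operational'
}

foreach ($name in $channels.Keys) {
    $log = $channels[$name]
    # -ListLog returns the log's metadata; a misspelled channel raises an error
    # here, which is cheaper to catch than an empty dashboard later.
    $info = Get-WinEvent -ListLog $log -ErrorAction Stop
    "{0}: channel='{1}' enabled={2} records={3}" -f $name, $info.LogName, $info.IsEnabled, $info.RecordCount
}

# 3. Defender: pull only the Event IDs configured in the integration
#    (1116, 1117, 5001) from the last 7 days. If nothing is returned, the
#    integration will have nothing to ship even when connectivity is fine.
$defenderIds = 1116, 1117, 5001
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = $defenderIds
    StartTime = (Get-Date).AddDays(-7)
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
                  @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run this from an elevated PowerShell session, since reading the Sysmon channel requires administrative rights. Step 3 uses `-ErrorAction SilentlyContinue` because `Get-WinEvent` reports "No events were found" as an error when the filter matches nothing; an empty result there is itself useful information when a dashboard stays blank.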
Step 4: Troubleshooting Data Ingestion
After setting up the integrations, I noticed that no data was being received on the dashboard. I restarted the Elastic Agent service on my Windows Server by going to:
- Services > Elastic Agent > Restart
However, this did not resolve the issue. I then checked the firewall rules on my Elasticsearch instance and discovered that port 9200 was blocked. I modified the firewall to allow traffic on port 9200.
Once the firewall rule was adjusted, I began to see data flowing into my Elasticsearch dashboard.
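The troubleshooting in Step 4 (restart the agent service, then check whether port 9200 is reachable) can be scripted so the two causes are told apart in one pass. This is an added example, not part of the original project; `$esHost` is a placeholder for the Elasticsearch address, and the `elastic-agent.exe` path is the default Windows install location, which may differ on your server.

```powershell
# Added example (not from the original post): check the Elastic Agent service
# and network reachability of Elasticsearch on port 9200 from the Windows Server.
$esHost = 'elasticsearch.example.internal'   # placeholder: replace with your Elasticsearch host
$esPort = 9200

# 1. Is the Elastic Agent service running? Restart it only if it is not,
#    and wait up to 30 seconds for it to come back.
$svc = Get-Service -Name 'Elastic Agent' -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    Restart-Service -Name 'Elastic Agent' -Force
    $svc.WaitForStatus('Running', '00:00:30')
}
"Elastic Agent service: {0}" -f (Get-Service -Name 'Elastic Agent').Status

# 2. Can the server open a TCP connection to Elasticsearch on 9200?
#    PingSucceeded=True with TcpTestSucceeded=False is the signature of a host
#    that is up but has the port blocked by a firewall, which is what the post found.
$tcp = Test-NetConnection -ComputerName $esHost -Port $esPort -WarningAction SilentlyContinue
"{0}:{1} tcp={2} ping={3}" -f $esHost, $esPort, $tcp.TcpTestSucceeded, $tcp.PingSucceeded
if (-not $tcp.TcpTestSucceeded) {
    Write-Warning "Port $esPort on $esHost is not reachable; check the firewall rules on the Elasticsearch instance."
}

# 3. The agent's own view of its health (default install path; adjust if needed).
$agentExe = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
if (Test-Path $agentExe) {
    & $agentExe status
} else {
    Write-Warning "elastic-agent.exe not found at $agentExe"
}
```

Running the check before and after changing the firewall rule gives a record of the fix: the TCP test flips from False to True while the ping result stays unchanged, which confirms the problem was the port rule rather than the agent service or basic routing.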

Conclusion
This project involved configuring Sysmon and Windows Defender integrations in Elasticsearch to ingest important event logs from my Windows Server. After configuring the integrations, troubleshooting included restarting services and adjusting firewall settings to allow data flow. With the logs now successfully ingested, I can monitor and analyze system activities in real time.