Monday, October 5, 2020

Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Winlogbeat - Elastic Stack 7.9 on Ubuntu 20.04

In this, the eighth and final post in this series, we install, configure and provide basic security for Winlogbeat.

In the first post, we installed Elasticsearch. In the second post, we installed Kibana. This was followed by the third post, where we provided basic security to Elasticsearch and Kibana. In the fourth post, we installed, configured and secured Metricbeat, and in the fifth post we installed, configured and secured Auditbeat. In the sixth post, we installed, configured and provided basic security to Filebeat, and in the seventh post we did the same for Packetbeat.

Similar to the previous posts, we can start from "Add Data".

Winlogbeat Add Data

From the download page, I download the WINDOWS ZIP 64-BIT file. Here I use certutil to fetch it from the command line.

C:\Users\SecurityNik>certutil -f -URLCache "https://artifacts.elastic.co/downloads/beats/winlogbeat/winlogbeat-7.9.2-windows-x86_64.zip" winlogbeat-7.9.2.zip
****  Online  ****
CertUtil: -URLCache command completed successfully.

Verify the file has been downloaded successfully.

C:\Users\SecurityNik>dir winlogbeat-7.9.2.zip
 Volume in drive C is OS
 Volume Serial Number is D436-4013

 Directory of C:\Users\SecurityNik

2020-09-11  07:47 PM        19,156,840 winlogbeat-7.9.2.zip
               1 File(s)     19,156,840 bytes
               0 Dir(s)  31,707,971,584 bytes free
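Checking that the file exists and has a plausible size tells you the download finished; it does not tell you that you got the bytes Elastic published. Elastic publishes a SHA512 checksum next to each artifact, and verifying it is cheap. The following is an added example, not part of the original post: it downloads the same 7.9.2 archive with PowerShell and refuses to keep it unless the digest matches. It assumes the artifacts.elastic.co URL layout used above and that the companion .sha512 file uses the sha512sum layout ("<hex digest>  <filename>").

```powershell
# Added example, not from the original post. Fetches the Winlogbeat archive and
# checks it against the SHA512 checksum Elastic publishes beside each artifact,
# so a tampered or truncated download is rejected before anything is unpacked.
# Assumptions: the 7.9.2 artifact URL used in this post, and that the companion
# .sha512 file follows the sha512sum layout "<hex digest>  <filename>".
$ProgressPreference = 'SilentlyContinue'   # Invoke-WebRequest is very slow on PS 5.1 otherwise
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$Version = '7.9.2'
$Archive = "winlogbeat-$Version-windows-x86_64.zip"
$Base    = 'https://artifacts.elastic.co/downloads/beats/winlogbeat'

Invoke-WebRequest -Uri "$Base/$Archive"        -OutFile $Archive
Invoke-WebRequest -Uri "$Base/$Archive.sha512" -OutFile "$Archive.sha512"

# First whitespace-delimited token of the .sha512 file is the digest
$Expected = ((Get-Content -LiteralPath "$Archive.sha512" -Raw).Trim() -split '\s+')[0].ToLower()
$Actual   = (Get-FileHash -LiteralPath $Archive -Algorithm SHA512).Hash.ToLower()

if ($Actual -ne $Expected) {
    # Do not leave an unverified archive lying around to be expanded later by mistake
    Remove-Item -LiteralPath $Archive -Force
    throw "SHA512 mismatch for $Archive`nexpected: $Expected`nactual:   $Actual"
}
Write-Host "SHA512 OK: $Archive ($($Actual.Substring(0, 16))...)"
```

Only after "SHA512 OK" is printed should you run the Expand-Archive step that follows. Note what this does and does not prove: the checksum comes over the same TLS channel as the archive, so it catches corruption, a truncated transfer and a swapped file on a mirror, but not a compromise of the origin itself; Elastic also publishes detached PGP signatures (.asc) for its artifacts, which is the stronger check if your process requires it.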

Expand the "winlogbeat-7.9.2.zip" archive into the current directory and verify the files within it.

PS C:\Users\SecurityNik> Expand-Archive -LiteralPath .\winlogbeat-7.9.2.zip -DestinationPath .

PS C:\Users\SecurityNik> dir .\winlogbeat-7.9.2-windows-x86_64\


    Directory: C:\Users\SecurityNik\winlogbeat-7.9.2-windows-x86_64


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        2020-09-11   8:14 PM                kibana
d-----        2020-09-11   8:14 PM                module
-a----        2020-09-01   8:12 PM             41 .build_hash.txt
-a----        2020-09-01   8:10 PM         194542 fields.yml
-a----        2020-09-01   8:12 PM            897 install-service-winlogbeat.ps1
-a----        2020-09-01   6:50 PM          13675 LICENSE.txt
-a----        2020-09-01   6:51 PM        8440372 NOTICE.txt
-a----        2020-09-01   8:12 PM            832 README.md
-a----        2020-09-01   8:12 PM            254 uninstall-service-winlogbeat.ps1
-a----        2020-09-01   8:12 PM       62381056 winlogbeat.exe
-a----        2020-09-01   8:10 PM          54147 winlogbeat.reference.yml
-a----        2020-09-01   8:10 PM           8778 winlogbeat.yml

With those files extracted, and since we are also providing some basic security, we need to copy the "SecurityNik-CA.pem" Certification Authority (CA) certificate to this system, in the same folder as the other configuration files. Winlogbeat uses it to verify the certificates that Elasticsearch and Kibana present. Since we are not doing mutual TLS, where the server also authenticates the client, no client certificate or key is needed on the Windows side. If we look at the Winlogbeat directory again, we see the certificate and Sysmon.exe. I added Sysmon for the extra level of logging it provides. Basically, if you are monitoring your Windows environment and not using Sysmon, then I guess you are special.

PS C:\Users\SecurityNik> dir .\winlogbeat-7.9.2-windows-x86_64\


    Directory: C:\Users\SecurityNik\winlogbeat-7.9.2-windows-x86_64


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
...
-a----        2020-08-14   3:29 PM           1200 SecurityNik-CA.pem
-a----        2020-08-14   2:17 PM        4282224 Sysmon.exe
...

Let's first install Sysmon on the host. Note that "-i" with no configuration file installs Sysmon with its default rule set, which records process creation and termination, driver loads and a handful of other event types, but not network connections (event ID 3) or image loads (event ID 7). For anything beyond a lab, install with a tuned configuration XML instead ("sysmon -accepteula -i <your-config>.xml"); the collection settings below work the same either way.

C:\winlogbeat-7.9.2-windows-x86_64>sysmon -accepteula -i


System Monitor v11.11 - System activity monitor
Copyright (C) 2014-2020 Mark Russinovich and Thomas Garnier
Sysinternals - www.sysinternals.com

Sysmon installed.
SysmonDrv installed.
Starting SysmonDrv.
SysmonDrv started.
Starting Sysmon..
Sysmon started.
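"Sysmon started." only says the service came up. Before pointing Winlogbeat at it, it is worth confirming which rule set is active, that both the user-mode service and the kernel driver are running, and that events are actually being written to the Microsoft-Windows-Sysmon/Operational channel, which is the channel Winlogbeat's sysmon module reads. The following is an added example, not part of the original post; it assumes Sysmon.exe is in the current directory and that the shell is elevated.

```powershell
# Added example, not from the original post. After "sysmon -accepteula -i", confirm
# the active configuration, that service and driver are running, and that events are
# reaching the channel Winlogbeat will read. Assumes Sysmon.exe is in the current
# directory and the session is elevated.

# -c with no argument dumps the active configuration (schema version, hash
# algorithm, rule summary) instead of applying one
.\Sysmon.exe -c

# User-mode service is visible to Get-Service; the kernel driver is not, so ask
# the service control manager directly for it
Get-Service -Name Sysmon | Format-Table Name, Status, StartType -AutoSize
sc.exe query SysmonDrv

# Distribution of recent events by ID. With the default rule set you will mostly see
# 1 (ProcessCreate) and 5 (ProcessTerminate); 3 (NetworkConnect) needs -n or a config
# file, and 7 (ImageLoad) needs -l or a config file. An empty result here means
# nothing is being logged and there is nothing for Winlogbeat to ship.
$Channel = 'Microsoft-Windows-Sysmon/Operational'
Get-WinEvent -LogName $Channel -MaxEvents 1000 -ErrorAction Stop |
    Group-Object -Property Id |
    Sort-Object { [int]$_.Name } |
    Format-Table @{ Name = 'EventID'; Expression = { $_.Name } }, Count -AutoSize

# The newest process-creation event in full, to see the fields (Image, CommandLine,
# Hashes, ParentImage, ParentCommandLine) that the sysmon module maps into ECS
Get-WinEvent -FilterHashtable @{ LogName = $Channel; Id = 1 } -MaxEvents 1 |
    Select-Object -ExpandProperty Message

# Switching to a tuned rule set later does not require a reinstall:
#   .\Sysmon.exe -c .\<your-config>.xml
```

Run the event-count query again a minute after changing the rule set; the mix of event IDs is the quickest way to see whether a new configuration took effect, and the same counts are what you should expect to see arriving in Elasticsearch once the service is running.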

With Sysmon installed, we next modify Winlogbeat's configuration file. Below are the changes in my environment, shown from the copy at C:\winlogbeat-7.9.2, which is where the folder ends up in the next step. The default winlogbeat.yml already subscribes to the Microsoft-Windows-Sysmon/Operational channel and runs it through module/sysmon/config/winlogbeat-sysmon.js (the script is visible in the copy listing further down), so no extra event_logs entry is needed for Sysmon.

PS C:\Users\SecurityNik> type C:\winlogbeat-7.9.2\winlogbeat.yml | more
....
# =================================== Kibana ===================================
setup.kibana:
  host: "https://10.0.0.1:5601"


# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://10.0.0.1:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "WelcomeToSecurityNikElastic"


# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
      # Added by Nik
      geo:
        name: home-ON
        continent_name: North America
        country_name: Canada
        country_iso_code: CA
        region_name: Ontario
        region_iso_code: CA-ON
        city_name: GTA


# SSL configuration enabled by Nik
output.elasticsearch.ssl.enabled: true
output.elasticsearch.ssl.certificate_authorities: ["C:\\winlogbeat-7.9.2\\SecurityNik-CA.pem"]
# ssl.verification_mode is left at its default of "full": the server certificate must
# chain to the CA above and its subject alternative name must match the host in the
# URL (here the IP 10.0.0.1). Do not set it to "none" to make a handshake error go away.

setup.kibana.ssl.enabled: true
setup.kibana.ssl.certificate_authorities: ["C:\\winlogbeat-7.9.2\\SecurityNik-CA.pem"]
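One thing in the configuration above that is fine for a lab but not beyond it: the password for the "elastic" superuser sits in clear text in winlogbeat.yml, a file anyone with read access to C:\winlogbeat-7.9.2 can open. Beats ship a keystore for exactly this, so the YAML can hold a reference instead of the secret. The following is an added example, not part of the original post. It assumes the folder layout used in this post (C:\winlogbeat-7.9.2) and that the service will be installed with the bundled install-service-winlogbeat.ps1, which starts Winlogbeat with "-path.data C:\ProgramData\winlogbeat"; the keystore is stored under path.data, so it has to be created with that same path or the service will not find it. ES_PWD is a key name chosen for this example.

```powershell
# Added example, not from the original post. Moves the elastic password out of
# winlogbeat.yml into the Beats keystore and locks down the folders that hold the
# config and the keystore. Assumes the layout used in this post (C:\winlogbeat-7.9.2)
# and the bundled install-service-winlogbeat.ps1, which starts the service with
# -path.data C:\ProgramData\winlogbeat. The keystore lives under path.data, so it is
# created with the same path; a plain "winlogbeat keystore create" would put it in
# C:\winlogbeat-7.9.2\data, which the service never reads.
Set-Location C:\winlogbeat-7.9.2
$DataPath = 'C:\ProgramData\winlogbeat'

.\winlogbeat.exe keystore create --force -path.data $DataPath

# Read the password interactively so it never lands on the command line, in
# PSReadLine history or in a script on disk; hand it to the keystore on stdin.
$Secure = Read-Host -Prompt 'Password for the elastic user' -AsSecureString
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try {
    $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
    $Plain | .\winlogbeat.exe keystore add ES_PWD --stdin --force -path.data $DataPath
}
finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
    Remove-Variable -Name Plain -ErrorAction SilentlyContinue
}

# Key names are listed; values never are
.\winlogbeat.exe keystore list -path.data $DataPath

# In winlogbeat.yml the literal password becomes a reference that is resolved at
# startup from the keystore:
#   output.elasticsearch:
#     username: "elastic"
#     password: "${ES_PWD}"
# Re-run the config test with the same data path; "Config OK" proves the
# reference resolves (a missing key fails here, not later in the service log).
.\winlogbeat.exe test config -path.data $DataPath

# The keystore is obfuscated, not encrypted, and winlogbeat.yml still names the user
# and the hosts, so restrict both directories to SYSTEM (the account the service runs
# as) and Administrators. Inherited ACEs are removed and replaced outright.
icacls C:\winlogbeat-7.9.2 /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
icacls $DataPath           /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F'
```

Two things still worth fixing afterwards, which this example does not cover: the account used is "elastic", the built-in superuser, whereas a log shipper only needs the publishing privileges; and a password in a keystore is still a shared credential, so the api_key option commented out in the config is the better fit once you have a role scoped to writing winlogbeat-* indices.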

Rename the Winlogbeat folder to a simpler name and copy it to the root of the C: drive.

C:\Users\securitynik>xcopy /S /I /E .\winlogbeat-7.9.2 c:\winlogbeat-7.9.2\
.\winlogbeat-7.9.2\.build_hash.txt
.\winlogbeat-7.9.2\fields.yml
.\winlogbeat-7.9.2\install-service-winlogbeat.ps1
.\winlogbeat-7.9.2\LICENSE.txt
.\winlogbeat-7.9.2\NOTICE.txt
.\winlogbeat-7.9.2\README.md
.\winlogbeat-7.9.2\SecurityNik-CA.pem
.\winlogbeat-7.9.2\Sysmon.exe
.\winlogbeat-7.9.2\uninstall-service-winlogbeat.ps1
.\winlogbeat-7.9.2\winlogbeat.exe
.\winlogbeat-7.9.2\winlogbeat.reference.yml
.\winlogbeat-7.9.2\winlogbeat.yml
.\winlogbeat-7.9.2\kibana\7\dashboard\01c54730-fee6-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\71f720f0-ff18-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\8223bed0-b9e9-11e9-b6a2-c9b4015c4baf.json
.\winlogbeat-7.9.2\kibana\7\dashboard\bb858830-f412-11e9-8405-516218e3d268.json
.\winlogbeat-7.9.2\kibana\7\dashboard\Powershell-Overview-Dashboard.json
.\winlogbeat-7.9.2\kibana\7\dashboard\Winlogbeat-overview.json
.\winlogbeat-7.9.2\module\powershell\config\winlogbeat-powershell.js
.\winlogbeat-7.9.2\module\security\config\winlogbeat-security.js
.\winlogbeat-7.9.2\module\sysmon\config\winlogbeat-sysmon.js
21 File(s) copied

With the files now copied, let's test our configuration.

C:\winlogbeat-7.9.2>winlogbeat.exe test config
Config OK

Configuration looks "OK". 

Now to test that everything else is good to go.

C:\winlogbeat-7.9.2>winlogbeat test output -e
2020-09-11T18:52:42.260-0700    INFO    instance/beat.go:640    Home path: [C:\winlogbeat-7.9.2] Config path: [C:\winlogbeat-7.9.2] Data path: [C:\winlogbeat-7.9.2\data] Logs path: [C:\winlogbeat-7.9.2\logs]
2020-09-11T18:52:42.267-0700    INFO    instance/beat.go:648    Beat ID: 6d3822d8-a900-4c46-b040-ae41659b2745
2020-09-11T18:52:42.284-0700    INFO    [index-management]      idxmgmt/std.go:184      Set output.elasticsearch.index to 'winlogbeat-7.9.2' as ILM is enabled.
2020-09-11T18:52:42.317-0700    INFO    eslegclient/connection.go:99    elasticsearch url: https://10.0.0.1:9200
elasticsearch: https://10.0.0.1:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 192.168.0.4
2020-09-11T18:52:42.332-0700    INFO    [add_cloud_metadata]    add_cloud_metadata/add_cloud_metadata.go:89     add_cloud_metadata: hosting provider type not detected.
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
2020-09-11T18:52:42.450-0700    INFO    [esclientleg]   eslegclient/connection.go:314   Attempting to connect to Elasticsearch version 7.9.0
2020-09-11T18:52:42.489-0700    INFO    [license]       licenser/es_callback.go:51      Elasticsearch license: Basic
  talk to server... OK
  version: 7.9.2

The TLS section of that output is the part that matters for this series: "server's certificate chain verification is enabled" confirms the connection is being validated against our CA rather than blindly accepted, and the handshake negotiated TLS 1.3. Next up, we install the Winlogbeat service.

PS C:\winlogbeat-7.9.2> .\install-service-winlogbeat.ps1

Status   Name               DisplayName
------   ----               -----------
Stopped  winlogbeat         winlogbeat

Above we see the service was installed, but its status is "Stopped". Let's start the service and verify it is running.

PS C:\winlogbeat-7.9.2> Start-Service winlogbeat
PS C:\winlogbeat-7.9.2> Get-Service winlogbeat

Status   Name               DisplayName
------   ----               -----------
Running  winlogbeat         winlogbeat
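"Running" means the process is up, not that events are leaving the box. Before switching to Kibana, the Windows side can tell you whether the output connected over TLS, whether anything has been acknowledged by Elasticsearch, and which channels are being read. The following is an added example, not part of the original post. It assumes the service was installed with the bundled script, so Winlogbeat's own log is under C:\ProgramData\winlogbeat\logs and its registry file (the per-channel read position) is C:\ProgramData\winlogbeat\.winlogbeat.yml.

```powershell
# Added example, not from the original post. Checks the shipping pipeline from the
# Windows host before looking in Kibana. Assumes the service was installed with the
# bundled install-service-winlogbeat.ps1 (logs in C:\ProgramData\winlogbeat\logs,
# registry file C:\ProgramData\winlogbeat\.winlogbeat.yml).
$DataPath = 'C:\ProgramData\winlogbeat'

# 1. Service state
Get-Service -Name winlogbeat | Format-Table Name, Status, StartType -AutoSize

# 2. Newest Winlogbeat log file (skip the stderr redirect file the service script enables)
$Log = Get-ChildItem -Path "$DataPath\logs" -File |
    Where-Object Name -notmatch 'stderr' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1
"Reading $($Log.FullName)"

# 3. The output connected and authenticated: one "established" line for the
#    Elasticsearch host, and no ERROR lines. A CA that does not match, a SAN that does
#    not cover 10.0.0.1, or a wrong password all surface here before anywhere else.
Select-String -Path $Log.FullName -Pattern 'Connection to .* established' | Select-Object -Last 1
$Errors = Select-String -Path $Log.FullName -Pattern '\sERROR\s'
if ($Errors) { $Errors | Select-Object -Last 5 } else { 'No ERROR lines in current log' }

# 4. Throughput: Winlogbeat logs a "Non-zero metrics" line every 30s; "acked" is the
#    number of events the Elasticsearch output had confirmed in that window.
Select-String -Path $Log.FullName -Pattern '"acked":(\d+)' |
    Select-Object -Last 3 |
    ForEach-Object { '{0}  acked={1}' -f $_.Line.Substring(0, 19), $_.Matches[0].Groups[1].Value }

# 5. Registry: every channel read so far with its last record number. Once Sysmon
#    events are flowing, Microsoft-Windows-Sysmon/Operational appears in this list.
Get-Content -LiteralPath "$DataPath\.winlogbeat.yml"
```

If step 3 shows an "established" line but step 4 shows nothing, the usual cause is that the channels in winlogbeat.event_logs are empty or that Winlogbeat started from the end of the logs (the default on a first run), so generate some activity and wait for the next metrics line rather than assuming the output is broken.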

Looks good. Let's now switch back to the Kibana UI and verify that data is coming in.

Nice, we have data coming in.

Looking at the Security app.

All looks good.

Well, that's it for this series. As a recap: in this eight-part series, we installed, configured and provided basic security to Elasticsearch, Kibana, Metricbeat, Auditbeat, Filebeat, Packetbeat and Winlogbeat.


Posts in this series:

Security On The Cheap - Beginning Elastic Stack - Installing Elastic 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Installing Kibana 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic Stack - Providing Basic Security to Elastic and Kibana 7.9 communication on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Metricbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Auditbeat - Elastic Stack 7.9 on Ubuntu 20.04
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Filebeat - Elastic Stack 7.9 on Ubuntu 20.04
Beginning Elastic - Installing, Configuring and Providing Basic Security to Packetbeat
Security On The Cheap - Beginning Elastic - Installing and Providing Basic Security to Winlogbeat

References:

https://www.elastic.co/downloads/beats/winlogbeat
https://www.howtogeek.com/670314/how-to-zip-and-unzip-files-using-powershell/

2 comments:

  1. Great blog! Thank you for putting your effort into it.
    I have a question about winlogbeat. I can also collect windows event logs with filebeat, right? So what makes winlogbeat preferable compared to filebeat? Can you please clarify it? Thank you.

    1. Hello Sema,
      Sorry about the late reply. These days I use the Elastic Agent with the Windows integration. I'm not sure about collecting Windows logs with Filebeat. I do not see Windows as one of the options when I run "securitynik@securitynik:~$ sudo filebeat modules list | grep windows".

      Hope this helps
