Using ELK? Show us yours if you can!

DHR

DHR

Soldato
Joined
30 Apr 2003
Posts
3,414
I'm interested in hearing people's experiences of using ELK, particularly for monitoring things for compliance, and whether there are any good pre-formatted "templates" out there for common functions and community databases of them? I've never touched it before!

I've been dumping things out to Graylog for a year now. It's been solid and search is good, but I put the dashboards in place based on community templates that are just no longer maintained. It feels a little dated now too, plus my head is so far out of that space now that it feels time for something fresh.

Something that is visually pleasing for management reporting could be a major advantage.

Predominantly I'm looking at:-
  • Cisco FTD/Firepower logs - Common things such as number of severity alerts, volume of traffic from IPs, popular ports etc. I know some of this can be retrieved from Firepower itself, but I'm conscious we may be moving away from the platform so I want to take that into consideration.

  • Windows Logs - Security logs, locked out accounts, failed login attempts, created accounts, disabled accounts etc. The usual stuff.

  • Custom Logs - Consolidation of logs from various web based development platforms

  • Anything SIEM, would be a huge bonus!

Edit - I suspect this may have been better in the enterprise forums now? If it needs moving let me know!
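Since the Windows Security log items above (failed logins, lockouts, created and disabled accounts) are a standard ask, here is an added example of the tallying you would want a dashboard or SIEM rule to do, so you can see what the data has to look like before it reaches Kibana. This is not code from the thread or from Elastic; the event layout (winlog.event_id, winlog.event_data.TargetUserName, winlog.event_data.IpAddress) is the shape Winlogbeat emits and is assumed here, and the events themselves are constructed.

```python
"""Tally Windows Security events (failed logons, lockouts, account
creation/disablement) from newline-delimited JSON and flag accounts
with repeated failed logons.

Added example: Winlogbeat-shaped field layout is assumed; sample events
are constructed."""
import json
from collections import Counter

# Windows Security log event IDs for the categories asked about
EVENT_NAMES = {
    4625: "failed_logon",
    4740: "account_locked_out",
    4720: "account_created",
    4725: "account_disabled",
}


def _ev(event_id, user, ip="-"):
    # Build one constructed, Winlogbeat-shaped event line (assumed layout)
    return json.dumps({
        "winlog": {"event_id": event_id,
                   "event_data": {"TargetUserName": user, "IpAddress": ip}}
    })


# Constructed sample input: one JSON event per line, plus one malformed line
SAMPLE_LINES = [
    _ev(4625, "alice", "10.0.0.5"),
    _ev(4625, "alice", "10.0.0.5"),
    _ev(4625, "alice", "10.0.0.5"),
    _ev(4740, "alice", "10.0.0.5"),
    _ev(4625, "bob", "10.0.0.9"),
    _ev(4624, "carol", "10.0.0.7"),   # successful logon, not tallied here
    _ev(4720, "svc_backup"),
    _ev(4725, "old_user"),
    "{not valid json",               # ingest noise, skipped
]


def parse_events(lines):
    """Yield parsed events; skip lines that are not JSON objects with a winlog key."""
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and "winlog" in event:
            yield event


def summarise(events, failed_threshold=3):
    """Count events per category and list accounts with >= failed_threshold failed logons."""
    counts = Counter()
    failed_by_user = Counter()
    failed_by_source = Counter()
    for event in events:
        win = event["winlog"]
        name = EVENT_NAMES.get(win.get("event_id"))
        if name is None:
            continue                      # not a category we report on
        counts[name] += 1
        data = win.get("event_data", {})
        if name == "failed_logon":
            failed_by_user[data.get("TargetUserName", "?")] += 1
            failed_by_source[data.get("IpAddress", "?")] += 1
    flagged = sorted(u for u, n in failed_by_user.items() if n >= failed_threshold)
    return {
        "counts": dict(counts),
        "failed_by_user": dict(failed_by_user),
        "failed_by_source": dict(failed_by_source),
        "repeated_failures": flagged,
    }


if __name__ == "__main__":
    print(json.dumps(summarise(parse_events(SAMPLE_LINES)), indent=2))
```

The same grouping (event ID, then TargetUserName and IpAddress) is what you would put behind a Kibana visualisation; the threshold is the knob you tune per environment, since a single service account retrying a stale password will otherwise dominate the list.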
 

Associate
Joined
23 Mar 2005
Posts
1,024
Had Wazuh running and approved for PCI for a few years. Have made some custom bits with Logstash for other things.
 

Associate
Joined
23 Mar 2005
Posts
1,024
Yes, I have my stack and then it's a server and agents for security logs. They have a dashboard in Kibana. Worked OK for me as I have Windows and Linux logs going there, and then I also send all my logging for ESXi and firewalls etc. direct to Logstash. Running near 90TB a year so not massive.
 

DHR

DHR

Soldato
OP
Joined
30 Apr 2003
Posts
3,414
Yes, I have my stack and then it's a server and agents for security logs. They have a dashboard in Kibana. Worked OK for me as I have Windows and Linux logs going there, and then I also send all my logging for ESXi and firewalls etc. direct to Logstash. Running near 90TB a year so not massive.

Is that retention :o

Are you running it cloud based or local? Toying with trying the Elastic SaaS offering, really don't want costs running away though.
 

Associate
Joined
23 Mar 2005
Posts
1,024
That is the yearly total as I only need to keep 1 year. I run it locally across virtual instances between 2 sites. Honestly, I would rather have it run by someone else if I had the budget.
 

DHR

DHR

Soldato
OP
Joined
30 Apr 2003
Posts
3,414
:D ...and you've pre-empted my next question!

Have you made your own dashboards or are you using pre-built ones?
 

Associate
Joined
23 Mar 2005
Posts
1,024
Well, Wazuh has them with it and then I have some built for what was needed. Compared to what I see online they are pretty basic.

I did loop out with lumberjack the start and end of jobs I have to time for some apps, so you can expand. I would like the machine learning bit if I paid.
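The job-timing trick above (ship a start event and an end event, pair them up, chart the durations) is worth seeing end to end because the awkward cases are the interesting ones: a run that has started but not finished, and an end event whose start never arrived. Here is an added example of that pairing; it is not the poster's Logstash/lumberjack setup, and the field names (ts, job, run_id, phase, status) and the events are constructed.

```python
"""Pair job start/end events by run_id and compute run durations,
keeping unfinished runs and orphaned end events visible.

Added example: field names and sample events are constructed, not the
poster's own log format."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, in the order a log shipper might deliver them
SAMPLE_JOB_EVENTS = [
    {"ts": "2024-01-01T01:00:00Z", "job": "nightly-backup", "run_id": "r1", "phase": "start"},
    {"ts": "2024-01-01T01:42:30Z", "job": "nightly-backup", "run_id": "r1", "phase": "end", "status": "ok"},
    {"ts": "2024-01-01T02:00:00Z", "job": "report-export", "run_id": "r2", "phase": "start"},
    {"ts": "2024-01-01T02:05:00Z", "job": "report-export", "run_id": "r2", "phase": "end", "status": "failed"},
    {"ts": "2024-01-01T03:00:00Z", "job": "nightly-backup", "run_id": "r3", "phase": "start"},  # still running
    {"ts": "2024-01-01T03:10:00Z", "job": "ghost", "run_id": "r4", "phase": "end", "status": "ok"},  # start never seen
]


def _parse_ts(value):
    # ISO 8601 with a trailing Z; fromisoformat accepts the +00:00 form on all supported Pythons
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def pair_runs(events):
    """Return (completed, still_open, orphan_ends).

    completed:   list of {job, run_id, status, seconds} for start/end pairs
    still_open:  sorted run_ids with a start but no end (running, or end event lost)
    orphan_ends: run_ids whose end arrived with no matching start
    """
    open_runs = {}
    completed, orphans = [], []
    for ev in events:
        key = ev["run_id"]
        if ev["phase"] == "start":
            open_runs[key] = ev
        elif ev["phase"] == "end":
            start = open_runs.pop(key, None)
            if start is None:
                orphans.append(key)
                continue
            seconds = (_parse_ts(ev["ts"]) - _parse_ts(start["ts"])).total_seconds()
            completed.append({"job": ev["job"], "run_id": key,
                              "status": ev.get("status", "unknown"), "seconds": seconds})
    return completed, sorted(open_runs), orphans


def duration_stats(completed):
    """Per-job run count, failure count, and max/mean duration in seconds."""
    by_job = defaultdict(list)
    failures = defaultdict(int)
    for run in completed:
        by_job[run["job"]].append(run["seconds"])
        if run["status"] != "ok":
            failures[run["job"]] += 1
    return {
        job: {"runs": len(s), "failed": failures[job], "max": max(s), "mean": sum(s) / len(s)}
        for job, s in by_job.items()
    }


if __name__ == "__main__":
    done, still_open, orphans = pair_runs(SAMPLE_JOB_EVENTS)
    print(duration_stats(done))
    print("open:", still_open, "orphan ends:", orphans)
```

The open and orphan lists are the part a dashboard usually forgets: a job that never emits its end event looks identical to one that is simply slow unless you track it separately.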
 