
Using ELK? Show us yours if you can!

Discussion in 'Linux & Open Source' started by DHR, 2 Apr 2020.

  1. DHR

    Mobster

    Joined: 30 Apr 2003

    Posts: 3,185

    I'm interested in hearing people's experiences of using ELK, particularly for monitoring things for compliance, and whether there are any good pre-formatted "templates" out there for common functions and community databases of them? I've never touched it before!

    I've been dumping things out to Graylog for a year now. It's been solid and search is good, but I put the dashboards in place based off community templates that are just no longer maintained, it feels a little dated now too, plus my head is so far out of that space now that it feels time for something fresh.

    Something that is visually pleasing for management reporting could be a major advantage.

    Predominantly I'm looking at:
    • Cisco FTD/Firepower logs - Common things such as number of severity alerts, volume of traffic from IPs, popular ports etc. I know some of this can be retrieved from Firepower itself but I'm conscious we may be moving away from the platform so am wanting to take that into consideration.

    • Windows Logs - Security logs, locked out accounts, failed login attempts, created accounts, disabled accounts etc. The usual stuff.

    • Custom Logs - Consolidation of logs from various web-based development platforms

    • Anything SIEM, would be a huge bonus!

    Edit - I suspect this may have been better in the enterprise forums now? If it needs moving let me know!
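
The Windows Security items in the list above (failed logons, lockouts, created and disabled accounts) are the kind of thing a SIEM rule or Kibana panel computes from event codes. Below is an added, self-contained Python sketch of that logic, written for this thread; it is not code from the original post, from Elastic or from Wazuh. It assumes events arrive as Winlogbeat/ECS-style JSON lines with event.code, user.name and source.ip (and treats user.name as the affected account, a simplification), the sample log lines are constructed, and the brute-force threshold is made up. The ATT&CK tag T1110 (Brute Force) is the standard technique ID for repeated failed logons.

```python
"""Added example: SIEM-style checks over Windows Security events in ELK.

Not code from the thread, Elastic or Wazuh. Assumes Winlogbeat/ECS-style
JSON lines (event.code, user.name, source.ip); user.name is taken as the
affected account for simplicity. Sample log and threshold are made up.
"""
import json
from collections import Counter, defaultdict

# Standard Windows Security event IDs for the items in the post.
FAILED_LOGON = "4625"
ACCOUNT_LOCKED_OUT = "4740"
ACCOUNT_CREATED = "4720"
ACCOUNT_DISABLED = "4725"

# Assumed rule threshold: failures from one source against one account.
BRUTE_FORCE_THRESHOLD = 5

# Constructed sample log (not real data); last line is deliberately malformed.
SAMPLE_LOG = """\
{"@timestamp":"2020-04-02T09:00:01Z","event":{"code":"4625"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:00:02Z","event":{"code":"4625"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:00:03Z","event":{"code":"4625"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:00:04Z","event":{"code":"4625"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:00:05Z","event":{"code":"4625"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:00:06Z","event":{"code":"4740"},"user":{"name":"jsmith"},"source":{"ip":"10.1.1.20"}}
{"@timestamp":"2020-04-02T09:05:00Z","event":{"code":"4625"},"user":{"name":"bjones"},"source":{"ip":"10.1.1.33"}}
{"@timestamp":"2020-04-02T09:10:00Z","event":{"code":"4720"},"user":{"name":"svc_backup"},"source":{"ip":"10.1.1.5"}}
{"@timestamp":"2020-04-02T09:11:00Z","event":{"code":"4725"},"user":{"name":"oldtemp"},"source":{"ip":"10.1.1.5"}}
this line is not json and must be skipped, not crash the pipeline
"""


def _field(event, path):
    """Walk a dotted ECS path such as 'user.name'; None if any part is absent."""
    cur = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def parse_events(text):
    """Parse JSON lines. Malformed or code-less lines are counted and skipped."""
    events, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except ValueError:
            dropped += 1
            continue
        if _field(obj, "event.code") is None:
            dropped += 1
            continue
        events.append(obj)
    return events, dropped


def summarise(events):
    """Dashboard-style counts for the 'usual stuff' listed in the post."""
    codes = Counter(_field(e, "event.code") for e in events)
    failing_sources = Counter(
        _field(e, "source.ip") for e in events if _field(e, "event.code") == FAILED_LOGON
    )
    return {
        "failed_logons": codes[FAILED_LOGON],
        "lockouts": codes[ACCOUNT_LOCKED_OUT],
        "accounts_created": codes[ACCOUNT_CREATED],
        "accounts_disabled": codes[ACCOUNT_DISABLED],
        "top_failing_sources": failing_sources.most_common(3),
    }


def detect_brute_force(events, threshold=BRUTE_FORCE_THRESHOLD):
    """Flag (source.ip, user.name) pairs with >= threshold failed logons.

    Tagged with ATT&CK T1110 (Brute Force). A 4740 lockout for the same
    account is attached so the analyst sees impact next to the attempts.
    """
    failures = defaultdict(int)
    locked = set()
    for e in events:
        code, user = _field(e, "event.code"), _field(e, "user.name")
        if code == FAILED_LOGON:
            failures[(_field(e, "source.ip"), user)] += 1
        elif code == ACCOUNT_LOCKED_OUT:
            locked.add(user)
    findings = []
    for (src, user), n in sorted(failures.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1]))):
        if n >= threshold:
            findings.append({"source_ip": src, "user": user, "count": n,
                             "locked_out": user in locked, "technique": "T1110"})
    return findings


if __name__ == "__main__":
    evs, bad = parse_events(SAMPLE_LOG)
    print(f"parsed {len(evs)} events, skipped {bad} malformed line(s)")
    print(summarise(evs))
    for finding in detect_brute_force(evs):
        print("ALERT", finding)
```

In a real ELK deployment the same aggregation is a terms aggregation on source.ip and user.name filtered to event.code:4625, and the brute-force rule becomes a threshold alert over that aggregation; the point of doing it in plain Python here is to show exactly what the panel is counting and that a malformed line must be dropped rather than stop ingestion.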
     
  2. img

    Hitman

    Joined: 23 Mar 2005

    Posts: 633

    Had Wazuh running and approved with PCI for a few years. Have made some custom bits with Logstash for other things.
     
  3. DHR

    Mobster

    Joined: 30 Apr 2003

    Posts: 3,185

    Interesting, not heard of that one!
     
  4. DHR

    Mobster

    Joined: 30 Apr 2003

    Posts: 3,185

    @img - Do you use ELK with Wazuh? Heard of people running them together?
     
  5. img

    Hitman

    Joined: 23 Mar 2005

    Posts: 633

    Yes, I have my stack and then it's a server and agents for security logs. They have a dashboard in Kibana. Worked OK for me as I have Windows and Linux logs going there, and then I also send all my logging for ESXi and firewalls etc. direct to Logstash. Running near 90TB a year so not massive.
     
  6. DHR

    Mobster

    Joined: 30 Apr 2003

    Posts: 3,185

    Is that retention :-o

    Are you running it cloud-based or local? Toying with trying the Elastic SaaS offering, really don't want costs running away though.
     
  7. img

    Hitman

    Joined: 23 Mar 2005

    Posts: 633

    That is the yearly total as I only need to keep 1 year. I run it locally across virtual instances between 2 sites. Honestly I would rather have it run by someone else if I had the budget.
     
  8. DHR

    Mobster

    Joined: 30 Apr 2003

    Posts: 3,185

    :D ...and you've pre-empted my next question!

    Have you made your own dashboards or are you using pre-built ones?
     
  9. img

    Hitman

    Joined: 23 Mar 2005

    Posts: 633

    Well, Wazuh has them with it and then I have some built for what was needed. Compared to what I see online they are pretty basic.

    I did loop out the start and end of jobs with Lumberjack, as I have to time them for some apps, so you can expand. I would like the machine learning bit if I paid.
     
  10. Azza

    Caporegime

    Joined: 6 Dec 2005

    Posts: 35,768

    Location: Birmingham

    Is anyone using Heartbeat with Docker autodiscover config?
     
  11. ecksmen

    Wise Guy

    Joined: 25 Jun 2004

    Posts: 1,231

    Location: Cardiff

    Not sure it's exactly what you're asking, but check out https://attack.mitre.org/. This is a solid framework and for each attack vector there are guides for detection; SIEM is part of the answer but you may need additional tooling to perform the detection (i.e. FIM).