elk-siem

ElasticSearch Logstash Kibana Docker Windows

This project is a simple ELK stack-based SIEM (Security Information and Event Management) system for Windows endpoints. It is designed to collect, parse, and visualize Windows endpoint logs in a centralized manner by utilizing Sysmon and Winlogbeat.

Preview

Architecture

The overall architecture is based on the ELK stack, which consists of Elasticsearch, Logstash, and Kibana. It uses Beats as a data shipper to collect logs from several endpoints. In this case, Winlogbeat is used to collect Windows event logs.

On Linux, you can use Filebeat or Metricbeat to collect logs and metrics from the operating system and services. For MacOS, Auditbeat is available to collect audit events.


  • Winlogbeat relays the activity information gathered by Sysmon on the Windows endpoint to Logstash on the ELK server.
  • Logstash reads, parses, transforms, and relays the data to Elasticsearch.
  • Kibana searches and visualizes the information from Elasticsearch.
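The Logstash leg of that pipeline, as an added example rather than the repository's own configuration: it receives events from Winlogbeat, enriches Sysmon process-creation and network-connection events with stable field names, and forwards everything to Elasticsearch. The Docker service name `elasticsearch`, the Beats port 5044 and the Winlogbeat 7.x+ ECS field names (`winlog.channel`, `winlog.event_id` as a string, `winlog.event_data.*`) are assumptions.

```logstash
# Added example pipeline (not the project's own). Assumes Winlogbeat 7.x+ field names
# and Docker service names; adjust hosts/ports to your deployment.

input {
  # Winlogbeat ships here (winlogbeat.yml: output.logstash.hosts: ["elk-server:5044"]).
  beats {
    port => 5044
  }
}

filter {
  # Only Sysmon events are enriched; all other Windows channels pass through untouched.
  if [winlog][channel] == "Microsoft-Windows-Sysmon/Operational" {
    mutate { add_tag => ["sysmon"] }

    # Sysmon Event ID 1 = process creation (event_id assumed to arrive as a string).
    if [winlog][event_id] == "1" {
      mutate {
        add_field => {
          "[sysmon][type]"         => "process_create"
          "[sysmon][image]"        => "%{[winlog][event_data][Image]}"
          "[sysmon][parent_image]" => "%{[winlog][event_data][ParentImage]}"
          "[sysmon][command_line]" => "%{[winlog][event_data][CommandLine]}"
        }
      }
    }

    # Sysmon Event ID 3 = network connection.
    if [winlog][event_id] == "3" {
      mutate {
        add_field => {
          "[sysmon][type]"      => "network_connect"
          "[sysmon][dest_ip]"   => "%{[winlog][event_data][DestinationIp]}"
          "[sysmon][dest_port]" => "%{[winlog][event_data][DestinationPort]}"
        }
      }
    }
  }
}

output {
  # Daily index so Kibana index patterns and retention policies stay simple.
  elasticsearch {
    hosts => ["http://elasticsearch:9200"]
    index => "winlogbeat-%{+YYYY.MM.dd}"
  }
}
```

Verify the resulting documents in Kibana by filtering on `tags:sysmon`; if `sysmon.*` fields are missing, check whether your Winlogbeat version emits `winlog.event_id` as a number rather than a string and adjust the comparisons.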

Getting Started

This project is designed to be used with Docker. To get started, clone this repository and follow the instructions in the installation guide.

License

This project is licensed under the MIT License - see the LICENSE file for details.

Inspired by