This tool automatically deploys and configures the ELK stack (Elasticsearch, Logstash, Kibana) to collect, analyze and visualize Sysmon logs. An Ansible playbook installs Sysmon and Winlogbeat on the Windows hosts listed by the user in windows_hosts.txt; Winlogbeat then forwards the Sysmon event log from each host to the ELK server. This project is based on ossecKibanaElkonWindows-475-2161_bornholm from the ForensicTools GitHub organization.
Requirements:
- A CentOS 7 host (server) with Ansible installed
- At least one Windows 10 host (client)
Server setup (on the CentOS host):
- git clone https://github.com/ForensicTools/Sysmon_w_ELK-CSEC475-2171-Cosmadelis
- cd Sysmon_w_ELK-CSEC475-2171-Cosmadelis
- ./elasticinstall.sh
Client setup (on each Windows host):
- Download the repository to the Windows host
- cd Sysmon_w_ELK-CSEC475-2171-Cosmadelis
- Edit windows_hosts.txt
- Set ansible_user and ansible_password in group_vars/windows. Note that ansible_password is a clear-text credential on disk; protect it with ansible-vault (for example "ansible-vault encrypt_string") and restrict the file's permissions.
- Run .\winrm_init.ps1 from an elevated PowerShell prompt (configuring WinRM requires administrator rights); this is what lets Ansible on the server reach the host
Usage (on the CentOS server):
- In conf/winbeat/winlogbeat.yml, change "localhost" to the IP address of the CentOS server, so that Winlogbeat on each client ships its logs to the server rather than to itself
- Configure windows_hosts.txt with the IP addresses or hostnames of the Windows hosts, one per line
- Run "ansible-playbook -i windows_hosts.txt deploy_agents.yml -u root"
- Go to https://localhost from the CentOS server to access Kibana
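The steps above leave three easy-to-miss configuration mistakes that only show up as a silent deployment with no events in Kibana: a malformed entry in windows_hosts.txt, a winlogbeat.yml still pointing at localhost (so every agent ships to itself), and missing or clear-text WinRM credentials. The pre-flight check below, added here as an example and not part of the repository, catches all three before the playbook runs. It assumes (not stated on the page) that windows_hosts.txt is an Ansible inventory with one host per line, allowing '#' comments and [group] headers, that winlogbeat.yml uses the standard Winlogbeat "hosts:" output line, and that group_vars/windows is YAML with "ansible_user:" and "ansible_password:" keys.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Sysmon_w_ELK deployment. Added example for this page; it is
# not part of the repository. Assumptions not taken from the page: windows_hosts.txt is
# an Ansible inventory with one host per line ('#' comments and [group] headers allowed),
# winlogbeat.yml carries a standard Winlogbeat "hosts:" output line, and
# group_vars/windows is YAML with "ansible_user:" / "ansible_password:" keys.

preflight() {
    local repo="$1"
    local errors=0
    local hosts="$repo/windows_hosts.txt"
    local beat="$repo/conf/winbeat/winlogbeat.yml"
    local vars="$repo/group_vars/windows"
    local line n

    # 1. Inventory: at least one target, each an IPv4 address or a hostname.
    if [ ! -s "$hosts" ]; then
        echo "ERROR: $hosts is missing or empty" >&2
        errors=$((errors + 1))
    else
        n=0
        while IFS= read -r line || [ -n "$line" ]; do
            line="${line%%#*}"                                   # strip trailing comment
            line="$(printf '%s' "$line" | tr -d '[:space:]')"   # strip whitespace
            [ -z "$line" ] && continue
            case "$line" in
                \[*\]) continue ;;                              # [windows] group header
            esac
            if ! printf '%s\n' "$line" | grep -Eq \
                '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?$'; then
                echo "ERROR: '$line' is not an IPv4 address or hostname" >&2
                errors=$((errors + 1))
            fi
            n=$((n + 1))
        done < "$hosts"
        if [ "$n" -eq 0 ]; then
            echo "ERROR: no hosts listed in $hosts" >&2
            errors=$((errors + 1))
        fi
    fi

    # 2. Winlogbeat output: must name the CentOS server, not localhost. Left at the
    #    default, every agent would try to ship Sysmon events to itself.
    if [ ! -f "$beat" ]; then
        echo "ERROR: $beat not found" >&2
        errors=$((errors + 1))
    elif grep -Eq '^[[:space:]]*hosts:.*(localhost|127\.0\.0\.1)' "$beat"; then
        echo "ERROR: $beat still points at localhost; set the server IP" >&2
        errors=$((errors + 1))
    fi

    # 3. WinRM credentials: both keys present; warn if the password is in clear text
    #    rather than an 'ansible-vault encrypt_string' value.
    if ! grep -Eq '^ansible_user:' "$vars" 2>/dev/null; then
        echo "ERROR: ansible_user not set in $vars" >&2
        errors=$((errors + 1))
    fi
    if ! grep -Eq '^ansible_password:' "$vars" 2>/dev/null; then
        echo "ERROR: ansible_password not set in $vars" >&2
        errors=$((errors + 1))
    elif ! grep -Eq '^ansible_password:[[:space:]]*!vault' "$vars"; then
        echo "WARNING: ansible_password is stored in clear text in $vars" >&2
    fi

    # Exit status is the number of blocking errors, so the caller can chain on success.
    return "$errors"
}

# Usage: run from the CentOS server before deploying, e.g.
#   preflight ~/Sysmon_w_ELK-CSEC475-2171-Cosmadelis \
#     && ansible-playbook -i windows_hosts.txt deploy_agents.yml -u root
```

The clear-text password check is a warning rather than an error because the repository as described stores the password directly in group_vars/windows; once the value is replaced with an ansible-vault string the warning goes away.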
For information on configuring visualizations and dashboards, see: https://cyberwardog.blogspot.com/2017/03/building-sysmon-dashboard-with-elk-stack.html