I chose to use an ELK stack for ease of use (lol). In actuality ELK is free and has a lot of configuration options available. I don’t love it and would rather use Splunk or something else – but it is good practice and it works fine. I might build something like Security Onion on top of it in the future – TBD.
First I built an Ubuntu VM on my ESXi stack. Nothing exciting or special in the config there – just a basic VM with basic networking on my lab network.
I followed this build to use the Docker version of ELK. This lets me nuke and pave quickly using docker compose and avoid tinkering with the yml config files: https://github.com/deviantony/docker-elk
Then I installed Winlogbeat and Sysmon using the SwiftOnSecurity config file (https://github.com/SwiftOnSecurity/sysmon-config). Winlogbeat, following the basic instructions from the Elastic site, lets me ship Windows event logs to the ELK stack with ease. As soon as Winlogbeat checks in with the ELK service, it adds the data view to the ‘Discover’ page on the ELK stack.
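As an added example (not a file from the docker-elk or sysmon-config repos), this is the kind of winlogbeat.yml that ships the Sysmon channel plus the core Windows logs to a docker-elk host. The host name, the plain-http port 9200, the elastic/changeme credentials that docker-elk uses by default, and the PowerShell channels are assumptions for this illustration.

```yaml
# winlogbeat.yml - added example for a docker-elk lab (assumed values, not the repo's config)
winlogbeat.event_logs:
  # Core Windows channels; ignore_older keeps the first run from backfilling weeks of logs
  - name: Application
    ignore_older: 72h
  - name: System
    ignore_older: 72h
  - name: Security
    ignore_older: 72h
  # Sysmon writes here once installed with the SwiftOnSecurity config
  - name: Microsoft-Windows-Sysmon/Operational
    ignore_older: 72h
  # Optional: script block / pipeline logging for PowerShell activity (assumed extra channels)
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

# Single-node lab: one shard per index is enough
setup.template.settings:
  index.number_of_shards: 1

# Kibana endpoint so `winlogbeat setup` can load dashboards and the data view
setup.kibana:
  host: "elk-lab.local:5601"        # assumed host name of the Ubuntu VM

# docker-elk exposes Elasticsearch on 9200; elastic/changeme is its default (assumed unchanged)
output.elasticsearch:
  hosts: ["http://elk-lab.local:9200"]
  username: "elastic"
  password: "changeme"

# Attach host metadata so events from several Windows boxes are easy to tell apart
processors:
  - add_host_metadata: ~
```

Validate with `.\winlogbeat.exe test config -c .\winlogbeat.yml -e` and `.\winlogbeat.exe test output`, run `.\winlogbeat.exe setup -e` once, then `Start-Service winlogbeat`.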

And that is it! In the future I’ll be setting up some basic dashboards and setting up Packetbeat to do some packet capture analysis.