Setting Up Log Service to Analyze Windows Event Logs

Solution Design and Implementation

Many enterprises run Windows systems as the majority of their on-premises or cloud infrastructure. However, as the number of hosts and configurations grows, it becomes very difficult for IT administrators to manage assets at such a scale as part of their daily tasks.

Installing the Winlogbeat and Logtail Agent Locally on the AD Server

Download and install Winlogbeat, then check that the service is up and running. The relevant parts of winlogbeat.yml are as follows:

winlogbeat.event_logs:
  - name: Security
    ignore_older: 168h

output.elasticsearch:
  hosts: ["elasticsearch.elastic.local:9200"]
  template.name: "winlogbeat"
  template.path: "winlogbeat.template.json"
  template.overwrite: false

Configuring Logtail and Logstore

Set up a logstore and a Logtail configuration in the Alibaba Cloud console so that Log Service receives the logs from the Logtail agent installed on the AD server. The details of the configuration can be found on the following page:

Log Analysis Cases by Using SQL Scripts

Based on the logs collected from the AD server, you can implement metrics that match your business concerns by using SQL scripts. The following are the examples from the demo.

Logon Failure Statistics

* and event_id: 4625 and event_data.TargetDomainName: LOGSRCHDEMO

Logon Attempt against Disabled Account

* and event_id: 4625 and event_data.TargetDomainName: LOGSRCHDEMO and event_data.SubStatus: 0xc0000072

User Added to Admin Group

* and event_id: 4732 | select date_format(date_trunc('minute', __time__), '%m-%d %H:%i')  as time, count(1) as event_count group by time order by time limit 1000

Consecutive Logon Failures

(event_id: 4625 or event_id: 4624) |
select date_trunc('minute', __time__) as time,
       computer_name to_system,
       "event_data.TargetUserName" failed_user,
       count(*) NoOfFailures
from (
    select __time__, computer_name, "event_data.TargetUserName",
           "event_data.TargetDomainName" TargetDomainName_prev, event_id,
           lag(event_id, 1, '4624') over (partition by computer_name, "event_data.TargetUserName"
                                          order by __time__, record_number) as pre_event_id
    from log
    limit 10000
)
where event_id = '4625' and pre_event_id = '4625'
  and TargetDomainName_prev = 'LOGSRCHDEMO' and computer_name is not null
group by date_trunc('minute', __time__), computer_name, "event_data.TargetUserName"

Create Custom Tables and Use Custom OSS Backed Tables in Dashboards

* | create table spk_demo_assets ( computer_name varchar,severity varchar,  owner varchar) with ( bucket='spk-logsrchdemo',endpoint='',accessid='LTAIH005FxpyZpRg',accesskey ='XL6otNimuROIJKQvcrT5RgLjWDg33R',objects=ARRAY['high_value_assets_unix.csv'],type='oss')

Consecutive Logon Failure against High Value Assets

(event_id: 4625 or event_id: 4624) |
select date_format(date_trunc('minute', __time__), '%m-%d %H:%i') as time,
       computer_name,
       severity AssetValue,
       user,
       count(1) as consecutive_failures
from (
    select l.__time__, l.computer_name, l."event_data.TargetUserName" as user, l.event_id,
           "event_data.TargetDomainName" TargetDomainName,
           lag(l.event_id, 1, '4624') over (partition by l.computer_name, l."event_data.TargetUserName"
                                            order by l.__time__, l.record_number) as pre_event_id,
           r.severity
    from log l
    left join spk_demo_assets r on l.computer_name = r.computer_name
    limit 10000
)
where event_id = '4625' and pre_event_id = '4625'
  and severity = 'high' and TargetDomainName = 'LOGSRCHDEMO'
group by date_format(date_trunc('minute', __time__), '%m-%d %H:%i'), computer_name, severity, user
order by time desc
limit 100
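To show what the lag-based consecutive-failure logic above actually flags, here is an added example (not from the original article) that runs an equivalent query with SQLite's window functions in Python over a constructed set of Security events and a constructed asset table. The table and column names are simplified assumptions, and SQLite's strftime stands in for Log Service's date_format.

```python
import sqlite3

# Constructed sample events (not real log data); columns mirror the fields
# used in the Log Service queries: time, computer, event id, target user,
# target domain, record number.
EVENTS = [
    ("2019-03-01 10:00:05", "AD01", "4625", "alice", "LOGSRCHDEMO", 1),
    ("2019-03-01 10:00:20", "AD01", "4625", "alice", "LOGSRCHDEMO", 2),
    ("2019-03-01 10:00:40", "AD01", "4625", "alice", "LOGSRCHDEMO", 3),
    ("2019-03-01 10:01:10", "AD01", "4624", "alice", "LOGSRCHDEMO", 4),
    ("2019-03-01 10:02:00", "FILE01", "4625", "bob", "LOGSRCHDEMO", 5),
    ("2019-03-01 10:02:30", "FILE01", "4624", "bob", "LOGSRCHDEMO", 6),
    ("2019-03-01 10:03:00", "FILE01", "4625", "bob", "LOGSRCHDEMO", 7),
    ("2019-03-01 10:03:10", "WS07", "4625", "carol", "LOGSRCHDEMO", 8),
    ("2019-03-01 10:03:15", "WS07", "4625", "carol", "LOGSRCHDEMO", 9),
]
# Constructed stand-in for the OSS-backed high-value asset table.
ASSETS = [("AD01", "high", "it-ops"), ("FILE01", "high", "it-ops"), ("WS07", "low", "hr")]

# Same shape as the article's query: lag() looks at the previous event for the
# same (computer, user) pair, defaulting to 4624 so a lone failure is not counted.
QUERY = """
SELECT strftime('%m-%d %H:%M', time) AS minute, computer_name, severity, user,
       COUNT(*) AS consecutive_failures
FROM (
  SELECT l.time, l.computer_name, l.target_user AS user, l.event_id, l.target_domain,
         LAG(l.event_id, 1, '4624') OVER (
           PARTITION BY l.computer_name, l.target_user
           ORDER BY l.time, l.record_number) AS pre_event_id,
         r.severity
  FROM log l LEFT JOIN assets r ON l.computer_name = r.computer_name
)
WHERE event_id = '4625' AND pre_event_id = '4625'
  AND severity = 'high' AND target_domain = 'LOGSRCHDEMO'
GROUP BY minute, computer_name, severity, user
ORDER BY minute DESC
"""

def consecutive_failures_on_high_value_assets(events=EVENTS, assets=ASSETS):
    """Return (minute, computer, severity, user, count) rows for back-to-back 4625s on high-value hosts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE log (time TEXT, computer_name TEXT, event_id TEXT, "
                "target_user TEXT, target_domain TEXT, record_number INTEGER)")
    con.execute("CREATE TABLE assets (computer_name TEXT, severity TEXT, owner TEXT)")
    con.executemany("INSERT INTO log VALUES (?,?,?,?,?,?)", events)
    con.executemany("INSERT INTO assets VALUES (?,?,?)", assets)
    return con.execute(QUERY).fetchall()

if __name__ == "__main__":
    for row in consecutive_failures_on_high_value_assets():
        print(row)
```

Only alice's second and third failures on AD01 are counted: bob's failures on FILE01 are separated by a successful logon, and carol's run on WS07 is on a low-value host.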

Data Presentation on Dashboard

The following are the dashboards defined in the Log Service console for the same SQL analytics cases; they present the statistics in different charts, tables and graphs.



Alibaba Cloud