The essentials of central log collection with WEF and WEC

Last week we covered the essentials of event logging: ensuring that all your systems write logs about the important events and activities occurring on them. This week we cover the essentials of centrally collecting those event logs with Windows Event Forwarding (WEF) on a Windows Event Collector (WEC) server, which then forwards all collected logs to Elastic Security.


The essentials of Windows event logging

One of the most prevalent log sources in many enterprises is Windows Event Logs. Being able to collect and process these logs has a huge impact on the effectiveness of any cybersecurity team. In this multi-part blog series, we will be looking at all things related to Windows Event Logs. We will begin our journey with audit policies and generating event logs, then move through collecting and analysing logs, and finally to building use cases such as detection rules, reports, and more.


We've added first-class Windows support to Grafana Agent

The Grafana Agent team is happy to announce that Grafana Agent 0.14.0-rc2 includes improved Windows support. Until now, running Grafana Agent (our tool for gathering metrics, logs, and traces) on Windows was difficult and did not follow Windows best practices. In short, it was not a good Windows citizen. In the new release candidate, we are making changes to improve the experience, based on feedback from GitHub issues, customer contacts, and our own experience.


Top 10 Windows Time Trackers in 2021

Tracking your work hours has become more essential than ever because of the rise in remote working. Imagine completing a large amount of work efficiently but having no record of the time spent on it. That would be a pain. Time tracking apps solve this by recording your work hours for you. A reliable time tracking application lets you concentrate on your work: you no longer have to rely on memory or interrupt your workflow, because the app does the tracking.


How attackers abuse Access Token Manipulation (ATT&CK T1134)

In our previous blog post on Windows access tokens for security practitioners, we covered: Having covered some of the key concepts in Windows security, we will now build on this knowledge and start to look at how attackers can abuse legitimate Windows functionality to move laterally and compromise Active Directory domains. This blog has deliberately attempted to abstract away the workings of specific Windows network authentication protocols (e.g., NTLM and Kerberos) where possible.

Monitoring critical windows services processes

Along with server performance metrics, such as CPU, disk, and memory usage, it is important to monitor the performance of each service and process running on the server to completely analyze the load on the system resources. This video shows how Site24x7 helps you achieve that. Say you're monitoring a Windows server with Site24x7. Along with tracking the performance metrics of the server, you can also track the performance of critical services like MySQL, Apache, and PostgreSQL, and processes like redis-server.exe.

Enhancing Event Log Analysis with EvtxECmd using KAPE

How much time are you spending manually parsing and sorting event logs? With EvtxECmd, digital forensics professionals can optimize Windows event log analysis through its unique mapping feature. Created by Eric Zimmerman, EvtxECmd can be called via the EZParser module in KAPE (another tool created by Eric Zimmerman) to process thousands of events in seconds and create structured CSV files that are much easier to read and manipulate.

Resource check profile - Monitor Windows event logs and Linux syslogs

Track server resources such as Windows event logs and Linux syslogs to monitor specific events and strengthen your server's security. Internet-facing systems constantly face the risk of compromise and data theft. While you are monitoring the key performance metrics of your servers, keeping an eye out for security incidents is also necessary. This can be achieved through event log monitoring for Windows servers and syslog monitoring for Linux servers.