This project is a simple ELK stack-based SIEM (Security Information and Event Management) system for Windows endpoints. It is designed to collect, parse, and visualize Windows endpoint logs in a centralized manner by utilizing Sysmon and Winlogbeat.
The overall architecture is based on the ELK stack, which consists of Elasticsearch, Logstash, and Kibana. It uses Beats as a data shipper to collect logs from several endpoints. In this case, Winlogbeat is used to collect Windows event logs.
On Linux, you can use Filebeat or Metricbeat to collect logs and metrics from the operating system and services. For macOS, Auditbeat is available to collect audit events.
- Winlogbeat relays the activity information that Sysmon records on the Windows endpoint to Logstash on the ELK server.
- Logstash reads, parses, transforms, and relays the data to Elasticsearch.
- Kibana searches and visualizes the information from Elasticsearch.
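A Logstash pipeline that implements the three steps above, added here as an example rather than the project's own configuration: it accepts Winlogbeat over the Beats protocol, tags Sysmon process-creation events and splits their `Hashes` string into separate fields, then ships everything to Elasticsearch. The port, certificate paths, the `elasticsearch` host name and the `ES_USER`/`ES_PWD` environment variables are assumptions.

```conf
input {
  beats {
    # Assumed port; Winlogbeat's output.logstash.hosts must point here.
    port => 5044
    # Encrypt the endpoint -> Logstash hop (assumed certificate paths).
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Only touch events from the Sysmon channel; other Windows logs pass through unchanged.
  if [winlog][channel] == "Microsoft-Windows-Sysmon/Operational" {
    mutate { add_field => { "[event][module]" => "sysmon" } }

    # Sysmon Event ID 1 is process creation (Winlogbeat ships event_id as a string).
    # Sysmon writes hashes as "SHA256=...,MD5=..."; split that into
    # [process][hash][sha256], [process][hash][md5], ... so Kibana can filter on them.
    if [winlog][event_id] == "1" {
      mutate { add_tag => ["sysmon_process_create"] }
      kv {
        source        => "[winlog][event_data][Hashes]"
        field_split   => ","
        value_split   => "="
        target        => "[process][hash]"
        transform_key => "lowercase"
      }
    }
  }
}

output {
  elasticsearch {
    # Assumed: the Elasticsearch container is reachable by service name in the Docker network.
    hosts    => ["https://elasticsearch:9200"]
    index    => "winlogbeat-%{+YYYY.MM.dd}"
    # Assumed: credentials are injected from the environment, never written into the pipeline.
    user     => "${ES_USER}"
    password => "${ES_PWD}"
  }
}
```

Events that are not Sysmon process creations keep their original shape, so a missing `Hashes` field simply leaves the `kv` filter with nothing to do.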
This project is designed to be used with Docker. To get started, clone this repository and follow the instructions in the installation guide.
This project is licensed under the MIT License - see the LICENSE file for details.