Logging Made Easy v0.3 releases: gain a basic level of centralised security logging for Windows clients
What is Logging Made Easy (LME)?
Logging Made Easy is a self-install tutorial for small organizations to gain a basic level of centralized security logging for Windows clients and the functionality to detect attacks. It brings together several free and open-source software components, and LME guides the reader through integrating them into an end-to-end logging capability. We also provide some pre-made configuration files and scripts, although there is the option to build it on your own.
Logging Made Easy can:
- Tell you about software patch levels on enrolled devices
- Show where administrative commands are being run on enrolled devices
- See who is using which machine
- In conjunction with threat reports, let you query for the presence of an attacker in the form of their Tools, Techniques, and Procedures (TTPs)
Who is Logging Made Easy for?
From one-person organizations with a handful of devices to look after, through to organizations with approximately 250 devices.
LME is for you if:
- You don’t have a SOC, SIEM or any monitoring in place at the moment
- You lack the budget, time or understanding to set up your own logging system
- You recognize the need to begin gathering logs and monitoring your IT.
- You understand that LME has limitations and is better than nothing, but no match for a professional tool.
If any, or all, of these criteria fit, then LME is a step in the right direction for you.
LME could also be useful for:
- Small isolated networks where corporate monitoring doesn’t reach
Changelog v0.3
* Updating Winlogbeat to support the Elastic Common Schema (ECS)
* Updating documentation for the new Winlogbeat files
* Updating to Elasticsearch (ES) 7.8
* Updating deployment questions to make them clearer
* Providing instructions to update Winlogbeat
* Adding syslog support
* Adding a directory creation command
* Removing reporting settings as this is currently broken; fixed in the unreleased 7.8.1 (elastic/kibana#69621)
* The module files are now shipped with ES 7.8.0, so they are no longer included in the git repository; removing the version-named install directory as this would break updates
* Removing module files that are no longer needed
* Changing the install script to reflect that the network and hashing settings in our recommended Sysmon config are now suitable
* Updating Winlogbeat to support ECS with forwarded events; fixes the multi-script issues
* Updating the Logstash config to support syslog via pipelines
* Adding pipeline upgrade paths and updating documentation
* Updating documentation and screenshots for v0.3
* Adding more screenshots of v0.3
* Adding Kibana saved objects encryption key settings
* Correcting a variable name
* Adding screenshots for SIEM activation
* Updating SIEM instructions and adding more screenshots
* Removing the NGINX mention as this was removed in v0.2
Install and Use
Copyright 2018-2019 Crown Copyright