So you want to do some logging. . . (PT. 5 Windows File Share Logs)
Creating a New Index
Before moving forward we will want to create a new index in Graylog. Logs from file servers can be very chatty and you may want to change retention based on storage needs.
To make a new index set, use the top menu and select System > Indices.
Then select Create index set.
We will only need to worry about Title and Index prefix fields along with rotation strategy.
We want to keep our file access logs for 30 days.
To do this, we will use a rotation strategy of Index Time with a duration of P1D. We want to set the retention strategy to Delete Index and set the max number of indices to 30.
These setting will create a new index every day and delete the oldest index when index 31 is created
Enabling File Auditing in the OS
Before adding any auditing rules to our files we will need to enable Audit Object Access. This can be done from Group Policy centrally or Local Security policy locally.
To start we will want to edit the Security Policy. Browse to Security Settings > Local Polices > Audit Policies. From there enable Audit Object Access on both Success and Failure.
Enabling Auditing on our Files
Now we need to enable auditing on files and folders.
To do this, log into any system hosting files whose access you would like to audit. Find the directory you would like to audit, right click and select properties, then browse to the security tab. Select advanced and then view the Auditing tab.
Add a new auditing entry. This entry will have a principle of everyone, audit on all actions, and apply to this folder, subfolders, and files. We will also want to audit all actions so selection Full Control.
If successful the Auditing tab will now appear as with a new entry for everyone.
Validating we have logs
Before we install the Graylog Sidecar lets validate our audit rules work.
If we open Even Viewer > Windows Logs > Security we can now see users accessing various files.
Windows Graylog Sidecar Install
Because we are using Graylog 5.2.2 we can use the Graylog Sidecar 1.5.0 code. It can be downloaded HERE.
Using the API key we generated in part 4, install the Graylog collector and point it at our Graylog instance.
Make sure you point the system at your Graylog instance using a https://FQDN/api.
And let it install and validate it is showing up in Graylog.
Validate your see data being ingested. Save this message ID and the index it is stored in.
With data flowing in, lets create a new data stream to send this new data to the proper index.
Creating a New Data Stream
Start by going to Streams in the top menu
Enter the streams configuration
Create a new stream named File Audit Logs and make sure to route the messages to the File Audit Access index set and remove the messages from the default stream.
Name the stream, set the index set it will send data to, and remove the data from the default stream
The newly created stream needs rules configured to send data to it. To do this select More > Manage Rules.
Taking the Message ID and Index we saved earlier, load a the message to test against. Search for the field winlogbeat_winlog_task and make a rule matching the field name File System.
Test the stream rule against the message we selected and make sure the rule matches.
To prevent copies of messages being made in secondary and tertiary indexes, it is best practice to ensure that we update older rules to remove File Systems Logs from their streams.
During the next part of the series we will be looking into importing IIS logs.