Jump start with Docker - JPCERTCC/SysmonSearch GitHub Wiki

Precondition

The following settings are assumed to build on Linux (Ubuntu).

How to Install

  1. Clone SysmonSearch git repository
$ git clone https://github.com/JPCERTCC/SysmonSearch-Private.git
  1. Move to docker directory
$ cd SysmonSearch/docker/
  1. Specify proxy server, if needed:
$ vi docker-compose.yml

modify the line as follows:

# 26, 38 lines
        args:
          - http_proxy=[proxy_server_URL]
          - https_proxy=[proxy_server_URL]
  1. Set Virtual Memory on host device:
$ sysctl -w vm.max_map_count=262144
  1. Run the setup.sh
$ chmod +x setup.sh
$ ./setup.sh
  1. Build an image
$ docker-compose build

It may take upto 20 minutes to finish.

How to Start Container

$ docker-compose up -d

Kibana plugin is compiled only at the first startup. Therefore, you can not access Kibana until compiletion is finished.

Set scheduled tasks

Add following to your crontab:

0,30 * * * * docker exec -it docker_stixioc-import-server  sh -c "sh /root/script/exec_collection_statistical_data.sh"
0,30 * * * * docker exec -it docker_stixioc-import-server  sh -c "python /root/script/collection_alert_data.py"
0 1 * * * docker exec -it docker_stixioc-import-server  sh -c "DATE=`date -d \"-1 day\" \"+%Y.%m.%d\"`;sh /root/script/exec_collection_statistical_data.sh $DATE"

Loading the index template in Elasticsearch

Execute the following command to load the template

$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template1 -d@kibana/script/template1.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template2 -d@kibana/script/template2.json -H "Content-Type: application/json"
$ curl -XPUT http://[Elasticsearch IP address]:9200/_template/template3 -d@kibana/script/template3.json -H "Content-Type: application/json"

How to Stop Container

$ docker-compose stop

Accessing the Kibana

Access http://[Server IP address]:5601/ SysmonSearch search

Client Setup

Install Sysmon

Download URL (Sysmon)
Please reffer to the instruction on the Sysmon web site, and install it.

Install Winlogbeat

Download URL(Winlogbeat)
Please check the Winlogbeat web site and install Winlogbeat.

Winlogbeat configuration

Specify Elasticsearch IP address:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["Elasticserach IP address:9200"]

Sysmon's event logs to monitor:

winlogbeat.event_logs:
  - name: "Microsoft-Windows-Sysmon/Operational"
    ignore_older: 72h

Disable automatic template loading:

setup.template.enabled: false

Change the index name:

output.elasticsearch.index: "winlogbeat-%{+yyyy.MM.dd}"