normalize winlogbeats with fluent bit winlog/winevtlog

idaholab / Malcolm

Malcolm is a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files), Zeek logs and Suricata alerts.

https://idaholab.github.io/Malcolm/

Other

362 stars 59 forks source link

normalize winlogbeats with fluent bit winlog/winevtlog #604

Closed mmguero closed 2 weeks ago

mmguero commented 2 weeks ago

The documentation describes setting up Beats to forward to Malcolm.

We need to do the following:

verify the documentation that it's (still?) correct and accurate
For winlogbeat specifically, we should look into normalizing its output so that the windows even logs from fluent bit's winlog and winevtlog, the EVTX files uploaded and parsed and what winlogbeats puts out so it's all apples and apples as much as possible (and the dashboards work pretty much the same for all three).

mmguero commented 2 weeks ago

Kamino closed and cloned this issue to cisagov/Malcolm