Tom here from Lawrence Systems, and Graylog is an amazing open source logging tool that I've talked a lot about. I've got a video link down below of how to set up Graylog. I think it's great, but then of course people, well, they use Windows a lot, and they want to know how do I get my Windows logs into Graylog. The Syslog format is good for all the other devices and Graylog supports that, but we're going to be using the GELF format, the Graylog Extended Log Format. Now, this is going to be combined with using Sysmon and sysmon-modular to create enhanced Windows logs, and then using NXLog to actually ship them over to Graylog. All the links and everything are posted down below for all the different tools that I'll be using. It's pretty simple and straightforward to set up. I have predefined configs. The only thing you have to do is put your Graylog IP address in. And as I said, if you haven't set up Graylog, you'll find a whole video on how to get going with Graylog down below. Now, full disclosure up front, this video is not sponsored by Graylog, but in the past as I've done videos, they've sent me shirts. And hey, folks at Graylog, if you like this video, give it a thumbs up and send me another shirt, because you've got my address, or actually really any Graylog swag. I'm a big fan of the product. Now that I've disclosed my business relationship with Graylog, or lack thereof, other than the shirt thing, let's get started.

Are you an individual or forward-thinking company looking for expert assistance with network engineering, storage or virtualization projects? Perhaps you're an internal IT team seeking help to proactively manage, monitor, or secure your systems. We offer comprehensive consulting services tailored to meet your specific project needs. Whether you require fully managed or co-managed IT services, our experienced team is ready to step in and help.
We specialize in supporting businesses that need IT administration or IT teams seeking an extra layer of support to enhance their operations. To learn more about any of our services, head over to our website and fill out the hire us form at lawrencesystems.com. Let us start crafting the perfect IT solution for you. If you want to show some extra love for our channel, check out our swag store and affiliate links down below that will lead you to discounts and deals for products and services we've discussed on this channel. With the ad read out of the way, let's get you back to the content that you really came here for.

Now, the first step in this is going to be downloading Sysmon. This is part of Sysinternals. And Sysmon by itself doesn't completely set this up, because it needs a config file to really take advantage of all the capabilities. And you could write this all yourself, but don't worry, there's plenty of templates out there that'll help you. And the template we're going to be using today is sysmon-modular. This is over on GitHub. And there's a few variations here. You've got the default and the default plus. We're actually going to use the default plus because it has a few extra features in there. But this is a rabbit hole I'll leave you to go down, if you want to go through all the different options in here, including verbose and super verbose. These might be fun learning opportunities if you are deep diving into all the internals of Windows and wanted to know all the logs that get created. But for sanity reasons, we're just going to use the default plus because that's the more common production version of it. I also like this because it will add MITRE ATT&CK techniques as part of the Sysmon rules that run. We'll show that later in the video, and eventually I will have some videos diving deeper into some of the MITRE ATT&CK and how this is used in SIEM tools.
But essentially what you're doing here is aligning when something runs, such as whoami, to different MITRE ATT&CK techniques. And that's in this default plus setup. Now, to get the logs over to Graylog, we need a tool called NXLog, and they have a free Community Edition. And you can just go here to NXLog Community Edition, choose Windows and choose download. That's all we're doing, nothing special we have to do here. I have a config file, so you don't have to mess with the config. We'll show how to apply that config, which I also uploaded to my GitHub, so you'd be able to download this yourself. Now, when you apply this config file, the only thing you're going to have to change is your Graylog server IP address down here at the bottom under Host. So you just put the IP address of your Graylog server. By default, the port is 12201. That is the default when you build Graylog based on the Docker Compose that I have. And if you've changed that or done something different with it, well, then you'll have to match that. But by default, using my Docker config that's also in the same GitHub, this is the same default port that's used and created. And then in Graylog, it's pretty simple to set up. You go into your Graylog Inputs, you want to choose GELF UDP, Launch new input, and it all defaults to the same ports. Give it a title and follow my Graylog video for more details on setting it up yourself. But this part's pretty easy.

Now onto our Windows config. I've already downloaded all these files that I mentioned right in here. And we're going to go ahead and open up the command prompt. Right here, we want to make sure we run this as administrator, so say yes, make sure we have permissions to install these. The first thing we want to do is set up Sysmon. And we've got to go into the Downloads directory, so it's Users, your username, and Downloads. And we're going to run sysmon.exe.
We need to accept the end user license agreement and pass -i sysmonconfig-with-filedelete.xml. This is that enhanced Sysmon config. Starting Sysmon, done. Now from here, we can actually open up Event Viewer. We can open up Applications and Services Logs, Microsoft, Windows, scroll all the way down, click on Sysmon, click on Operational. And this is where the enhanced logs will show up. Now, this does not export them out; that's the next step. But this is where all those extra Sysmon logs with all those details are. Now let's go and set up NXLog to get them shipped over to Graylog, and click Finish. And we'll close that. Now NXLog needs to have the config file. This is where you can use the config file from my GitHub. We're going to run Notepad. We're going to make sure we run it as administrator so it has permission to edit the file. We're going to go File, Open. You can specify the file right here and just hit Open. It'll open the default config that was created for NXLog. Now I'll do a quick select all, delete the config, and paste in my config from my GitHub, noting that you change the Host. I have the IP address changed to 192.168.2.7 because that's my Graylog server. We're going to go ahead and save this and close it. Then we're going to run Services, because we need to restart the NXLog service so it recognizes the new config. There's NXLog, and we're just going to do a restart. All right, now let's see if the logs are showing up in Graylog. We can see that the logs are flowing in here to Graylog. Now, as I mentioned at the beginning, you don't need an extractor for the GELF format. It's already going to put all the data into the structured fields. So that allows us to easily build queries and statistics right off the different event types and all the information that's contained within these events. Now, the next thing I want to talk about is the MITRE ATT&CK techniques. This is actually a really cool feature built into this particular Sysmon config.
And to demonstrate this, we're going to run a command on our Windows system. We're going to run whoami. This is a tool that an attacker might use that is built into Windows, because if they get a shell on the system, they want to know what user they are. So they might use something like whoami, they might use something like net use. And this will now flag the matching MITRE ATT&CK techniques that matched this. And if you're not familiar with MITRE, I'll leave a link to this. This is specifically ID T1033, and this is the System Owner/User Discovery technique. And they have a lot of descriptions in here. This is a way that security researchers use a common language. So we can say, not "did someone run whoami," but "someone tried to do System Owner/User Discovery techniques." And these techniques are all explained here. If you're into security, this is a great read to understand these techniques; it goes beyond the scope of this video. But let me show you how it maps inside of Graylog. So in Graylog, I'm going to put the rule name, technique ID T1033, matching that MITRE technique. We're going to put the full name in here. And then you can see, clicking on this, this is that running of whoami, where they ran it from, the event time recorded, all the other details around it, as well as the rule name right here, technique ID. Something you can do is go here, we're going to copy that, we're going to change it so we're only looking for that technique ID. And you'll see each time the technique ID came in. So if we scroll down to some of the other events, such as running net use, you'll see that is a different technique ID in there. This allows you to actually build queries. And this is running net.exe, and this particular technique ID was T1018. So you can get the idea that you can start querying or build queries and statistics on when these are run, or even build triggers, because these are anomalies you should be looking for on your system.
And by having all of that MITRE data, along with all the other data from Windows, this gives you a really good base if you're trying to understand the security or what's going on, or build those triggers, as I said, for things that are happening in Windows. You can look up the different MITRE techniques and start building this. And this is also really fun if you're diving into a cybersecurity career, just getting your hands really deep into how Windows does things and how you can trigger things in Windows. Matter of fact, this is a fun way to set up simulated attacks against yourself and understand how it maps techniques. Having all that in there is, to me, just a really cool feature. Leave your thoughts and comments down below. Love hearing from all of you. Like and subscribe if you want to see more content from this channel. Sign up for my newsletter if you want to keep up with what's going on with me and some of the videos and other friends' videos that I post in my newsletter. And sign up for our forums, forums.lawrencesystems.com, to have a more engaging discussion on this or other topics you've seen on the channel. And I'll see you around. Thanks.
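As an added example (not code from the video or from Tom's GitHub) of the queries and statistics the structured GELF fields make possible: the script below parses a few constructed GELF 1.1 messages, shaped like NXLog's output for Sysmon process-create events tagged by sysmon-modular, and tallies events per ATT&CK technique ID, keeping untagged events in their own bucket. It assumes sysmon-modular's RuleName layout of technique_id=...,technique_name=...; the sample host, paths and timestamps are made up.

```python
import json
from collections import Counter

# Constructed sample GELF 1.1 messages, shaped like what NXLog emits for Sysmon
# event ID 1 (process create) when the sysmon-modular config tags RuleName.
# Host name, paths and timestamps are made up for this example.
SAMPLE_GELF = [
    '{"version":"1.1","host":"win10-lab","short_message":"Process Create","timestamp":1700000000.1,'
    '"_EventID":1,"_Image":"C:\\\\Windows\\\\System32\\\\whoami.exe","_CommandLine":"whoami",'
    '"_RuleName":"technique_id=T1033,technique_name=System Owner/User Discovery"}',
    '{"version":"1.1","host":"win10-lab","short_message":"Process Create","timestamp":1700000001.2,'
    '"_EventID":1,"_Image":"C:\\\\Windows\\\\System32\\\\net.exe","_CommandLine":"net use",'
    '"_RuleName":"technique_id=T1018,technique_name=Remote System Discovery"}',
    '{"version":"1.1","host":"win10-lab","short_message":"Process Create","timestamp":1700000002.3,'
    '"_EventID":1,"_Image":"C:\\\\Windows\\\\System32\\\\notepad.exe","_CommandLine":"notepad"}',
]

def parse_gelf(line):
    """Decode a GELF 1.1 line and strip the '_' prefix Graylog removes from additional fields."""
    msg = json.loads(line)
    if msg.get("version") != "1.1" or "host" not in msg or "short_message" not in msg:
        raise ValueError("not a GELF 1.1 message")
    return {k.lstrip("_"): v for k, v in msg.items()}

def parse_rule_name(rule_name):
    """Split 'technique_id=T1033,technique_name=...' (sysmon-modular format) into a dict."""
    parts = (p.split("=", 1) for p in rule_name.split(",") if "=" in p)
    return {k.strip(): v.strip() for k, v in parts}

def technique_counts(lines):
    """Count events per ATT&CK technique ID; events with no RuleName are 'untagged'."""
    counts = Counter()
    for line in lines:
        tags = parse_rule_name(parse_gelf(line).get("RuleName", ""))
        counts[tags.get("technique_id", "untagged")] += 1
    return counts

def events_for_technique(lines, technique_id):
    """Process events carrying one technique ID (the narrowed technique_id search in Graylog)."""
    hits = []
    for line in lines:
        event = parse_gelf(line)
        if parse_rule_name(event.get("RuleName", "")).get("technique_id") == technique_id:
            hits.append({"Image": event["Image"], "CommandLine": event["CommandLine"]})
    return hits

if __name__ == "__main__":
    for tid, n in technique_counts(SAMPLE_GELF).most_common():
        print(f"{tid}: {n} event(s)")
```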