Organize your logs with Graylog

Open source

With completely free, community-driven open source software you can collect and organize all your logs in one place.

I can highly recommend Graylog, running as a Docker container on Ubuntu.

Follow this guide by Lawrence Systems and you'll be up and running with syslog in no time.

Logs from Windows

Syslog covers every network device with native syslog support. In Graylog you then organize the data and configure e-mail alerts and the like.

Windows Event Logs can be shipped to Graylog as well. For that we use the free NXLog agent, combined with Sysmon from Sysinternals and a customized, pre-generated Sysmon configuration XML. With those three pieces we get all the logs we need from Windows; note that it is the Sysmon configuration that decides which events get written in the first place, so that XML is where most of the value lies.

Lawrence Systems has been kind enough to make a nice video about this as well, here.

MITRE ATT&CK is a great site with a lot of security information for deep divers. As an example, it explains what a technique ID like T1033 (System Owner/User Discovery) in your log actually means. The IDs only end up in your logs if the Sysmon configuration writes them into the event's RuleName field, which some community configs do; once they are there you can filter on them in Graylog and get notified when a certain command is run on your systems, like a hacker running whoami, net use or similar.
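The detection described above, carried through on sample events, as an added example that is not code from this post, Graylog, NXLog, Sysmon or Lawrence Systems. The events are constructed to mimic what Sysmon writes to Microsoft-Windows-Sysmon/Operational (Event ID 1, process creation) before NXLog forwards it; the "technique_id=...,technique_name=..." RuleName format is the convention used by community Sysmon configs such as sysmon-modular, and all hostnames, users and paths are invented. It goes slightly beyond the text by mapping a few more discovery commands than whoami and net use to their usual ATT&CK IDs, and by matching on Sysmon's OriginalFileName so a renamed whoami.exe is still caught:

```python
"""Flag ATT&CK discovery commands in Sysmon process-creation events.

Added example; not code from Graylog, NXLog, Sysmon or the post's author.
Events below are constructed in the XML layout Sysmon writes to the event log.
"""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Technique tag as written into RuleName by a tagging Sysmon config
# (assumed convention: "technique_id=T1033,technique_name=...").
RULE_TECHNIQUE = re.compile(r"technique_id=(T\d{4}(?:\.\d{3})?)")

# Command lines an intruder runs early to orient themselves, with the ATT&CK
# technique each is usually mapped to. Matched independently of RuleName so a
# config that did not tag the rule still produces an alert.
_CMD = r'(?:^|[\s\\"])'
COMMAND_TECHNIQUES = [
    (re.compile(_CMD + r"whoami(?:\.exe)?\b", re.I), "T1033"),          # System Owner/User Discovery
    (re.compile(_CMD + r'net1?(?:\.exe)?"?\s+use\b', re.I), "T1049"),   # System Network Connections Discovery
    (re.compile(_CMD + r'net1?(?:\.exe)?"?\s+user\b', re.I), "T1087"),  # Account Discovery
    (re.compile(_CMD + r"systeminfo(?:\.exe)?\b", re.I), "T1082"),      # System Information Discovery
    (re.compile(_CMD + r"tasklist(?:\.exe)?\b", re.I), "T1057"),        # Process Discovery
]

# Sysmon records the PE's OriginalFileName, which survives renaming the binary.
# net.exe is left out because its technique depends on the arguments.
ORIGINAL_NAME_TECHNIQUES = {"whoami.exe": "T1033", "systeminfo.exe": "T1082", "tasklist.exe": "T1057"}


def parse_sysmon_event(xml_text):
    """Flatten one Sysmon event into a dict of System and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event = {
        "EventID": int(system.findtext("e:EventID", namespaces=NS)),
        "Computer": system.findtext("e:Computer", namespaces=NS),
    }
    for data in root.find("e:EventData", NS).findall("e:Data", NS):
        event[data.get("Name")] = (data.text or "").strip()
    return event


def detect_techniques(event):
    """Return the sorted ATT&CK technique IDs an Event ID 1 record matches."""
    if event.get("EventID") != 1:  # only process creation is scored here
        return []
    hits = set()
    tagged = RULE_TECHNIQUE.search(event.get("RuleName", ""))
    if tagged:
        hits.add(tagged.group(1))
    cmdline = event.get("CommandLine", "")
    for pattern, technique in COMMAND_TECHNIQUES:
        if pattern.search(cmdline):
            hits.add(technique)
    original = event.get("OriginalFileName", "").lower()
    if original in ORIGINAL_NAME_TECHNIQUES:
        hits.add(ORIGINAL_NAME_TECHNIQUES[original])
    return sorted(hits)


def scan(xml_events):
    """Return one (computer, user, command line, techniques) tuple per matching event."""
    alerts = []
    for xml_text in xml_events:
        event = parse_sysmon_event(xml_text)
        techniques = detect_techniques(event)
        if techniques:
            alerts.append((event["Computer"], event.get("User", ""), event.get("CommandLine", ""), techniques))
    return alerts


def _event(event_id, computer, **data):
    """Constructed Sysmon event XML (invented hosts/users/paths) in the real event layout."""
    fields = "".join(f'<Data Name="{k}">{escape(str(v))}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f'<EventID>{event_id}</EventID><Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


SAMPLE_EVENTS = [
    # Tagged by the Sysmon config and obvious from the command line.
    _event(1, "WS01.corp.local", RuleName="technique_id=T1033,technique_name=System Owner/User Discovery",
           Image=r"C:\Windows\System32\whoami.exe", CommandLine="whoami /all",
           OriginalFileName="whoami.exe", User=r"CORP\jdoe", ParentImage=r"C:\Windows\System32\cmd.exe"),
    # Same binary copied and renamed: RuleName and CommandLine give nothing away.
    _event(1, "WS01.corp.local", RuleName="-", Image=r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
           CommandLine="svc.exe /all", OriginalFileName="whoami.exe", User=r"CORP\jdoe"),
    # Untagged net use, caught by the command-line rule.
    _event(1, "WS02.corp.local", RuleName="-", Image=r"C:\Windows\System32\net.exe",
           CommandLine=r"net use \\fs01\share", OriginalFileName="net.exe", User=r"CORP\svc_backup"),
    # Benign process creation.
    _event(1, "WS02.corp.local", RuleName="-", Image=r"C:\Windows\System32\notepad.exe",
           CommandLine="notepad.exe notes.txt", OriginalFileName="NOTEPAD.EXE", User=r"CORP\jdoe"),
    # Event ID 3 (network connection) is not scored by this rule set.
    _event(3, "WS02.corp.local", RuleName="-", Image=r"C:\Windows\System32\net.exe",
           DestinationIp="10.0.0.5", DestinationPort="445"),
]

if __name__ == "__main__":
    for computer, user, cmdline, techniques in scan(SAMPLE_EVENTS):
        print(f"{computer} {user}: {cmdline!r} -> {', '.join(techniques)}")
```

The same three checks (RuleName tag, command line, OriginalFileName) translate directly into Graylog: a search or alert condition on the field NXLog populates from RuleName catches tagged events, while the command-line and OriginalFileName conditions are the safety net for rules the Sysmon config never tagged.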

Of course there are many alternatives when it comes to logging; I had a look at Splunk in an earlier blog post. However, I find Graylog very neat, relatively simple and useful. It gets the job done for sure.

The biggest challenge in all kinds of logging is the sheer amount of data, so deciding what to gather, which policy to apply, what to audit and how to filter it is the most essential part.
