LME architecture question #17
-
Question that came from the larger community that we are sharing here: We are reviewing the LME solution and I have a follow up question about the architecture. The documentation (figure 1) shows clients shipping Win Events to a WEC via Sysmon, these logs are then shipped to the ELK stack from the WEC via Winlogbeats. This configuration seems more complex than necessary, since the deployment of the ELK stack via Docker allows for the use of Winlogbeats from the WEC, why not remove the Sysmon/WEC from the equation and deploy Winlogbeat to each client and ship directly to ELK? Is the main objective to remove the need to deploy an agent on each system?
Figure 1: (architecture diagram image not included in this extract)
Replies: 2 comments 1 reply
-
Thank you for your question. We investigated using the architecture you suggested. However, deploying Winlogbeat to every client and asking each one to forward the logs directly to the ELK server presents a security vulnerability. Currently (due to backwards compatibility and time constraints) there is only a single certificate generated on LME for the clients. Because of this, the clients all have both the public and private key of the certificate to authenticate. Although this doesn't cause an external vulnerability, an inside threat could inject false logs that could harm the integrity of the logging system. We do plan on researching other ways to simplify the architecture in future releases, while ensuring we are not introducing security issues. If you plan to install and use LME, we would love your feedback. Please keep in touch and let us know of any other thoughts you have on it, especially regarding the overall user experience. Thanks!
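The trust gap described in this reply, as an added example that is not part of the original thread or of LME's own code: a small ingest-side check (Python; the names `ClientCert`, `shared_certificates` and `check_event` and all fleet and event data are constructed for illustration) showing why one certificate per host lets the server bind an event's `host.name` to the sender, while a single certificate shared by every client cannot.

```python
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class ClientCert:
    host: str          # host the certificate is installed on
    common_name: str   # CN presented to the ELK server during mutual TLS
    fingerprint: str   # hash of the cert; equal values mean one shared cert

def shared_certificates(fleet: list[ClientCert]) -> dict[str, list[str]]:
    """Return {fingerprint: [hosts]} for every certificate installed on more
    than one host. An empty dict means each client holds its own key."""
    by_fp: dict[str, list[str]] = defaultdict(list)
    for c in fleet:
        by_fp[c.fingerprint].append(c.host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}

def check_event(event: dict, presenter: ClientCert, shared: set[str]) -> tuple[bool, str]:
    """Ingest-side check: accept an event only if its host.name matches the
    identity of the certificate that delivered it. When that certificate is a
    shared one, the sender cannot be bound to the event content at all."""
    host = event.get("host", {}).get("name")
    if not host:
        return False, "missing host.name"
    if presenter.fingerprint in shared:
        # Any client can present this cert, so host.name is unverifiable.
        return True, "accepted, but sender identity unverifiable (shared cert)"
    if host.lower() != presenter.common_name.lower():
        return False, f"host.name {host!r} does not match client CN {presenter.common_name!r}"
    return True, "accepted, host.name bound to client certificate"

# Constructed sample fleet: one shared client certificate on three hosts.
SHARED_FLEET = [ClientCert(h, "lme-client", "fp-shared-0001") for h in ("ws1", "ws2", "dc1")]
# Constructed alternative: a certificate issued per host.
PER_HOST_FLEET = [ClientCert(h, h, f"fp-{h}") for h in ("ws1", "ws2", "dc1")]

if __name__ == "__main__":
    for fleet in (SHARED_FLEET, PER_HOST_FLEET):
        shared = set(shared_certificates(fleet))
        print("shared certs:", shared or "none")
        # An event claiming to come from dc1 but delivered over ws1's connection.
        suspect = {"host": {"name": "dc1"}, "event": {"code": 4624}}
        print(check_event(suspect, fleet[0], shared))
```

With the per-host fleet the mismatched event is rejected; with the shared fleet it is accepted because the server has no way to tell the clients apart.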
-
I do have a question regarding the ELK server: does this essentially act as a Fleet server as mentioned by Elastic, or is the ELK server not compatible with any Elastic Agent related "addons" that can be found when looking for additional logging/alert measures? I am also wondering how well the LME service interacts with Elastic, because yes, I am obtaining Sysmon logs from the WEC and other clients through the WEC. There are a lot of questions I would like to formally have answered that just aren't explained in much documentation on this LME forum.