Logging Made Easy (LME)
Logging Made Easy (LME) is CISA’s reimagined version of an internationally well-known log management toolset, which offers a reliable, no-cost centralized log management solution.
LME Configuration
Full LME Documentation can be found at CISA LME Documentation
PBR is utilizing LME to centralize the logs from all windows based devices (Servers & Workstations) to a single server where detailed analysis can be undertaken through the use of dashboards and summarized data
-
LME ELK Server - LME-PBR-KL1
- This server is used for storing and analyzing the collected logs
- O/S - Ubuntu
-
LME Event logging Server - PRTG-PBR-KL1
- This server collects and forwards the logs from the client computers to the ELK server
- O/S - Windows 10
-
LME Clients
- All devices that are configured for monitoring
- O/S - Windows devices
There are 2 Group Policy Objects (GPO's)
LME-WEC-Client - This GPO forwards event logs from the client computer to the Event Logging Server
This GPO is linked to the OU Laptops & Desktops. Devices in these OU's will have their events forwarded to the event logging server
LME-WEC-Server - This GPO enables the Windows Remote Management Service (WinRM) to automatically listen on the network for requests on port 5985 from IP address range 192.168.134.1 - 192.168.134.254
This GPO is linked to the OU LME, which is located under PBR\Computers\Servers. The only computer in this OU is the LME Server
On the Event Logging Server (prtg-pbr-kl1) you can view the number of connect devices (computers that are having events forwarded to the Event Logging Server) by going to Event Viewer, and selecting subscriptions
All collected logs from the client computers are located in the Forwarded Events section listed under Windows Logs in the event viewer on prtg-pbr-kl1
Current log size on prtg-pbr-kl1 is 10GB
Full LME Documentation can be found at CISA LME Documentation
Still to be documented
Are we adding the servers? Can we collect ubuntu logs?
Sysmon purpose & config
Dashboards & reporting
Updating ELK Stack for LME
Updating ELK Stack for LME
If you find you need to update the ELK (Elastic, Logstash, Kibana) Stack for LME you have come to the right place.
At time of writing had just update to 8.15.0 due to Critical Vulnerability with Kibana.. Important point to note, for this all to hang together all 3 components of the ELK stack need to be on the same version
Step 1 Identify Current Version You Are Running
sudo docker ps
Step 1A Download the New Docker Images
TBH not sure if this step is required, but this is what I did and it worked, so thought I'd document it
you need to download the 3 images
before you start view the images currently on the system with command
sudo docker image ls
To pull images from the repos, you can run the following commands.
Make sure to update the version you require - check Elastic documentation for possible issues first.
sudo docker pull docker.elastic.co/elasticsearch/elasticsearch:8.15.0 
sudo docker pull docker.elastic.co/kibana/kibana:8.15.0 
sudo docker pull docker.elastic.co/logstash/logstash:8.15.0
Now if you enter the command sudo docker image ls you should see the new images you have acquired listed
Step 2 Edit the Docker Compose file and Pull the Images
Edit the docker compose file, in the case of LME, it can be found at /opt/lme/Chapter 3 Files/docker-compose-stack-live.yml
Copy of this file is attached to this article and can be accessed here docker-compose-stack.yml
You need to edit the 3 lines that specify the new image you want to use (in this example these are the images before I changed them to be 8.15.0)
the image name needs to be the same name as the image you have downloaded in previous step
once updated and saved run the following command
sudo docker compose -f /opt/lme/Chapter\ 3\ Files/docker-compose-stack-live.yml pull
Step 3 Update the Docker Service with the New Images
sudo docker service ls - will display the services and importantly names & versions running in docker
sudo docker service update --image docker.elastic.co/elasticsearch/elasticsearch:8.15.0 lme_elasticsearch
where docker.elastic.co/elasticsearch/elasticsearch:8.15.0 is the new image and lme_elasticsearch is the service name
you need to do this for all 3 services
- lme_elasticsearch
-
sudo docker service update --image docker.elastic.co/elasticsearch/elasticsearch:8.15.0 lme_elasticsearch
-
- lme_kibana
-
sudo docker service update --image docker.elastic.co/kibana/kibana:8.15.0 lme_kibana
-
- lme_logstash
-
sudo docker service update --image docker.elastic.co/logstash/logstash:8.15.0 lme_logstash
-
Now check its all updated and on the correct version with sudo docker ps
