Roberto Rodriguez edited this page May 3, 2018 · 5 revisions

Design

Visualize your logs

Discover

Make sure you have logs being sent to your HELK first (at least Windows Security and Sysmon events). Then go to http://<HELK's IP> in your preferred browser. If you don't have logs being sent to your HELK pipeline (Kafka) yet, or they are only just starting to be processed by Kafka and Logstash, you might get the message "No matching indices found: No indices match pattern "logs-endpoint-winevent-sysmon-*"".

That is normal at the beginning: Kibana shows it because no Elasticsearch index matching that pattern exists yet, and Elasticsearch only creates the index when Logstash writes the first event into it. Refresh your screen a couple of times to start visualizing your logs.

Currently, HELK creates automatically 7 index patterns for you and sets logs-endpoint-winevent-sysmon-* as your default one:

  • "logs-*"
  • "logs-endpoint-winevent-sysmon-*"
  • "logs-endpoint-winevent-security-*"
  • "logs-endpoint-winevent-application-*"
  • "logs-endpoint-winevent-system-*"
  • "logs-endpoint-winevent-powershell-*"
  • "logs-endpoint-winevent-wmiactivity-*"
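The quickest way to tell which of these patterns will show "No matching indices found" is to ask Elasticsearch which `logs-*` indices exist and how many documents each holds, then match the names against the seven patterns. The script below is an added example and is not part of the HELK project; it parses the text returned by the standard `_cat/indices` API. The Elasticsearch port (9200), the exact index names and document counts in the sample are assumptions constructed for the example.

```python
"""Check which HELK Kibana index patterns currently match an Elasticsearch index.

Added example, not HELK project code. Input is the plain-text output of
`GET /_cat/indices/logs-*?h=index,docs.count`, for instance from
`curl -s "http://<HELK's IP>:9200/_cat/indices/logs-*?h=index,docs.count"`
(port 9200 is an assumption about how HELK exposes Elasticsearch).
"""
import fnmatch

# The seven index patterns HELK creates in Kibana (from the wiki page).
HELK_INDEX_PATTERNS = [
    "logs-*",
    "logs-endpoint-winevent-sysmon-*",
    "logs-endpoint-winevent-security-*",
    "logs-endpoint-winevent-application-*",
    "logs-endpoint-winevent-system-*",
    "logs-endpoint-winevent-powershell-*",
    "logs-endpoint-winevent-wmiactivity-*",
]

# Constructed sample of `_cat/indices` output: only three daily indices exist
# so far, and the PowerShell one has not received any documents yet.
SAMPLE_CAT_INDICES = """\
logs-endpoint-winevent-sysmon-2018.05.03    1532
logs-endpoint-winevent-security-2018.05.03  8210
logs-endpoint-winevent-powershell-2018.05.03   0
"""


def parse_cat_indices(text):
    """Parse `_cat/indices` text into {index_name: doc_count}.

    Blank lines are skipped; a missing or non-numeric count is treated as 0
    so a partially written line does not abort the whole check.
    """
    indices = {}
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        name = parts[0]
        try:
            count = int(parts[1])
        except (IndexError, ValueError):
            count = 0
        indices[name] = count
    return indices


def matching_indices(pattern, indices):
    """Index names that match a Kibana-style wildcard pattern (case-sensitive)."""
    return sorted(name for name in indices if fnmatch.fnmatchcase(name, pattern))


def pattern_report(indices, patterns=HELK_INDEX_PATTERNS):
    """Map each pattern to (matching index names, total documents across them)."""
    report = {}
    for pattern in patterns:
        matched = matching_indices(pattern, indices)
        report[pattern] = (matched, sum(indices[n] for n in matched))
    return report


def patterns_without_indices(indices, patterns=HELK_INDEX_PATTERNS):
    """Patterns for which Kibana would show 'No matching indices found'."""
    return [p for p in patterns if not matching_indices(p, indices)]


def patterns_without_documents(indices, patterns=HELK_INDEX_PATTERNS):
    """Patterns whose indices exist but hold zero documents (Discover shows nothing)."""
    return [p for p, (matched, docs) in pattern_report(indices, patterns).items()
            if matched and docs == 0]


if __name__ == "__main__":
    idx = parse_cat_indices(SAMPLE_CAT_INDICES)
    for pattern, (matched, docs) in pattern_report(idx).items():
        status = (f"{len(matched)} index(es), {docs} docs"
                  if matched else "NO MATCHING INDICES")
        print(f"{pattern:40} {status}")
```

Run it against real output by replacing the constructed sample with the `curl` response; a pattern listed by `patterns_without_indices` is one Kibana cannot open yet, while one listed by `patterns_without_documents` means Logstash created the index but has not indexed any events into it.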

Dashboards

Currently, the HELK comes with 3 dashboards:

  • Global_Dashboard
  • Network_Dashboard
  • Sysmon_Dashboard

Monitoring Views (X-Pack Basic free license)

  • Kibana Initial Overview
  • Elasticsearch Overview
  • Logstash Overview
