Skip to content
Switch branches/tags

Latest commit

Update to the latest version of Elastic - 7.13.4 - with the following changes:

* Updated mapping files to the latest ECS version
* Updated the relevant Winlogbeat install instructions to point to 7.13.4
* Update the Docker stack versions to 7.13.4
* Modified xcopy usage in the sysmon update batch script to copy, to resolve an issue with UNC paths in certain xcopy versions
* Updated the Winlogbeat ingest pipeline to enrich logs with the event.ingested timestamp
* Added instructions for modifying string values in IP address fields using the update_by_query method when this is preventing re-indexing from prior versions of LME.
* Updated troubleshooting instructions to include instructions for solving dashboard update failures which may occur if the Elastic version in use is older than the minimum required for the current dashboards
* Removed the automatic dashboard update step as part of the "upgrade" method and split this out into a seperate manual call to the dashboard update script, which can be run after upgrading and updating, and updated the documentation with the corresponding instructions
* Moved the creation of the automatic dashboard update and lme update scripts into the "write config" method, so that even users with automatic updates disabled can make use of these scripts manually
* Modularised the prompt to enable automatic updates in the deploy script for code neatness, and stacked the prompts so you cannot enable automatic dashboard updates without enabling automatic LME updates (to prevent users from being pushed dashboards for newer versions of Elastic than they are currently using)
* Added additional instructions to the Chapter 4 documentation to walk people through adding rule exceptions for the LME sysmon update task

Git stats


Failed to load latest commit information.
Latest commit message
Commit time


Logging Made Easy

Copyright 2018-2021 Crown Copyright

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

What is Logging Made Easy (LME)?

Logging Made Easy is a self-install tutorial for small organisations to gain a basic level of centralised security logging for Windows clients and provide functionality to detect attacks. It's the coming together of multiple free and open-source software (some which is covered under licences other than Apache V2), where LME helps the reader integrate them together to produce an end-to-end logging capability. We also provide some pre-made configuration files and scripts, although there is the option to do it on your own.

Logging Made Easy can:

  • Tell you about software patch levels on enrolled devices
  • Show where administrative commands are being run on enrolled devices
  • See who is using which machine
  • In conjunction with threat reports, it is possible to query for the presence of an attacker in the form of Tools, Techniques and Procedures (TTPs)


LME is currently still early in development, and as such we are marking it as Alpha. The current release is version 0.4.

If you have an existing install of the LME Alpha (v0.3 or older) some manual intervention will be required in order to upgrade to the latest version, please see Upgrading for further information.

This is not a professional tool, and should not be used as a SIEM.

LME is a 'homebrew' way of gathering logs and querying for attacks.

We have done the hard work to make things simple. We will tell you what to download, which configurations to use and have created convenience scripts to auto-configure wherever possible.

The current architecture is based upon Windows Clients, Microsoft Sysmon, Windows Event Forwarding and the ELK stack.

We are not able to comment on or troubleshoot individual installations. If you believe you have have found an issue with the LME code or documentation please submit a GitHub issue.

Who is Logging Made Easy for?

From single IT administrators with a handful devices to look after, through to larger organisations.

LME is for you if:

  • You don’t have a SOC, SIEM or any monitoring in place at the moment.
  • You lack the budget, time or understanding to set up your own logging system.
  • You recognise the need to begin gathering logs and monitoring your IT.
  • You understand that LME has limitations, and is better than nothing - but no match for a professional tool.

If any, or all, of these criteria fit, then LME is a step in the right direction for you.

LME could also be useful for:

  • Small isolated networks where corporate monitoring doesn’t reach.

Who is the NCSC and why did they create LME?

The National Cyber Security Centre (NCSC) is a UK Government department with the mission of:

"Helping to make the UK the safest place to live and work online."

...more can be found on

We recognise the importance of gathering the right logs for security monitoring and post incident purposes, but we also recognise the pressures that face organisations. Budgets, deadlines and expertise. By producing LME we are attempting to reduce the barrier to entry for small organisations who don’t know where to start. LME may not be a fully-featured professional offering, but a step in the right direction that will make a difference in a cyber incident scenario.

Although in it’s infancy, we are hoping that LME will help organisations to make themselves more secure now and encourage better security monitoring in the future.

Table of contents

Prerequisites - Start deployment here

Chapter 1 - Set up Windows Event Forwarding

Chapter 2 – Sysmon Install

Chapter 3 – Database Install

Chapter 4 - Post Install Actions






Core Team

  • Richard W, NCSC Project Lead.
  • Adam B, NCSC Technical Lead.
  • Martin W, NCSC Technical support / Customer Liaison.
  • Jordan C, NCSC Visual Support.
  • Michael H, NCSC Business Analyst.
  • Rob B, NCSC Project Manager.
  • Shane M, Previous NCSC Technical Lead.
  • Lucy A, David L and Oli T, Cabinet Office Government Security Group, funding and project management.
  • Duncan A, NCC Group, Lead Developer.
  • Adam B, NCC Group, Developer.
  • Harry G and Alfie T, NCSC, creating visualisations.

Our development partners

These organisations spent time trialing earlier versions of LME which was critical to development and publication.

The Community

Technology Used