LogonTracer v1.5 Released - JPCERT/CC Eyes | JPCERT Coordination Center official Blog

JPCERT/CC has released LogonTracer v1.5, the latest version of the event log analysis tool. While this tool was initially focused on post-incident investigation, we have received many requests for updates for the purpose of real-time log analysis. This time, we made some updates to enable such functions.
This article will introduce the details of the update. Further information can be found at the following page:

https://github.com/JPCERTCC/LogonTracer/releases/tag/v1.5.0

Support for Elasticsearch

LogonTracer can perform real-time log analysis by linking it with Elasticsearch. Figure 1 describes the image of the system linkage. By default, LogonTracer imports event logs sent to Elasticsearch from Winlogbeat.

Figure 1: Linkage of LogonTracer and Elasticsearch

LogonTracer imports and analyses logs from Elasticsearch and saves the results on Elasticsearch. While the event log visualisation is only available on LogonTracer, the ranking of suspicious accounts and summary of log analysis results are also accessible on Elasticsearch and Kibana. Figure 2 shows the analysis results displayed on Kibana. By using Kibana Watcher to set up alerts for suspicious logs reported from LogonTracer, it supports real-time anomaly detection.

Figure 2: LogonTracer's analysis results displayed on Kibana

Importing logs from Elasticsearch

You can use Web GUI to import logs on LogonTracer from Elasticsearch. If you click “Load from ES” (left in Figure 3), a window for import setting will appear (right).

Figure 3: Setting to import logs from Elasticsearch

Detailed settings (e.g. index name) for importing can be made by command lines. Please see LogonTracer Wiki for details.

https://github.com/JPCERTCC/LogonTracer/wiki

Remarks on log import on LogonTracer

One of the key analysis functions that LogonTracer offers is visualisation, which gives a great assistance in log analysis. However, an extensive volume of logs can cause delays in generating images and also complicate the graphs. This is a common challenge for any other visualisation tools that handle a large amount of information.
Therefore, we do not recommend importing long-term logs (such as a month or a year) in order to maintain the speed of LogonTracer's visualisation function. It is recommended to import logs at intervals of a week or even a day for more effective analysis. (Appropriate log duration varies depending on the number of hosts and users.)
In order to use LogonTracer for AD event log monitoring purposes, import and analyse event logs periodically by using cron etc., and store the results in Elasticsearch. This enables monitoring LogonTracer's analysis results on Kibana. If any suspicious logs are found, you can conduct further investigation efficiently on LogonTracer by importing logs retained during the specific period and perform visualization.

In closing

We have added real-time log analysis function to LogonTracer based on feedback from users. We will continue to update the tool and welcome Pull Requests.

Shusei Tomonaga
(Translated by Yukako Uchida)

朝長秀誠 (Shusei Tomonaga)

Since December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. JSAC organizer.