CISA's Logging Made Easy has a self-install tutorial for organizations to gain a basic level of centralized security logging for Windows clients and provide functionality to detect attacks. LME is the integration of multiple open software platforms which come at no cost to users. LME helps users integrate software platforms together to produce an end-to-end logging capability. LME also provides some pre-made configuration files and scripts, although there is the option to do this on your own.
Logging Made Easy can:
- Show where administrative commands are being run on enrolled devices
- See who is using which machine
- Query, in conjunction with threat reports, for the presence of an attacker in the form of Tactics, Techniques and Procedures (TTPs)
LME is currently still early in development.
If you have an existing install of the LME Alpha (v0.5 or older), some manual intervention will be required in order to upgrade to the latest version; please see Upgrading for further information.
This is not a professional tool, and should not be used as a SIEM.
LME is a 'homebrew' way of gathering logs and querying for attacks.
The LME team simplified the process and created clear instructions on what to download and which configurations to use, and created convenient scripts to auto-configure when possible.
The current architecture is based on Windows Clients, Microsoft Sysmon, Windows Event Forwarding and the ELK stack.
LME is not able to comment on or troubleshoot individual installations. If you believe you have found an issue with the LME code or documentation, please submit a GitHub issue. If you have a question about your installation, please look through all open and closed issues to see if it has been addressed before. If not, then submit a GitHub issue using the Bug Template, ensuring that you provide all the requested information.
For general questions about LME and suggestions, please visit GitHub Discussions to add a discussion post.
LME is intended for users ranging from single IT administrators with a handful of devices in their network to larger organizations.
LME is suited for:
- Organizations without a SOC, SIEM or any monitoring in place at the moment.
- Organizations that lack the budget, time or understanding to set up a logging system.
- Organizations that require gathering logs and monitoring IT.
- Organizations that understand LME's limitations.
LME is most useful for small isolated networks where corporate monitoring doesn’t reach.
The LME architecture consists of 3 groups of computers, as summarized in the following diagram:
Figure 1: The 3 primary groups of computers in the LME architecture, their descriptions and the operating systems / software run by each.