In your instructor led training page, one page dosnt seem to be working??

[iqworks]

I went here https://securityonionsolutions.com/training/#instructor-training. This is where you can select what type of training SO has available. But when I click on “find out how”, I get this page “ https://securityonionsolutions.com/training/#instructor-training , I dont see how to follow through on this page?? it asks you to fill out you name, email, compay etc. But the only link I see is “reporting an issue? Click here.”. But, I don’t see where to go after that?

Now that I have setup SO and my SOC and it is working consistantly, What would it costs to have a one on one with someone who could help me just get Sysmon eventd my SOC's kibana?

I looked at this suggested video (several times):

https://www.youtube.com/watch?v=Xz-7oDrZdQY
Notice, in this video, he installs Sysmon and winlogbeat. He says nothing about installing elasticsearch, however, he go’s into services and starts the elasticsearch service at one point.
0.35 – we can then install an elastic tool called winlogbeat to read these Sysmon logs and sending the to security onion.
1.12 – this is where you can see that the logstash beat is what is related to the winlogbeat (because winlogbeat is another beat, like filebeat). 1.30 – when you add the IP address used to access the SOC (it says nothing about a port here (reff a)).
1.47 – Now our security onion installation is configured to accept beat traffic, (from a beats agent which will be winlogbeat. Beats package incoming data to be sent elsewhere) we need to install Sysmon and winlogbeat, Sysmon to generate the windows 10 event logs and winlogbeat to ship this data to security onion.
2.50 – installing Sysmon. The service will start when you run the install command.
3.20 – now that Sysmon is capturing windows events, file creations, process creations etc. the next step is to forward that Sysmon data to security onion.
3.38 the winlogbeat AGENT is downloadable from the SOC under downloads. Notice it is under the elasticsearch utilities. This is where I first see elasticsearch for the first time.

4.05 – again, winlogbeat will ship the Sysmon to security onion.
5.20 – in the winlogbeat.yml we are using the Logstash output (this is the first time I am hearing about logstash – should I download that also? Or does it appear from somewhere?)
5.27 – here we enter the host (the same IP you added to so-allow). Here he says we enter the same “PORT” we entered in so-allow. We did not enter a port, only an IP address? That’s confusing. Where and why use port 5024 in the first place?
6.11 – once you have winlogbeat.yml configured the way you want it, you can open up your services tool and look for the “elastic winlogbeat service”, this is the first time I heard about elasticsearch in this video.. I did not HAVE an “elastic winlogbeat service”, only a winlogbeat service. At this point I am wondering if I need to download and install elasticsearch, or am I looking to download and install the “elastic winlogbeat service”? Perhaps when I installed winlogbeat, it should of automatically started an “elastic winlogbeat service” ? So, I downloaded and installed elasticsearch and installed it. Was that the right thing to do?.
6.24 – when you start the elastic winlogbeat service, it will read in the winlogbeat.yml we created, and start forwarding those Sysmon logs into security onion.
6.30 – on the windows side he opens launches a mspaint.exe and then closes it.

Sorry for causing all kinds of noise in the discussion forum. Am trying hard to learn.

thanks for any help or suggestions.

[dougburks]

I went here https://securityonionsolutions.com/training/#instructor-training. This is where you can select what type of training SO has available. But when I click on “find out how”, I get this page “ https://securityonionsolutions.com/training/#instructor-training , I dont see how to follow through on this page?? it asks you to fill out you name, email, compay etc. But the only link I see is “reporting an issue? Click here.”. But, I don’t see where to go after that?

When you fill out the form and click I'm not a robot, then you should be able to click the Send Message button at the bottom of the form:

Now that I have setup SO and my SOC and it is working consistantly, What would it costs to have a one on one with someone who could help me just get Sysmon eventd my SOC's kibana?

For more information about paid support, please see:
https://securityonionsolutions.com/support

[iqworks]

thanks Doug, I probably need to maximize the browser holding that page. Will review the links you sent.

[phil1090]

Notice, in this video, he installs Sysmon and winlogbeat. He says nothing about installing elasticsearch, however, he go’s into services and starts the elasticsearch service at one point.

You don't install Elasticsearch separately. It's running on Security Onion standalone and managers (as well as other node types).

1.30 – when you add the IP address used to access the SOC (it says nothing about a port here (reff a)).

You add the IP address of the host sending Windows logs. This allows Winlogbeat on the Windows host to talk to Logstash on Security Onion (another component you don't have to install as it is already running on the nodes mentioned above).

3.38 the winlogbeat AGENT is downloadable from the SOC under downloads. Notice it is under the elasticsearch utilities. This is where I first see elasticsearch for the first time.

Winlogbeat is a tool provided to the community by the company Elastic, which also produces Elasticsearch, Logstash, Kibana, and other tools.

5.20 – in the winlogbeat.yml we are using the Logstash output (this is the first time I am hearing about logstash – should I download that also? Or does it appear from somewhere?)

Logstash is already running on the nodes mentioned above.

5.27 – here we enter the host (the same IP you added to so-allow). Here he says we enter the same “PORT” we entered in so-allow. We did not enter a port, only an IP address? That’s confusing. Where and why use port 5024 in the first place?

The so-allow script knows to open port 5044 when you select the "b" option. That's the port on which Logstash is listening for input from Winlogbeat and other beats. The so-allow command merely allows that traffic through (from your Windows machine in this case). In the yml file, you have to specify the IP address of the Security Onion node AND the port (5044) because that's what that file requires.

6.11 – once you have winlogbeat.yml configured the way you want it, you can open up your services tool and look for the “elastic winlogbeat service”, this is the first time I heard about elasticsearch in this video.. I did not HAVE an “elastic winlogbeat service”, only a winlogbeat service. At this point I am wondering if I need to download and install elasticsearch, or am I looking to download and install the “elastic winlogbeat service”? Perhaps when I installed winlogbeat, it should of automatically started an “elastic winlogbeat service” ? So, I downloaded and installed elasticsearch and installed it. Was that the right thing to do?.

There is no reason to install Elasticsearch again. It's already running on the Security Onion nodes mentioned above. The "winlogbeat service" or similar service name is the right service to start. The exact name of the service may change between versions.

[phil1090]

It looks like your Windows host cannot communicate with the Security Onion host on port 5044.
Confirm your Windows host can ping your Security Onion host. If it can't, that's a VM/networking issue and outside the scope of this group.
If you can ping SO from the Windows host, check your firewall settings on Security Onion with "sudo iptables -nvL | grep 5044". You should see your Windows IP in the output. If it's not in the output, add it with "sudo so-allow", following the instructions in the video.

[iqworks]

Thanks, will do.

[iqworks]

phil1090, i tried this "sudo iptables -nvL | grep 5044", here is what i have (my windows host is 214, my SO SOC is 216)

after looking for the logstash config files, I noticed I could not find it in these places on security onion?

I dont see it here either? /etc/logstash/conf. d
https://groups.google.com/g/security-onion/c/4FwPbMqmuEM

or here?
/opt/so/conf

or here?
https://docs.securityonion.net/en/2.3/logstash.html
/opt/so/saltstack/local/pillar/minions/$MINION_$ROLE.sls

Perhaps this is the problem with my communications? Since I dont need to install logstash on windows, I dont need to look for it there.
I also see that logstash is not a container in my docker so-status. Do I need to install it in my VM?

However I am still looking into whether it is a windows networking issue.

thanks as always

[dougburks]

@iqworks The topic you chose for this discussion is In your instructor led training page, one page doesn't seem to be working?? and this discussion has been marked as answered. So let's stop piling onto this discussion and use a discussion with an appropriate title. I have responded to your separate logstash discussion at #10161.

[iqworks]

Thanks Doug, I did raise this discussion issue 4 days ago.
**"I am thinking I should make a new post about my next question about "any clues about the following errors?":"
"But this new question is different from this discussion?" **

I saw the response you made about where the logstash files are located. Thanks for that also.