Replies: 1 comment
I figured out the issue, through the power of literacy. I just reread the response and saw I was trying to hit https, and was getting an http response, so I changed the output in the Kibana setup section to https, and reran it and it works.
I have a Windows Event Collector configured with two Subscriptions, one for all Security Event logs, and one for all App and System Logs. Both subscriptions are Source Computer Initiated, and the Source Computer Groups are Domain Computers and Domain Controllers. I want to forward the Windows Event logs from my WEC to the SecurityOnion Manager Node (version 2.3.220), which I have successfully configured, but I want to run the winlogbeat setup command to unpack the Winlogbeat Index and Dashboards.
I used the so-allow e option on my SecurityOnion Manager node to allow access to the Elasticsearch REST API port 9200 from my WEC, and tested that it worked by editing my winlogbeat.yml file to change the output from Logstash to Elasticsearch. Both the winlogbeat test config and test output commands worked, indicating my WEC had access to the Elasticsearch API. I also configured my winlogbeat.yml to enable the Kibana Setup section, and set the ssl.verification_mode to none, since I only have self-signed certs in my environment. I then ran the winlogbeat setup command to unpack the Winlogbeat Index, which succeeded, but the Winlogbeat Dashboard setup failed, as my WEC could not communicate with the Kibana API.
Unfortunately, because the so-allow command does not support the Kibana API port 5601, I had to create a custom portgroup. I created a custom portgroup on my SecurityOnion manager named elasticsearch_rest (the same name as the default portgroup for Elasticsearch's REST API port 9200). I added tcp 5601 and tcp 9200 to my new custom portgroup, elasticsearch_rest. I then edited my /opt/so/saltstack/local/pillar/minions/sonion2-mgr_manager.sls and added the following to the bottom:
```yaml
firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
        hostgroups:
          elasticsearch_rest:
            portgroups:
              - portgroups.elasticsearch_rest
```
I then ran the following commands to apply the updated state:
```shell
sudo salt sonion2-mgr_manager state.apply firewall
so-firewall apply
```
Once the commands completed, I checked that the portgroups reflected the correct ports with the following command:
```shell
so-firewall listports elasticsearch_rest tcp
5601
9200
```
I then checked that the elasticsearch_rest hostgroup still contained the IP of my WEC by running the following command:
```shell
so-firewall includedhosts elasticsearch_rest
10.0.11.38
```
I then went back to my WEC and ran the following command:
```shell
winlogbeat.exe setup -c C:\Winlogbeat-App-and-System-SecOnion\winlogbeat-app-and-system-seconion.yml -e
```
The response I get is

I am not using the Winlogbeat.msi that is included in SecurityOnion; I am using Winlogbeat version 7.15.1, which may be the issue, but I do not have control over the environment, as it is a training lab environment. Additionally, I have had wayyy more issues using the MSI version of Winlogbeat (especially in automated deployments, since the MSI supports basically 0 cmd line arguments), so ideally I would like to avoid using the MSI if possible.
I don't understand what I am doing wrong. Is the Docker container for Kibana not exposing the API port?
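As an added illustration (not part of the original post or of the Security Onion project), here are the two winlogbeat.yml sections the post and the reply revolve around: the Kibana setup target with the https scheme the reply settled on, beside the http form that produced the mismatch, and the Elasticsearch output used for the `test output` check. `MANAGER_IP` and the CA file path are placeholders, not values from the post.

```yaml
# Added example, not the poster's own file. MANAGER_IP is a placeholder for
# the Security Onion manager address that the WEC (10.0.11.38 in the post)
# was allowed to reach on tcp 9200 and tcp 5601 via the elasticsearch_rest portgroup.
setup.kibana:
  # The scheme must match what Kibana actually serves. Security Onion fronts
  # Kibana with TLS, so the form below gets an HTTPS response to an HTTP
  # request and "winlogbeat setup" cannot load the dashboards:
  #   host: "http://MANAGER_IP:5601"
  host: "https://MANAGER_IP:5601"
  # What the post used with self-signed certificates. Disabling verification
  # removes the check that the WEC is really talking to the manager; once the
  # manager's CA certificate is exported, pin it instead of turning checks off.
  ssl.verification_mode: none
  # Preferred alternative (path is a placeholder):
  # ssl.certificate_authorities: ["C:\\Winlogbeat\\so-ca.crt"]

# Temporary output target used for "winlogbeat test output" against port 9200,
# as the post describes; the normal Security Onion path is the Logstash output.
output.elasticsearch:
  hosts: ["https://MANAGER_IP:9200"]
  ssl.verification_mode: none

setup.dashboards.enabled: true
```

With this in place, `winlogbeat.exe test output -c <file>` exercises the 9200 path and `winlogbeat.exe setup -c <file> -e` exercises the 5601 path, so a failure in only the second narrows the problem to the Kibana host line or the 5601 firewall rule.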