Winlogbeat being rejected by security onion

[rhyejam]

Wimlogbeat currently being port forwarded over a pfsense firewall (logs coming in from agents beyond the WAN to SO on the LAN) to seconion,

watching with a tcpdump -i int port 5044, it makes it through the firewall okay only to be rejected with a rst/ack by SO (so-status allow set to accept both the host ip and the firewall ip for 5044)

Anyone got any ideas how to fix?

[dougburks]

Is your Security Onion box configured as Eval or Import mode perhaps?

From https://docs.securityonion.net/en/2.3/beats.html:

In order to receive logs from Beats, Security Onion must be running Logstash. Evaluation Mode and Import Mode do not run Logstash, so you’ll need Standalone or a full Distributed Deployment. Please note that, in a Distributed Deployment, forward nodes do not run Logstash, so you’ll need to configure agents to send to your manager or receiver nodes. For more information, please see the Architecture section.

[rhyejam]

So it's in distributed mode, winlogbeats on windows machine on same subnet as the SO manager can establish connection mover 5044 just fine

Anything going over the firewall however can't establish beats connection. Sensors are on a separate network tapping off mirror ports so can't send beats to them

[dougburks]

Sounds like an issue with your firewall, NAT, or routing.