Help with ingesting logs using filebeat.

[ajkelsey]

I'm new to Security Onion and I've setup a small lab for learning. I have an Ubuntu machine that I installed filebeat on using the version downloaded from Security Onion. From the filebeat side, it looks like it's working. I don't see anything in the logs that point to a problem. However, I don't see the name of the host show up in the Security Onion dashboard. I'd appreciate any help getting this sorted.

filebeat.yml

path.home: /usr/share/filebeat
path.config: /etc/filebeat
path.data: /var/lib/filebeat
path.logs: /var/tog/filebeat

filebeat.config.modules :
  enabled: false
  path: ${path.config}/modules.d/*.yml

logging.level: info
logging.to_files: true
logging.files:
  path: ${path.logs)
  name: filebeat
  keepfiles: 5
  permissions: 0640

filebeat. inputs :
- type: filestream
  id: 01
  enabled: true
  paths :
    - /var/tog/*.log
  
output.logstash :
  hosts: ["10.10.14.201:5044"]
  enabled: true

[dougburks]

Did you allow the Ubuntu machine to connect via so-allow?
https://docs.securityonion.net/en/2.3/so-allow.html#so-allow

What kind of Security Onion installation did you perform (import, eval, standalone, etc.)?
https://docs.securityonion.net/en/2.3/architecture.html
https://docs.securityonion.net/en/2.3/beats.html

[ajkelsey]

I allowed the entire network. I do believe I installed standalone. I was able to get winlogbeat working for the windows machines.

[dougburks]

If you run tcpdump on the Security Onion management interface, do you see the filebeat traffic from the Ubuntu host?

On the Security Onion machine, have you checked the logs in /opt/so/log/ for additional clues?

[ajkelsey]

I'm not quite sure what to make of the tcpdump. Security Onion is receiving packets from the Ubuntu machine. They have a length of 0 and it looks like the checksums are bad.

I looked at the logstash and filebeat logs on Security Onion and nothing stands out to me.

[dougburks]

Instead of spending a lot of time troubleshooting Security Onion 2.3 and filebeat, it would be a better use of time to move to Security Onion 2.4 and Elastic Agent:
https://blog.securityonion.net/2023/08/security-onion-24-has-reached-general.html
https://docs.securityonion.net/en/2.4/elastic-agent.html

[ajkelsey]

Well, I gave 2.4 a shot, but I get a kernel panic when trying to install it. I have yet to figure out why. I'm installing in a VM on proxmox.

[TOoSmOotH]

Change the CPU type to host instead of KVM64

[ajkelsey]

That did it. Thank you.

[ajkelsey]

Ok. I have successfully installed Security Onion 2.4 and all of my machines are reporting. Thank you for your help.