External ELK stack logs shipped to Security Onion #12223
Replies: 1 comment
-
One thing I was considering is creating a custom output conf on the SO2 manager, copying it to the /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/ directory and modifying the search section in the SOC GUI to reflect my new conf file. Would something like this work?
-
Hello everyone, hope all is well!
Security Onion 2.4.40
Distributed Setup:
I am currently working on a project where I'm trying to ingest Winlogbeat (17.17.16) logs from an external Elastic stack. I've successfully created the secure SSL connection between the remote Logstash instance and the Security Onion manager over port 5055. The output conf file on the remote ELK stack can be seen in the first picture below.
Once the connection is established with the SO2 manager I can finally see the logs rolling in. However, Elasticsearch on SO2 doesn't properly parse the logs. Please see the second and third pictures below for reference.
Since SO2 Logstash doesn't do any of the parsing and none of the existing parsers seem to be working, do I need to make a custom ingest parser or grok parser? Should I modify the 0012_input_elastic_agent.conf.jinja (third picture) or 9805_output_elastic_agent.conf.jinja (fourth picture) files for pipeline redirection? I tried to modify the 9805_output_elastic_agent.conf.jinja file specifying that anything tagged with beats should be indexed in the logs-winlogbeat index I created but that didn't work. I pulled the mappings and settings for that newly created index from the external ELK stack. I also tried specifying codec => json in the 0012_input_elastic_agent.conf.jinja file but that didn't seem to work either. Perhaps the 9805_output_elastic_agent.conf.jinja file is the answer and my syntax isn't right? I'm kind of lost and would appreciate it if someone could point me in the right direction.
I still would like to use Elastic Agent and maintain the flexibility of ingesting Windows event logs from other external sources with minimal configuration changes.
[image: output conf file on the remote ELK stack]
[image: SO2 doesn't properly parse the logs]
[image: SO2 doesn't properly parse the logs]
[image: 0012_input_elastic_agent.conf.jinja]
[image: 9805_output_elastic_agent.conf.jinja]
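Worked example of the approach raised in the comment above (a separate pipeline file dropped into the custom directory and enabled through the SOC configuration) for the Winlogbeat events the post describes. This is an added illustration, not the poster's configuration and not one of Security Onion's own pipeline files. Everything in it is an assumption unless it appears in the post: the remote sender is assumed to speak the Beats protocol over TLS (the post's actual remote output file is not visible here), the listening port 5056 is an arbitrary choice distinct from the 5055 input already in use, the file name, certificate paths, Elasticsearch endpoint and credentials are placeholders to be replaced with the values the manager's existing 9805 output uses, and the data_stream.* fields are filled in on the assumption that routing by data stream, rather than a fixed index name, is what lets the manager's index template and default ingest pipeline apply. Option names are the ones Logstash 7.x accepts; Logstash 8.x still accepts them but logs deprecation warnings in favour of ssl_enabled and ssl_client_authentication.

```logstash
# custom_winlogbeat_external.conf  (hypothetical file name; placed under
# /opt/so/saltstack/local/salt/logstash/pipelines/config/custom/)
#
# Added example, not Security Onion's own pipeline. Hostnames, ports, paths,
# credentials and data stream names below are placeholders (assumptions).

input {
  beats {
    # Separate port from the existing 5055 elastic_agent input so these
    # events are easy to tell apart. 5056 is an arbitrary choice.
    port => 5056
    ssl => true
    ssl_certificate => "/etc/pki/logstash/manager.crt"          # placeholder
    ssl_key => "/etc/pki/logstash/manager.key"                  # placeholder
    # Require a client certificate issued by the CA we trust for the remote
    # stack, so only that sender can push events into the manager.
    ssl_certificate_authorities => ["/etc/pki/logstash/external-ca.crt"]  # placeholder
    ssl_verify_mode => "force_peer"
    tags => ["external_winlogbeat"]
  }
}

filter {
  if "external_winlogbeat" in [tags] {
    # Events relayed from Winlogbeat through Logstash do not carry the
    # data_stream.* fields that the Elastic Agent path sets. The output
    # below routes on them, so supply them when they are absent; that lands
    # the event in logs-winlogbeat.external-default instead of whatever
    # default index the output would otherwise choose.
    if ![data_stream][type] {
      mutate {
        add_field => {
          "[data_stream][type]"      => "logs"
          "[data_stream][dataset]"   => "winlogbeat.external"   # assumption
          "[data_stream][namespace]" => "default"
        }
      }
    }
    # event.dataset is what dashboards and detection content key on; only
    # set it if the sender did not already.
    if ![event][dataset] {
      mutate { add_field => { "[event][dataset]" => "windows.eventlog" } }  # assumption
    }
  }
}

output {
  if "external_winlogbeat" in [tags] {
    elasticsearch {
      hosts => ["https://manager.example.internal:9200"]   # placeholder
      user => "REPLACE_WITH_SO_LOGSTASH_USER"               # placeholder
      password => "REPLACE_WITH_SO_LOGSTASH_PASSWORD"       # placeholder
      ssl => true
      cacert => "/etc/pki/ca.crt"                           # placeholder
      # Route by data_stream.* rather than a fixed "index =>" so the data
      # stream's index template and its default ingest pipeline apply.
      # "index" must not be set when data_stream is enabled.
      data_stream => "true"
      data_stream_auto_routing => true
    }
  }
}
```

Before relying on it, confirm on the manager that an index template exists for the chosen logs-winlogbeat.external-* data stream and that the template names a default ingest pipeline; if neither does, the events will be stored but still not parsed, which is the symptom the post describes. The conditional on the tag keeps this output from touching events that arrive through the existing 5055 input.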
