Unable to get winlogbeats to write to logstash

[dot-splat]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Standalone

Location

airgap

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

64

Storage for /

250

Storage for /nsm

250

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

First, I know winlogbeats was removed from SO and Elastic Agent should be used instead, but I have some 32 bit Windows hosts that I am unable to upgrade but need the logs from them. I thought maybe I could use winlogbeats to send the data to SO's logstash. If this is not technically possible in 2.4 then I guess we can stop the discussion here, but I have tried to follow the guides found and other individuals configs and have not had success.

Steps taken:

• Added IP's to allow through firewall by adding them to the beats_endpoint firewall hostgroup

• Enabled logstash in grid configuration

• Installed winlogbeat on windows host

• updated config to use output.logstash with my :5044

• Ran .\winlogbeat.exe -c test output -e -d "*"
  This tried to connect but when trying to connect it gets the error: No connection could be made because the target machine actively refused it.

• ran iptables on SO and verified that port 5044 was listening and accepting connections from the sending ip cidr range

• ran tcpdump and saw the packets coming in and actively getting rejected by SO.

• Noticed there was no input configured for beats in logstash, so created the 0009_input_beats.conf file and placed it in the /opt/so/saltstack/local/salt/logstash/pipelines/config/so/ path

• restarted logstash

• same result as before with a reject on the request from winlogbeat.

I did notice in /opt/so/log/logstash/logstash.log that it didn't say it started a listener on port 5044 which might mean my 0009_input_beats.conf file is in the wrong path. But in multiple other discussions it points to the path referenced above.

Is there something I am overlooking to make this work?

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Did you add 0009_input_beats.conf to the manager pipeline? In SOC -> Administration -> Configuration -> logstash -> defined_pipelines -> manager

[dot-splat]

@cm-ops Thank you! Now the test connect works and doesn't throw any errors!

But I don't see any logs in logstash or SO. Do you have any guidance on how to actually view the logs now within Security Onion?

[cm-ops]

You can check the input with sudo so-logstash-pipeline-stats manager that should let you know if the events are making it to the input.

The elastic agent input tags the events with elastic-agent then in the search pipeline that tag is used to send the event to the correct pipeline in 9805_output_elastic_agent.conf.jinja. The logs are probably coming in and when they go through the Logstash pipeline to Elasticsearch there is not dataset or pipeline defined to send the logs through.