Security Onion – Elastic Agent not sending Windows/Sysmon logs to Discover

[owenp120804]

I’m currently testing Security Onion with Elastic Agent for host-based detection (Sysmon + Windows Event Logs) but I’m running into an issue where no logs appear in Discover, even though the agent is healthy.
Environment
• Security Onion 2.4.141 (Evaluation install)
• Elasticsearch containers running and healthy
• Elastic Agent version: 8.17.3
• Windows endpoint: Windows Server / Windows client with Sysmon installed
• Agent status: Healthy in Fleet
Setup
• Installed Sysmon on the Windows machine
• Enabled the following channels in the Windows integration:
o Security
o Powershell Operational
o Sysmon Operational
• Fleet server configured at https://:8220
• Output set to so-manager_elasticsearch
What works
• Fleet server is running
• Elastic Agent enrolls successfully
• Agent appears healthy in Fleet
• Sysmon service is running on the Windows machine
Problem
In Discover (logs-*), queries such as:
agent.name: "WS1"
or
event.provider: "Microsoft-Windows-Sysmon"
return no results.
However:
• Security Onion containers are all running (so-status)
• Elasticsearch responds correctly to API requests (401 when unauthenticated)
• Sysmon logs exist locally on the Windows host.
Policy configuration
Initially the agent policy had multiple Windows integrations:
windows-1
windows-detection-policy
windows-integration
I removed them and created one clean Windows integration with Sysmon enabled, but logs still do not appear in Discover.
Questions

1. Is there an additional step required for Windows event log ingestion in Security Onion when using Elastic Agent?
2. Should Sysmon data appear automatically in logs-windows.* data streams?
3. Are there known issues with multiple Windows integrations in the same policy affecting ingestion?
   Any guidance would be appreciated. I'm trying to use this setup to test host-based detections alongside Zeek/Suricata network telemetry.
   Thanks!

[reyesj2]

You need to install as a Standalone deployment (or a full distributed) to deploy Elastic Agents

It is not designed for production usage at all and it does not support adding Elastic agents or additional Security Onion nodes.
https://docs.securityonion.net/en/2.4/architecture.html#evaluation

[owenp120804]

Thank you for your reply, i have installed the standalone version and i can in fact see some logs from the devices ! its much better improvement than I was experiencing before. Also i don't know if you can assist but is it normal that I had to arrange the kql query for the detection rules (SIEM) in kibana ? as some dataviews and index patterns i dont have.

[reyesj2]

Not sure I am following what you mean. Can you possibly post screenshots / further explain what you're trying to do?

I would also encourage you to look at the Detections interface within SOC

https://www.youtube.com/watch?v=GhQIO-_ZK6A
https://docs.securityonion.net/en/2.4/detections.html

[owenp120804]

Thanks for getting back to me. After installing the standalone version, logs started appearing under the data stream logs-windows.powershell_operational-*. The original detection rule referenced index patterns like winlogbeat-* and logs-windows.powershell*, but since my setup is using Elastic Agent with the Windows integration, the events are stored under the windows.powershell_operational dataset instead. Because of that, the rule initially didn’t match any events. I adjusted the index pattern to include logs-windows.powershell_operational-* and simplified the KQL query to detect event.action:"Execute a Remote Command", after which the rule started generating alerts correctly for PowerShell remote execution (Event ID 4104). I just wanted to confirm whether this adjustment is expected when using Elastic Agent instead of Winlogbeat, or if I may have missed something in the setup.