TCP reset using winlogbeat #1628
-
Hi, I configured Sysmon and Winlogbeat on an endpoint, and configured SO to allow port 5044. Winlogbeat connects to Security Onion, but after the 3-way handshake and one GET request I always get an RST of the connection.
Replies: 2 comments 3 replies
-
I've tested sysmon+winlogbeat and it works fine for me. Is it possible that Wazuh is generating an Active Response against your endpoint and blocking it in the firewall? Have you checked your Wazuh logs for any clues?
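One way to triage the symptom in the question (handshake, one GET, then RST on 5044) alongside the firewall hypothesis in this reply, as an added example that is not part of the thread and not Security Onion, Winlogbeat or Wazuh code: the script below classifies a constructed tcpdump-style summary of the endpoint-to-manager connection and attaches a defender-side hint to each outcome. The summary line format, the hint text, and in particular the reading that an HTTP GET arriving on the Beats port points at Winlogbeat being configured with an Elasticsearch output instead of the Logstash output that the beats input expects, are this example's assumptions rather than statements from the thread.

```python
"""Triage a Winlogbeat -> Security Onion (TCP/5044) connection from a packet summary.

Added example for this thread; not Security Onion, Winlogbeat or Wazuh code.
The input is a constructed, simplified tcpdump-style summary whose layout
("<src>:<sport> > <dst>:<dport> Flags [<flags>] <payload>") is an assumption
of this script, as is the interpretation attached to each label.
"""
from dataclasses import dataclass
from typing import List, Optional

BEATS_PORT = 5044  # Logstash beats input on the SO manager (port from the thread)
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS"}

# Defender-side reading of each outcome (this example's interpretation, not the thread's).
HINTS = {
    "no-syn": "No SYN from the endpoint to 5044: Winlogbeat is not trying this host/port.",
    "no-synack": ("Server never answered the SYN: 5044 is closed or filtered. Check the SO "
                  "host firewall and whether a Wazuh Active Response drop rule targets the endpoint."),
    "reset-before-data": "Handshake completed but the server reset before any data: the listener closed at once.",
    "idle": "Handshake completed and no data was exchanged yet.",
    "http-on-beats-port": ("Handshake completed, the client sent an HTTP request and was reset. The beats "
                           "input speaks the Lumberjack protocol, not HTTP, so check the Winlogbeat output "
                           "section: 5044 should be configured under output.logstash, not output.elasticsearch."),
    "reset-after-data": "Handshake and first payload went through, then a reset: check Logstash logs on the manager.",
    "ok": "Connection established and carrying data without a reset.",
}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: str    # tcpdump-style letters: S, SA, A, PA, RA
    payload: str  # first bytes of application data, if any


def parse_summary(lines: List[str]) -> List[Packet]:
    """Parse the constructed one-packet-per-line summary; blank and '#' lines are skipped."""
    pkts: List[Packet] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        left, _, rest = line.partition(" > ")
        src = left.rsplit(":", 1)[0]
        dst_part, _, rest = rest.partition(" Flags [")
        dst, dport = dst_part.rsplit(":", 1)
        flags, _, payload = rest.partition("]")
        pkts.append(Packet(src, dst, int(dport), flags, payload.strip()))
    return pkts


def classify(pkts: List[Packet], client: str, server: str) -> str:
    """Return a label describing where the Beats connection failed (keys of HINTS)."""
    c2s = [p for p in pkts if p.src == client and p.dst == server and p.dport == BEATS_PORT]
    s2c = [p for p in pkts if p.src == server and p.dst == client]
    if not any(p.flags == "S" for p in c2s):
        return "no-syn"
    if not any(p.flags == "SA" for p in s2c):
        return "no-synack"
    server_reset = any("R" in p.flags for p in s2c)
    first_data: Optional[Packet] = next((p for p in c2s if p.payload), None)
    if first_data is None:
        return "reset-before-data" if server_reset else "idle"
    if first_data.payload.split(" ", 1)[0] in HTTP_METHODS and server_reset:
        return "http-on-beats-port"
    return "reset-after-data" if server_reset else "ok"


# Constructed traces. The first reproduces the symptom reported in the thread.
TRACE_HTTP_RESET = """
10.0.0.5:49321 > 10.0.0.10:5044 Flags [S]
10.0.0.10:5044 > 10.0.0.5:49321 Flags [SA]
10.0.0.5:49321 > 10.0.0.10:5044 Flags [A]
10.0.0.5:49321 > 10.0.0.10:5044 Flags [PA] GET / HTTP/1.1
10.0.0.10:5044 > 10.0.0.5:49321 Flags [RA]
""".splitlines()

# SYN retransmitted with no answer: what a host-firewall drop looks like on the wire.
TRACE_FILTERED = """
10.0.0.5:49322 > 10.0.0.10:5044 Flags [S]
10.0.0.5:49322 > 10.0.0.10:5044 Flags [S]
10.0.0.5:49322 > 10.0.0.10:5044 Flags [S]
""".splitlines()

# Healthy Beats session: first payload is a Lumberjack v2 window frame ("2W"), no reset.
TRACE_OK = """
10.0.0.5:49323 > 10.0.0.10:5044 Flags [S]
10.0.0.10:5044 > 10.0.0.5:49323 Flags [SA]
10.0.0.5:49323 > 10.0.0.10:5044 Flags [A]
10.0.0.5:49323 > 10.0.0.10:5044 Flags [PA] 2W
10.0.0.10:5044 > 10.0.0.5:49323 Flags [A]
""".splitlines()

if __name__ == "__main__":
    for name, trace in [("http-then-reset", TRACE_HTTP_RESET),
                        ("filtered", TRACE_FILTERED), ("healthy", TRACE_OK)]:
        label = classify(parse_summary(trace), "10.0.0.5", "10.0.0.10")
        print(f"{name:16} -> {label}: {HINTS[label]}")
```

Run it as-is to see the three outcomes; to use it on a real capture, feed it lines converted to the constructed format from `tcpdump -nn port 5044` on the manager, and compare the label with what the Wazuh logs say about the endpoint.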
-
Awesome! I'll try it out this evening. I resorted to a CentOS ELK ground-floor build up. But I really like the SO-SOC feature so I'll give it another go. Thanks for helping clear it up.
On Fri, Nov 6, 2020 at 2:33 AM Doug Burks wrote:
I've updated https://docs.securityonion.net/en/2.3/beats.html to try to make this more clear.