Sysmon Host Data (Where to send it)

[ColeVan]

I have a new deployment request from a client and would only like to gather host logs from windows machines, specifically sysmon logs. I have winlogbeats, sysmon, and deployment methods ready to go. Where is the best location to send host data via port 5044? Master, search nodes, or fwd nodes? Any guidance would be must appreciated. Thanks in advance.

[cm-ops]

You would send it to your Manager. Also see https://docs.securityonion.net/en/2.3/beats.html?highlight=winlogbeat#winlogbeat.