winlogbeat connection attempts fail

[j8ter]

Hi all,

I am trying to set up winlogbeat on two Windows 10 VM's to a central Security Onion standalone-machine. I followed the instructions in the YouTube-tutorial: https://www.youtube.com/watch?v=Xz-7oDrZdQY. So the steps I took were:

• allow incoming logbeat-traffic on my Security Onion-machine (sudo allow -b, 192.168.1.0/24)
• Install Sysmon locally (its function verified by launching an application, Paint, which shows up in the local logs
• Install Winlogbeat downloaded from the Security Onion-machine on the Downloads-page to one of the Windows 10 VM's
• Configured the winlogbeat.yml-file where I edited the following lines:
  • winlogbeat.event_logs:
  • name: Microsoft-windows-sysmon/operational
  • #output.logstash:
  • hosts: ["192.168.1.8:5044"]

Now I am not seeing the Beats-data under Hunt or in Kibana, following these instructions: https://docs.securityonion.net/en/2.3/beats.html#data. On the Windows 10 VM I am seeing the following error:

• ERROR [esclientleg] transport/logging.go:37 Error dialing dial tcp 192.168.1.8:5044: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. EDIT: I forgot to mention before, there is another thread discussing the same issue: Problem connecting winlogbeat #6016.

Other traffic is received by the Security Onion-machine (Zeek, Ossec, Suricata), so it might not be a firewall issue. The network is managed by a pfSense-firewall/router, should that provide more detail.

UPDATE: followed the same steps on another Windows 10 VM with the same conditions (both on the same Proxmox-server with the same firewall rules, meaning no Proxmox-firewall) and got the same results. So I think it is either an issue with my Security Onion-configuration or some network issue.

UPDATE 2: You know, maybe Winlogbeat cannot send the data to Logstash because Logstash apparently is not even there! Got some errors when trying to restart it (sudo so-logstash-restart or -stop/-start) and then could not find a folder for the logs. And sudo so-status also does not show logstash. So whatever the reason, I will try to reinstall and see if I can get it working then. Will update here when done.

[j8ter]

Well, never mind: I was simply unaware of the differences between the eval and standalone types of deployment and was expecting the eval-version to work with logstash (surprise, it does not feature it). So! I will remove this discussion entirely as I answered my own question. Which is always the most educational way, so that's good :)

[dougburks]

Yes, the difference between eval and standalone is mentioned on the Beats page:
https://docs.securityonion.net/en/2.3/beats.html

[j8ter]

Yes, apparently I managed to read that page several times and completely overlook that very clear note. I guess from now on I won't forget :)

[netmanzim]

was doing the same error :( i´m new at this..sorry