Winlogbeat to logstash, followed the VID tried a number of things, signpost please.

[acHQue]

Hello,

I still cannot get Winlogbeat to logstash send logs over to SO. Where am i going wrong? Sorry for re-thread i am sure. Confused, i can see similar thread, but none which i understand.

Things attempted.

• After realizing from the docs the standalone was the version needed for logstash and reinstalling as standalone, doh.
• and following the video https://www.youtube.com/watch?v=Xz-7oDrZdQY great but is it up to date?
• Copying 0009_inputs_beats.conf file from default to local and trying an edit to the output plugin pipeline. so-logstash-restart.
• Experimenting with manage.sls and adding 0009 again in the .sls https://docs.securityonion.net/_/downloads/en/2.3/pdf/
• so-allow -b -i ip/cidr, of course.
• Stopping the Windows host firewall. Getting desperate.
• Downloading the msi from SOC finding that is don't start, i think its because the path of the service doesn't point to the correct place. Useless.

The only progress i have made is with the zipped PowerShell install service and actually started, which should be unencrypted, Wireshark sees no plain text on tcp.port == 5044.

The winlogbeat.yml config bellow.

A hopeful reach out here thank you in advance, i am defeated. Moving back from to ELK, SO is a different beast. :S

Kind regards,

[dougburks]

Have you tried following the steps at https://docs.securityonion.net/en/2.3/beats.html#winlogbeat?

[acHQue]

Thank you for taking the time to reply.

I wasn't able to find a solution to fix the problem. I reinstalled the whole SO OS. SO.2.3.1. Besides having a much older version working on a separate testing lab, i did notice the 0009_input_beat.conf was absent, this conf filter compared to the newer OS 2.3.1. I was about to make the change to the newer 0009*.conf and remove the filter. but, finally, decided to rebuild. Again.

This change wasn't necessary since i completely faltend and rebuilt. The image is the latest SO 0009*.conf, whereas the older working version i have didn't have this same filter in the 0009*.conf. which i found interesting but in the end irrelevant.

Overall, I noticed the Windows client's packets firstly showed Administratively Prohibited and every hop saw packets heading to 5044. With tcpdump -i ens33 port 5004. SO was't SYN/ACK and not Push. That was the Evaluation problem, not having Logstash found and solved. Which lead to a complete rebuild. Then after installing Standalone, i couldn't understand why packets still wouldn't show in kibana even in standalone. Thinking it was a pipeline problem and ELK experience, i looked at pipeline, noticing differences in older working versions i had. Hence, my final and successful rebuild. Now work straight of the bat like the videos described. Lets see how it goes.

I didnt use the Winlogbeat from SOC, i got it from Elastic site. Since the MSI always gave me problems in the past so i avoid it.

I am looking to send log to a 3 third party in my "project", it is out of scope from the documentation. Nevertheless, have any advice there?

hq