You followed this https://docs.securityonion.net/en/latest/beats.html#winlogbeat, right?
Sorry, I am on another project for the next two weeks. Thanks for your time and suggestions.
Hi,
I am using Elasticsearch 8.6.2, Winlogbeat 8.6.2 and Sysmon 74.
I am trying the ELK system. The data gets into Sysmon OK. There are probably many reasons. I was pointing to output.logstash because, as I understand it, it gets data from more places than Elasticsearch. I saw in a couple of places that Logstash data will also wind up in Elasticsearch for the pipeline to SO?
I saw that you cannot have two YAML outputs at the same time. I assume that, as long as the Elasticsearch service is running, using output.logstash works.
I have the Sysmon, Winlogbeat and Elasticsearch services running.
I tried both the Logstash and Elasticsearch outputs, and I have the same problems:
Connection issues:
```
{"file.name":"beater/winlogbeat.go","file.line":149},"message":"Winlogbeat is unable to load the ingest pipelines because the Elasticsearch output is not configured/enabled. If you have already loaded the ingest pipelines, you can ignore this warning.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"file.name":"transport/logging.go","file.line":38},"message":"Error dialing dial tcp [::1]:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","network":"tcp","address":"localhost:9200","ecs.version":"1.6.0"}
{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": dial tcp [::1]:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": dial tcp [::1]:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}
```
It was suggested that I try to use telnet to check the connection. I am thinking I should use the host IPs for ports 5044 and 9200.
```yaml
#---------------------------- Elasticsearch Output ----------------------------
#output.elasticsearch:
  # Boolean flag to enable or disable the output module.
  #enabled: true
  # Array of hosts to connect to.
  # Scheme and port can be left out and will be set to the default (http and 9200).
  # In case you specify an additional path, the scheme is required: http://localhost:9200/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200
  #hosts: ["localhost:9200"]

#------------------------------ Logstash Output -------------------------------
output.logstash:
  # Boolean flag to enable or disable the output module.
  enabled: true
  # The Logstash hosts
  hosts: ["192.168.0.0/16:5044"]
```
Thanks for any help and advice.
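The telnet check suggested in the post above, as an added example that is not part of the original post or of Winlogbeat: a small Python script that validates each `hosts` entry of the enabled output the way Beats parses them (default port, optional scheme and path, bracketed IPv6) and then opens a plain TCP connection to it, which is all `telnet host port` does. Two things it surfaces from the page: the posted `hosts: ["192.168.0.0/16:5044"]` is a CIDR range, not a host, so it is flagged before any probe, and a "connection refused" result is the same condition the log lines report for `[::1]:9200`, i.e. the machine answered but nothing is listening on that port. The config dict is a constructed stand-in for the `output.*` keys of winlogbeat.yml, and `open_listener` exists only so the probe can be self-tested offline.

```python
"""Validate Winlogbeat output hosts and probe them over TCP (added example,
not Winlogbeat's own code). The sample config below is constructed."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Default ports Beats assume when an entry omits one.
DEFAULT_PORTS = {"output.elasticsearch": 9200, "output.logstash": 5044}

# "[scheme://]address/prefixlen[:port]" -- a network, not a host.
_CIDR = re.compile(r"(?:\w+://)?([^/:\[\]]+)/(\d{1,3})(?::\d+)?")


def parse_host(entry: str, default_port: int) -> tuple[str, int]:
    """Turn one Beats ``hosts`` entry into (hostname, port).

    Accepts the forms the reference config documents: "host", "host:port",
    "http://host:port/path" and "https://[2001:db8::1]:9200". Rejects a CIDR
    range such as "192.168.0.0/16:5044": Beats would try to resolve it as a
    DNS name and never reach a collector.
    """
    entry = entry.strip()
    m = _CIDR.fullmatch(entry)
    if m:
        try:
            ipaddress.ip_address(m.group(1))
        except ValueError:
            pass  # not an IP in front of the slash, so not a CIDR
        else:
            raise ValueError(f"{entry!r} is a CIDR range, not a host; "
                             "list each collector as host:port")
    # Prepend "//" so urlsplit reads "host:port" as an authority rather
    # than as scheme "host".
    url = urlsplit(entry if "://" in entry else "//" + entry)
    if url.scheme not in ("", "http", "https") or not url.hostname:
        raise ValueError(f"cannot parse host from {entry!r}")
    return url.hostname, url.port or default_port


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> tuple[bool, str]:
    """Open and immediately close a TCP connection, like `telnet host port`.

    Returns (reachable, detail). A refused connection means the host is up
    but nothing listens on that port.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except OSError as exc:
        return False, str(exc)


def check_config(config: dict, probe: bool = True) -> list[dict]:
    """Validate every enabled output and, optionally, probe its hosts.

    ``config`` mirrors the output.* keys of winlogbeat.yml. Beats accept
    exactly one enabled output, so any other count is reported as an error.
    """
    report = []
    enabled = [name for name, block in config.items()
               if block.get("enabled", True)]
    if len(enabled) != 1:
        report.append({"output": "config", "entry": ", ".join(enabled) or "(none)",
                       "ok": False, "detail": "exactly one output must be enabled"})
    for name in enabled:
        default_port = DEFAULT_PORTS.get(name, 0)
        for entry in config[name].get("hosts", []):
            try:
                host, port = parse_host(entry, default_port)
            except ValueError as exc:
                report.append({"output": name, "entry": entry,
                               "ok": False, "detail": str(exc)})
                continue
            ok, detail = tcp_probe(host, port) if probe else (True, "not probed")
            report.append({"output": name, "entry": entry, "ok": ok,
                           "detail": f"{host}:{port} {detail}"})
    return report


def open_listener() -> tuple[socket.socket, int]:
    """Bind a throwaway listener on 127.0.0.1 so tcp_probe can be self-tested."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Constructed sample mirroring the posted config; replace with real hosts.
    sample = {
        "output.elasticsearch": {"enabled": False, "hosts": ["localhost:9200"]},
        "output.logstash": {"enabled": True, "hosts": ["192.168.0.0/16:5044"]},
    }
    for row in check_config(sample):
        print("OK " if row["ok"] else "BAD", row["output"], row["entry"], "-", row["detail"])
```

Run it on the Winlogbeat host, since that is where the connection is made from; on Windows, `Test-NetConnection -ComputerName <host> -Port 5044` performs the same TCP check when telnet is not installed. With the Logstash output enabled, the ingest-pipeline warning in the log is expected and harmless; the refused connections to `[::1]:9200` only appear when Winlogbeat is still trying the Elasticsearch output.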