Winlogbeat to Heavynode?

[ben-sec]

Hello!

I have a new remote Heavynode in my distributed environment and want to collect Windows event logs there. Can I send them directly to the Heavynode or do they have to go to my central Manager node? Thanks in advance!

Cheers, Ben

[InfosecGoon]

You should be able to send them to the Heavy Node, though you might have to open up the firewall settings to allow the inbound traffic. How are you transporting the logs? Winlogbeat?

[InfosecGoon]

So-allow only runs on a Manager/Standalone node, because it updates the Salt configuration files there.

If you want to open up port 5044 on a minion node (like a Heavy node), you'll need to make the appropriate modifications to the node's minion pillar file. Something like this, but with beats_endpoint as the hostgroup instead of syslogtosensor1.

https://docs.securityonion.net/en/2.3/firewall.html#allow-hosts-to-send-syslog-to-a-sensor-node

[ben-sec]

I have added the IP of my heavynode to the hostgroup and added

firewall:
  assigned_hostgroups:
    chain:
      DOCKER-USER:
         hostgroups:
           beats_endpoint:
             portgroups:
               - portgroups.beats_5044

to my_minion_heavynode.sls, but there is no data comming in. Where do I find the firewall logs to verify if port still 5044 gets blocked (I start off to send them in plain text to keep things simple)?

[ben-sec]

I found the firewall logs and it seems that the first few Winlogbeat packets got dropped, but then the correct firewall configuration kicked in and I don't see any dropped packets for dst-port 5044 anymore. But I don't see any Winlogbeat data from my test client in SO. Other clients, who are sending their data to the Manager node are working fine. Ideas?

[ben-sec]

The logstash ssl configuration of my manager node has been distributed to the heavynode and it was expecting ssl traffic from winlogbeat. After setting up the ssl configuration in winlogbeat.yaml everything is working fine!