Hi all,
I am now doing the ELK lab with Docker.
The repo: https://github.com/deviantony/docker-elk/
ELK stack host IP: 192.168.87.52
My logstash/pipeline/logstash.conf:
input {
  beats {
    port => 5044
  }
  tcp {
    port => 5000
  }
}

## Add your filters / logstash plugins configuration here

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    user => "elastic"
    password => "changeme"
    ecs_compatibility => disabled
  }
  elasticsearch {
    hosts => "192.168.87.47:9200" ## this is Security Onion host
    user => "so_elastic"
    password => "nFHrqKrQZV0aRSJYKjf4"
    ecs_compatibility => disabled
  }
}
My winlogbeat.yml (OSS 7.13.4):
# ======================== Winlogbeat specific options =========================
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
# ====================== Elasticsearch template settings =======================
#setup.template.settings:
#  index.number_of_shards: 1
#  index.codec: best_compression
#  _source.enabled: false
# ================================== General ===================================
# ================================= Dashboards =================================
# =================================== Kibana ===================================
# =============================== Elastic Cloud ================================
# ================================== Outputs ===================================
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.87.52:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
# ================================== Logging ===================================
# ============================= X-Pack Monitoring ==============================
# ============================== Instrumentation ===============================
# ================================= Migration ==================================
Test config:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe test config -e
2021-09-17T20:45:28.065+0700 INFO instance/beat.go:665 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2021-09-17T20:45:28.067+0700 INFO instance/beat.go:673 Beat ID: fd01bf44-dadb-447c-b753-4ce8885a2a37
2021-09-17T20:45:28.157+0700 INFO [beat] instance/beat.go:1014 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\Program Files\\Winlogbeat\\data", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\Program Files\\Winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd01bf44-dadb-447c-b753-4ce8885a2a37"}}}
2021-09-17T20:45:28.157+0700 INFO [beat] instance/beat.go:1023 Build info {"system_info": {"build": {"commit": "1907c246c8b0d23ae4027699c44bf3fbef57f4a4", "libbeat": "7.13.4", "time": "2021-07-14T18:02:43.000Z", "version": "7.13.4"}}}
2021-09-17T20:45:28.157+0700 INFO [beat] instance/beat.go:1026 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":12,"version":"go1.15.14"}}}
2021-09-17T20:45:28.206+0700 INFO [beat] instance/beat.go:1030 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-09-09T10:20:55.72+07:00","name":"3THHP13","ip":["10.23.0.161/32","fe80::21e9:916f:b743:dacd/64","169.254.218.205/16","fe80::7949:d2fe:7c06:457c/64","172.168.1.1/24","fe80::4082:1646:773:d35f/64","169.254.211.95/16","fe80::89c9:a92:821b:bed0/64","169.254.190.208/16","192.168.0.2/24","fe80::c4ea:4257:cc42:c8b1/64","169.254.200.177/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1165 (WinBuild.160101.0800)","mac":["02:50:41:00:00:01","34:48:ed:1e:ca:c2","0a:00:27:00:00:13","24:41:8c:c0:99:4c","26:41:8c:c0:99:4b","24:41:8c:c0:99:4b","24:41:8c:c0:99:4f"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1165"},"timezone":"+07","timezone_offset_sec":25200,"id":"ffc1b065-0761-4fea-8323-2f9644354cb7"}}}
2021-09-17T20:45:28.207+0700 INFO [beat] instance/beat.go:1059 Process info {"system_info": {"process": {"cwd": "C:\\Program Files\\Winlogbeat", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 19448, "ppid": 2300, "start_time": "2021-09-17T20:45:27.833+0700"}}}
2021-09-17T20:45:28.208+0700 INFO instance/beat.go:309 Setup Beat: winlogbeat; Version: 7.13.4
2021-09-17T20:45:28.209+0700 INFO [publisher] pipeline/module.go:113 Beat name: 3THHP13
2021-09-17T20:45:28.211+0700 INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\Winlogbeat\data\.winlogbeat.yml
Config OK
But when I try the setup:
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup
Exiting: Index management requested but the Elasticsearch output is not configured/enabled
PS C:\Program Files\Winlogbeat> .\winlogbeat.exe setup -e
2021-09-17T20:46:22.964+0700 INFO instance/beat.go:665 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2021-09-17T20:46:22.965+0700 INFO instance/beat.go:673 Beat ID: fd01bf44-dadb-447c-b753-4ce8885a2a37
2021-09-17T20:46:23.048+0700 INFO [beat] instance/beat.go:1014 Beat info {"system_info": {"beat": {"path": {"config": "C:\\Program Files\\Winlogbeat", "data": "C:\\Program Files\\Winlogbeat\\data", "home": "C:\\Program Files\\Winlogbeat", "logs": "C:\\Program Files\\Winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "fd01bf44-dadb-447c-b753-4ce8885a2a37"}}}
2021-09-17T20:46:23.048+0700 INFO [beat] instance/beat.go:1023 Build info {"system_info": {"build": {"commit": "1907c246c8b0d23ae4027699c44bf3fbef57f4a4", "libbeat": "7.13.4", "time": "2021-07-14T18:02:43.000Z", "version": "7.13.4"}}}
2021-09-17T20:46:23.048+0700 INFO [beat] instance/beat.go:1026 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":12,"version":"go1.15.14"}}}
2021-09-17T20:46:23.103+0700 INFO [beat] instance/beat.go:1030 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2021-09-09T10:20:55.72+07:00","name":"3THHP13","ip":["10.23.0.161/32","fe80::21e9:916f:b743:dacd/64","169.254.218.205/16","fe80::7949:d2fe:7c06:457c/64","172.168.1.1/24","fe80::4082:1646:773:d35f/64","169.254.211.95/16","fe80::89c9:a92:821b:bed0/64","169.254.190.208/16","192.168.0.2/24","fe80::c4ea:4257:cc42:c8b1/64","169.254.200.177/16","::1/128","127.0.0.1/8"],"kernel_version":"10.0.19041.1165 (WinBuild.160101.0800)","mac":["02:50:41:00:00:01","34:48:ed:1e:ca:c2","0a:00:27:00:00:13","24:41:8c:c0:99:4c","26:41:8c:c0:99:4b","24:41:8c:c0:99:4b","24:41:8c:c0:99:4f"],"os":{"type":"windows","family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"19043.1165"},"timezone":"+07","timezone_offset_sec":25200,"id":"ffc1b065-0761-4fea-8323-2f9644354cb7"}}}
2021-09-17T20:46:23.103+0700 INFO [beat] instance/beat.go:1059 Process info {"system_info": {"process": {"cwd": "C:\\Program Files\\Winlogbeat", "exe": "C:\\Program Files\\Winlogbeat\\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 21836, "ppid": 2300, "start_time": "2021-09-17T20:46:22.769+0700"}}}
2021-09-17T20:46:23.105+0700 INFO instance/beat.go:309 Setup Beat: winlogbeat; Version: 7.13.4
2021-09-17T20:46:23.105+0700 INFO [publisher] pipeline/module.go:113 Beat name: 3THHP13
2021-09-17T20:46:23.108+0700 INFO beater/winlogbeat.go:69 State will be read from and persisted to C:\Program Files\Winlogbeat\data\.winlogbeat.yml
2021-09-17T20:46:23.109+0700 ERROR instance/beat.go:989 Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Exiting: Index management requested but the Elasticsearch output is not configured/enabled
Please help me fix this problem.
Thanks & Regards
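An added example, not part of the post above and not the poster's own commands. The error in the post says exactly what is wrong: winlogbeat.yml only enables output.logstash, and `winlogbeat setup` has to talk to Elasticsearch directly to load the index template, so it refuses to run. The documented way around this is to run setup once with `-E` command-line overrides that disable the Logstash output and supply an Elasticsearch output for that invocation only; the file on disk is left untouched. The PowerShell below assumes the docker-elk Elasticsearch on 192.168.87.52 is reachable from the Windows host on port 9200 over plain HTTP with the `elastic` user from the post; ES_PWD is a hypothetical keystore entry name. It also keeps the password in the Winlogbeat keystore rather than in the config file or the shell history, and checks afterwards that the template actually landed.

```powershell
# Added example, not from the original post. Assumes the docker-elk
# Elasticsearch is reachable from this Windows host at 192.168.87.52:9200
# and that the 'elastic' user from the post may load index templates.
# ES_PWD is a hypothetical keystore entry name. Run from an elevated prompt.
Set-Location 'C:\Program Files\Winlogbeat'

# 1. Put the Elasticsearch password in the Winlogbeat keystore instead of
#    winlogbeat.yml or the command line (which ends up in shell history).
.\winlogbeat.exe keystore create
.\winlogbeat.exe keystore add ES_PWD      # prompts for the secret

# 2. Run setup once with the Logstash output switched off and an
#    Elasticsearch output supplied on the command line. winlogbeat.yml is not
#    modified, so the service keeps shipping to Logstash on 5044 afterwards.
#    --index-management loads only the index template and ILM policy; a bare
#    'setup' would also try to reach Kibana to load dashboards.
#    Single quotes stop PowerShell from expanding ${ES_PWD}; Winlogbeat
#    resolves it from the keystore when it loads the setting.
.\winlogbeat.exe setup --index-management -e `
  -E 'output.logstash.enabled=false' `
  -E 'output.elasticsearch.hosts=["192.168.87.52:9200"]' `
  -E 'output.elasticsearch.username=elastic' `
  -E 'output.elasticsearch.password=${ES_PWD}'

# 3. Verify the template exists. Basic auth is built by hand so this works in
#    both Windows PowerShell 5.1 and PowerShell 7; the password is prompted for.
$cred  = Get-Credential -UserName elastic -Message 'Elasticsearch password'
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
$resp  = Invoke-RestMethod -Uri 'http://192.168.87.52:9200/_index_template/winlogbeat*' `
  -Headers @{ Authorization = "Basic $token" }
$resp.index_templates | ForEach-Object {
  '{0} -> {1}' -f $_.name, ($_.index_template.index_patterns -join ', ')
}
```

The template only helps if Logstash writes the Winlogbeat events to an index its pattern (`winlogbeat-*`) matches; the Logstash elasticsearch output defaults to `logstash-%{+YYYY.MM.dd}`, so the docker-elk destination in logstash.conf needs an `index => "%{[@metadata][beat]}-%{[@metadata][version]}"` setting (the form used in the Winlogbeat docs' Logstash output example) for the mapping to apply. The same keystore advice applies to the `so_elastic` password sitting in plain text in logstash.conf: the Logstash keystore can hold it and the pipeline can reference it as `${SO_PWD}` (again a hypothetical entry name).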