Elastic SIEM No Failed Authentications

Hello Community!

I'm exploring ELK as a SIEM. As a beginner, I have Winlogbeat installed on a virtual machine that's subscribed to forwarded events from the Domain Controller. I've made subsequent changes to the YML file and I'm receiving the logs within Elastic. ** ISSUE: 0 FAILED AUTHENTICATIONS ** Please view the attached image and let me know if I have to make changes in GPO or the YML file to get the failed logs.

See https://www.elastic.co/guide/en/beats/winlogbeat/7.6/winlogbeat-modules.html#_usage_with_forwarded_events.

In 7.8 we will include this as part of the default config file.

Hi Andrew,

Thank you for your reply!

When I add the following lines to the YML file, the Winlogbeat service won't start. Am I doing something wrong?

```yaml
- name: ForwardedEvents
  tags: [forwarded]
  processors:
  - script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
  - script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
      lang: javascript
      id: sysmon
      file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
```

Are those three backticks ``` part of your file?

Can you run .\winlogbeat.exe test config and .\winlogbeat export config and see if you notice any issues?

No, those backticks aren't part of my file. Thanks for asking.
Also, this is the error I get after running the command
.\winlogbeat export config

PS C:\Program Files\Winlogbeat> .\winlogbeat export config
2020-05-07 15:18:02.6331736 -0400 EDT m=+0.060222701 write error: failed to rotate backups: failed to rotate backups: rename C:\Program Files\Winlogbeat\logs\winlogbeat.1 C:\Program Files\Winlogbeat\logs\winlogbeat.2: Access is denied.
2020-05-07 15:18:02.6411611 -0400 EDT m=+0.068210001 write error: failed to rotate backups: failed to rotate backups: rename C:\Program Files\Winlogbeat\logs\winlogbeat.1 C:\Program Files\Winlogbeat\logs\winlogbeat.2: Access is denied.

Maybe you weren't running as an administrator? If you add a -e it should log to stderr and avoid that issue.

Hi Andrew,
The test config came back OK. But I'm still not getting failed authentications in SIEM, while in the Discover tab I was able to find different failed logon events. I've created a workaround to visualize failed auths in dashboards until I figure out how to get failed authentications on Elastic SIEM.

Thanks,
Wilfred
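The symptom above (failed logons visible in Discover, but 0 failed authentications in the SIEM app) usually means the forwarded events reached Elasticsearch without the ECS fields (event.category, event.outcome) that the security module's script processor adds. The following is an added example, not code from the thread or from Elastic: it audits exported Winlogbeat NDJSON and counts logon events that a SIEM authentication widget would not see because they lack that enrichment. The event-ID-to-outcome mapping and the sample events are constructed assumptions for illustration.

```python
import json

# Assumed mapping of Windows Security logon event IDs to the ECS event.outcome
# the security module's script processor is expected to set (illustrative).
LOGON_EVENT_OUTCOME = {
    4624: "success",  # account successfully logged on
    4625: "failure",  # account failed to log on
    4771: "failure",  # Kerberos pre-authentication failed
    4776: None,       # NTLM credential validation: outcome depends on Status
}

def expected_outcome(event):
    """Return the outcome a logon event should carry, or None if not a logon event."""
    winlog = event.get("winlog", {})
    try:
        eid = int(winlog.get("event_id", 0))  # Winlogbeat exports this as a string
    except ValueError:
        return None
    if eid == 4776:
        status = str(winlog.get("event_data", {}).get("Status", "0x0")).lower()
        return "success" if status == "0x0" else "failure"
    return LOGON_EVENT_OUTCOME.get(eid)

def is_enriched(event):
    """True when the event carries the ECS fields SIEM authentication views use."""
    ecs = event.get("event", {})
    category = ecs.get("category", [])
    category = [category] if isinstance(category, str) else category
    return "authentication" in category and "outcome" in ecs

def audit_enrichment(events):
    """Count failed logons the SIEM can see vs. those hidden by missing enrichment."""
    report = {"failed_auth_visible": 0, "failed_auth_hidden": 0, "unenriched_ids": []}
    for ev in events:
        outcome = expected_outcome(ev)
        if outcome is None:
            continue  # not a logon event we track
        if is_enriched(ev):
            report["failed_auth_visible"] += ev["event"]["outcome"] == "failure"
        else:
            report["unenriched_ids"].append(ev["winlog"]["event_id"])
            report["failed_auth_hidden"] += outcome == "failure"
    return report

def audit_ndjson(text):
    """Parse one JSON event per line (Winlogbeat file/console output format)."""
    return audit_enrichment(json.loads(l) for l in text.splitlines() if l.strip())

# Constructed sample: two raw forwarded events (no ECS fields) and two enriched ones.
SAMPLE_NDJSON = """
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "alice", "Status": "0xc000006d"}}, "event": {"code": "4625"}}
{"winlog": {"channel": "Security", "event_id": "4625", "event_data": {"TargetUserName": "bob"}}, "event": {"category": ["authentication"], "type": ["start"], "outcome": "failure"}}
{"winlog": {"channel": "Security", "event_id": "4624", "event_data": {"TargetUserName": "carol"}}, "event": {"category": ["authentication"], "type": ["start"], "outcome": "success"}}
{"winlog": {"channel": "Security", "event_id": "4776", "event_data": {"TargetUserName": "dave", "Status": "0xc0000064"}}, "event": {"code": "4776"}}
"""

if __name__ == "__main__":
    print(audit_ndjson(SAMPLE_NDJSON))
```

Run it against `winlogbeat.exe export ...`-style NDJSON or a file output to see how many 4625/4771/4776 events are reaching the index without event.category and event.outcome; a non-zero hidden count points at the script processor (or the forwarded channel tag) rather than at GPO audit policy.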
