Getting winlogbeat to speak to SecurityOnion

I've been given the task to get our company's log monitoring up and going, so I'm really effing new to this.

I have Security Onion installed - our local firewall is speaking to it fine - which is good.

I have then wanted to install winlogbeat on a local computer (we don't have a server).

I have created the .yml file:

winlogbeat.event_logs:
  - name: Application
  - name: Security
  - name: System

output.elasticsearch:
  hosts:
    - 10.1.1.25:9200

setup.kibana:
  host: "10.1.1.25:5601"

logging.to_files: true
logging.files:
  path: C:/ProgramData/winlogbeat/Logs
logging.level: info

Can someone direct me to some quality tutorials of how to get the logs working and what setting to set up?

I have run the test against the config file and all seems OK.

Again apologies for being useless.

What specific issue are you running into? Are your logs not being forwarded to Security Onion? Is the index pattern (winlogbeat-*) being created in Elasticsearch?

My setup uses Winlogbeat --> Logstash --> Elasticsearch and I have no issue after manually loading the index pattern (winlogbeat.template.json) on the Elasticsearch server.

Let me know if that works out for you or not.

I'm currently using SecurityOnion and it looks like you have a few issues with your yml file. Just note that SecurityOnion (SO) changes the ports that are used.

Here are the main fields that I changed in my SO deployment.

winlogbeat.event_logs:
  - name: Application
    ignore_older: 168h
  - name: Security
  - name: System
    tags: ["print-server"]

output.logstash:
  # The Logstash hosts
  hosts: ["10.x.x.x:5044"]

logging.files:
  path: C:/winlogbeat/Logs
logging.level: info

Remember, after you make any changes, to restart the service and look at the log files.

You'll also need to add a new entry in the SO firewall, in putty (that's what I use to SSH into SecurityOnion).

sudo so-allow will allow you to add/modify a device in the SO firewall; take a look below:

What kind of device do you want to allow?

[a] - Analyst - ports 22/tcp, 443/tcp, and 7734/tcp
[b] - Logstash Beat - port 5044/tcp
[c] - apt-cacher-ng client - port 3142/tcp
[e] - Elasticsearch REST endpoint - port 9200
[f] - Logstash forwarder - standard - port 6050/tcp
[j] - Logstash forwarder - JSON - port 6051/tcp
[l] - Syslog device - port 514
[n] - Elasticsearch node-to-node communication - port 9300
[o] - OSSEC agent - port 1514
[s] - Security Onion sensor - 22/tcp, 4505/tcp, 4506/tcp, and 7736/tcp

If you need to add any ports other than those listed above,
you can do so using the standard 'ufw' utility.

For more information, please see the Firewall page on our Wiki:

Please enter your selection (a - analyst, c - apt-cacher-ng client, l - syslog, o - ossec, or s - Security Onion sensor, etc):
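As an added check (example script, not from the thread or from the Winlogbeat/Security Onion projects), the steps above can be verified from the Windows host in one go: confirm the config uses output.logstash, run Winlogbeat's own config and output tests, probe the Beats port that so-allow option [b] opens, then restart the service and read the latest log. It assumes Winlogbeat was extracted to C:\Program Files\Winlogbeat, that the log path is the one from the config above, and uses a placeholder SO address.

```powershell
# Added example: verify a Winlogbeat -> Logstash (Security Onion, 5044/tcp) setup.
$WinlogbeatDir = 'C:\Program Files\Winlogbeat'   # assumption: where winlogbeat.exe was extracted
$LogDir        = 'C:\winlogbeat\Logs'             # logging.files.path from the config above
$SoHost        = '10.x.x.x'                       # placeholder: your Security Onion IP
$SoPort        = 5044                             # Logstash Beats input (so-allow option [b])
$ConfigPath    = Join-Path $WinlogbeatDir 'winlogbeat.yml'

Set-Location $WinlogbeatDir

# 1. The config must point at output.logstash, not output.elasticsearch:
#    so-allow [b] opens 5044 for Beats; 9200 is a separate, analyst-facing entry.
$cfg = Get-Content $ConfigPath -Raw
if ($cfg -match '(?m)^\s*output\.elasticsearch:') {
    Write-Warning "Config uses output.elasticsearch; SO expects output.logstash on port $SoPort"
}
if ($cfg -notmatch '(?m)^\s*output\.logstash:') {
    Write-Warning "No output.logstash section found in $ConfigPath"
}

# 2. YAML/config syntax check (catches an unindented 'hosts' list, for example).
.\winlogbeat.exe test config -c $ConfigPath -e

# 3. Is the Beats port reachable at all? If not, run 'sudo so-allow' on SO and pick [b].
$tnc = Test-NetConnection -ComputerName $SoHost -Port $SoPort -WarningAction SilentlyContinue
if (-not $tnc.TcpTestSucceeded) {
    Write-Warning "TCP ${SoHost}:${SoPort} unreachable - check so-allow / ufw on Security Onion"
}

# 4. End-to-end check: Winlogbeat opens a real connection to the configured output.
.\winlogbeat.exe test output -c $ConfigPath -e

# 5. Restart the service and read the newest log file for connection errors.
Restart-Service winlogbeat
Start-Sleep -Seconds 10
Get-ChildItem $LogDir -Filter 'winlogbeat*' |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    Get-Content -Tail 20
```

Run it from an elevated PowerShell prompt, since restarting the service and reading the Winlogbeat folder need administrator rights.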
