Hi, I am trying to use sysmon to logstash to elasticsearch.
After advice from others in this forum, I finally came up with a combination of parms and processing that at least shows me data from my laptop IP in kibana.
This is what I have:
winlogbeat - I am using logstash output, enabled with a hosts: ["192.168.1.120:5044"].
elasticsearch.yml - network.hosts: ["192.168.1.120:9200"].
I tried to test sysmon to kibana by creating a mspaint instance process in windows. I looked for it in kibana, but I don't see it. Perhaps it's because I don't know how to look for it?
This might be a clue, but 192.168.1.120 does not ping? But data gets into kibana from my IPv4 and static IP?
Maybe I am not including the right sysmon includes or excludes, I only changed two:
ImageLoad onmatch="include" and
ProcessAccess onmatch="include"
Neither of which have any rules.
thanks for any help or advice.
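A check worth running on a Sysmon config before chasing the pipeline: Sysmon treats an `onmatch="include"` filter with no rules as matching nothing (that event type is silenced), while an `onmatch="exclude"` filter with no rules logs everything. The script below is an added example, not part of the post or of Sysmon itself; it parses a constructed config fragment modelled on the two empty include filters above and reports what each filter actually logs.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon config fragment modelled on the post: two empty include
# filters, an empty exclude filter, and a ProcessCreate filter with one rule
# (mspaint.exe as the test process). Assumed sample, not a real config.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="image">mspaint.exe</Image>
      </ProcessCreate>
    </RuleGroup>
    <ImageLoad onmatch="include" />
    <ProcessAccess onmatch="include" />
    <NetworkConnect onmatch="exclude" />
  </EventFiltering>
</Sysmon>"""


def _filter_elements(event_filtering):
    """Yield event filter elements, unwrapping any <RuleGroup> containers."""
    for child in event_filtering:
        if child.tag == "RuleGroup":
            yield from child
        else:
            yield child


def audit_sysmon_filters(xml_text):
    """Return {event_type: verdict} describing what each filter will log.

    Sysmon semantics: include with no rules matches nothing (event type is
    silenced); exclude with no rules excludes nothing (everything is logged).
    """
    root = ET.fromstring(xml_text)
    event_filtering = root.find("EventFiltering")
    verdicts = {}
    if event_filtering is None:
        return verdicts
    for elem in _filter_elements(event_filtering):
        onmatch = elem.get("onmatch", "").lower()
        rule_count = len(list(elem))  # child elements are the rules
        if rule_count == 0 and onmatch == "include":
            verdicts[elem.tag] = "logs nothing (empty include)"
        elif rule_count == 0 and onmatch == "exclude":
            verdicts[elem.tag] = "logs everything (empty exclude)"
        else:
            verdicts[elem.tag] = f"{onmatch} filter with {rule_count} rule(s)"
    return verdicts


if __name__ == "__main__":
    for event, verdict in audit_sysmon_filters(SAMPLE_CONFIG).items():
        print(f"{event:15} {verdict}")
```

Run it against your own sysmonconfig.xml by reading the file into `audit_sysmon_filters`; any event type reported as "logs nothing" will never reach winlogbeat, whatever the logstash and elasticsearch settings.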