I've been trying to make use of Winlogbeat to ingest static event logs we get from various clients as we perform forensic investigations for them.
I have a pretty nice little solution from "Manually upload EVTX log files to ELK with Winlogbeat and PowerShell" (Burnham Forensics).
My issue ends up being that I can't ingest these into my stack. My error log provides the following data:
2021-05-26T13:38:42.807-0700 INFO instance/beat.go:668 Beat ID: c802d1e9-2f45-42b1-b201-039076c08d5d
2021-05-26T13:38:42.808-0700 INFO instance/beat.go:386 winlogbeat stopped.
2021-05-26T13:38:42.808-0700 ERROR instance/beat.go:971 Exiting: unpacking template config fails: missing field accessing 'setup.template.pattern' (source:'winlogbeat-7.12.1\winlogbeat-evtxTst.yml')
Exiting: unpacking template config fails: missing field accessing 'setup.template.pattern' (source:'winlogbeat-7.12.1\winlogbeat-evtxTst.yml')
.\winlogbeat-7.12.1\winlogbeat.exe : 2021-05-26T13:38:45.997-0700 INFO instance/beat.go:660 Home path: [C:\Users\forensics\Documents\ELK-Tools\winlogbeat-7.12.1] Config path: [C:\Users\forensics\Documents\ELK-Tools\winlogbeat-7.12.1] Data path: [C:\Users\forensics\Documents\ELK-Tools\winlogbeat-7.12.1\data] Logs path: [C:\Users\forensics\Documents\ELK-Tools\winlogbeat-7.12.1\logs]
At C:\Users\forensics\Documents\ELK-Tools\ELK_EVTX_Upload.ps1:110 char:7
+ .\winlogbeat-7.12.1\winlogbeat.exe -e -c .\winlogbeat-7.1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (2021-05-26T13:3...at-7.12.1\logs]:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
I have been able to ingest logs and view them in Kibana using a simple winlogbeat.yml file, but when I get fancy they don't get ingested. I like this solution because I can keep ingested files identified by Client and Case Number.
I've been messing around with the Client Index Creation section in the yml sample below as I'm pretty sure that's where my issue lies. I'm thinking that I don't even need to call out the version as noted in the .yml file below and that may actually be counter-productive as I continue to upgrade. I'm super new to ELK so it may be something very basic that I'm missing.
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop

winlogbeat.shutdown_timeout: 30s
winlogbeat.registry_file: evtx-registry.yml

# Add/Drop fields for searching within Kibana
processors:
  - add_fields:
      target: ''
      fields:
        client: ${CLIENT}
        case_number: ${CASE}
        identifier: ${ID}
        log_file: ${FILE}
  - drop_fields:
      fields: ["event.kind", "event.code", "agent.ephemeral_id", "ecs.version"]

# Client Index Creation
setup.ilm.enabled: false
output.elasticsearch.index: '${CASE}-${ELK_CLIENT}-evtx'
setup.template.name: "winlogbeat-7.12.1"
setup.template.pattern: "${CASE}-${ELK_CLIENT}*"
output.elasticsearch.hosts: ['172.17.1.15:9200']
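Beats resolve `${NAME}` and `${NAME:default}` references from the environment when the config is unpacked, and an unset variable with no default surfaces as a "missing field accessing '<key>'" error on the key that contains it. The script below is an added example, not part of the post or of the Burnham Forensics script: it lists every `${...}` reference in a Winlogbeat YAML file and reports the ones that the environment cannot satisfy, so a case-upload wrapper can check its variables before launching winlogbeat.exe. The sample config and environment are constructed; the name mismatch between `${CLIENT}` and `${ELK_CLIENT}` mirrors the config above but whether that is the cause here is an assumption.

```python
import os
import re

# go-ucfg variable syntax used by Beats: ${NAME} or ${NAME:default}.
VAR_REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?::([^}]*))?\}")

def variable_references(yml_text):
    """Return [(line_number, yaml_key, var_name, has_default)] for every ${...} in the text.
    Line-level parse only: a '#' inside a quoted value would be treated as a comment."""
    refs = []
    for lineno, line in enumerate(yml_text.splitlines(), start=1):
        stripped = line.split("#", 1)[0]                       # drop YAML comments
        key = stripped.split(":", 1)[0].strip().lstrip("- ") if ":" in stripped else ""
        for m in VAR_REF.finditer(stripped):
            refs.append((lineno, key, m.group(1), m.group(2) is not None))
    return refs

def unresolved_references(yml_text, env=None):
    """Sorted [(line_number, yaml_key, var_name)] that Beats could not resolve from env."""
    env = os.environ if env is None else env
    return sorted(
        (lineno, key, var)
        for lineno, key, var, has_default in variable_references(yml_text)
        if not has_default and var not in env
    )

# Constructed sample mirroring the structure of the config in the post.
SAMPLE_YML = """\
winlogbeat.event_logs:
  - name: ${EVTX_FILE}
    no_more_events: stop
processors:
  - add_fields:
      target: ''
      fields:
        client: ${CLIENT}
        case_number: ${CASE}
setup.template.name: "winlogbeat-7.12.1"
setup.template.pattern: "${CASE}-${ELK_CLIENT}*"   # ELK_CLIENT, not CLIENT
output.elasticsearch.index: '${CASE}-${ELK_CLIENT}-evtx'
output.elasticsearch.hosts: ['${ES_HOST:localhost:9200}']
"""

# Constructed environment: the wrapper exported CLIENT but never ELK_CLIENT.
SAMPLE_ENV = {"EVTX_FILE": "Security.evtx", "CLIENT": "acme", "CASE": "2021-0042"}

if __name__ == "__main__":
    for lineno, key, var in unresolved_references(SAMPLE_YML, SAMPLE_ENV):
        print(f"line {lineno}: '{key}' references ${{{var}}} but it is not set")
```

Run it with no second argument to check a real config against the current process environment, which is what winlogbeat.exe will see when the PowerShell script launches it.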