Hi everyone, I'm trying to put together a SIEM with ELK.
I have my Elasticsearch and Kibana running on a single Debian AWS node, and I have multiple Windows VMs (slaves) sending security event logs to a Windows event log collector VM (master). I've installed Auditbeat and made changes to the modules within the YML file as follows:
```yaml
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

- module: system
  datasets:
  - host    # General host information, e.g. uptime, IPs
  - login   # User logins, logouts, and system boots.
  - package # Installed, updated, and removed packages
  - process # Started and stopped processes
  - socket  # Opened and closed sockets
  - user    # User information

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
```
I execute the YML using the command:

```
./Auditbeat -e -c auditbeat.yml
```

Output:

```
WARN [cfgwarn] host/host.go:167 BETA: The system/host dataset is beta
WARN [cfgwarn] process/process.go:131 BETA: The system/process dataset is beta
INFO instance/beat.go:402 auditbeat stopped.
ERROR instance/beat.go:916 Exiting: 1 error: 4 errors: the system/login dataset is only supported on Linux; the system/package dataset is not supported on Windows; the system/socket dataset is only supported on Linux; the system/user dataset is only supported on Linux Exiting: 1 error: 4 errors: the system/login dataset is only supported on Linux; the system/package dataset is not supported on Windows; the system/socket dataset is only supported on Linux; the system/user dataset is only supported on Linux.
```
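The error output above names the four datasets that the system module cannot run on Windows (login, package, socket, user), while host and process only raised beta warnings and loaded. As an added example that is not from the original post, the configuration below keeps the same file_integrity paths and only the two system datasets the output shows starting on the Windows collector; the Linux-only password and wtmp/btmp settings are dropped along with their datasets, and the Elasticsearch address is a placeholder to fill in.

```yaml
# Added example: a Windows-compatible auditbeat.yml for the collector VM.
# Assumes the file_integrity paths from the original post and a
# placeholder Elasticsearch endpoint on the Debian node.
auditbeat.modules:
- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

- module: system
  # Only the datasets that loaded on Windows in the original output;
  # login, package, socket and user are Linux-only per the error message.
  datasets:
  - host    # General host information, e.g. uptime, IPs
  - process # Started and stopped processes

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes).
  state.period: 12h

  # user.detect_password_changes and login.*_file_pattern are omitted:
  # they belong to the user and login datasets, which are Linux-only.

output.elasticsearch:
  # PLACEHOLDER: replace with the Debian node's reachable address.
  hosts: ["<elasticsearch-host>:9200"]
```

Running `auditbeat.exe test config -c auditbeat.yml` on the collector is a quick way to confirm the file parses before starting the service.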