Login dataset is not supported on Windows

Hi everyone, I'm trying to put together a SIEM with ELK.
I have my Elasticsearch and Kibana running on a single Debian AWS node, and I have multiple Windows VMs (slaves) sending security event logs to a Windows log collector VM (master). I've installed Auditbeat and made changes to the modules within the YML file as follows:

```yaml
auditbeat.modules:

- module: file_integrity
  paths:
  - C:/windows
  - C:/windows/system32
  - C:/Program Files
  - C:/Program Files (x86)

- module: system
  datasets:
    - host     # General host information, e.g. uptime, IPs
    - login    # User logins, logouts, and system boots.
    - package  # Installed, updated, and removed packages
    - process  # Started and stopped processes
    - socket   # Opened and closed sockets
    - user     # User information

  # How often datasets send state updates with the
  # current state of the system (e.g. all currently
  # running processes, all open sockets).
  state.period: 12h

  # Enabled by default. Auditbeat will read password fields in
  # /etc/passwd and /etc/shadow and store a hash locally to
  # detect any changes.
  user.detect_password_changes: true

  # File patterns of the login record files.
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
```


I then run Auditbeat with that YML using the command:

```
./Auditbeat -e -c auditbeat.yml
```

Output:

```
WARN    [cfgwarn]       host/host.go:167        BETA: The system/host dataset is beta
WARN    [cfgwarn]       process/process.go:131  BETA: The system/process dataset is beta
INFO    instance/beat.go:402    auditbeat stopped.
ERROR   instance/beat.go:916    Exiting: 1 error: 4 errors: the system/login dataset is only supported on Linux; the system/package dataset is not supported on Windows; the system/socket dataset is only supported on Linux; the system/user dataset is only supported on Linux
Exiting: 1 error: 4 errors: the system/login dataset is only supported on Linux; the system/package dataset is not supported on Windows; the system/socket dataset is only supported on Linux; the system/user dataset is only supported on Linux.
```

Am I doing something wrong, or is the login dataset really not supported on Windows, as the error message states?
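For reference, this is an added example (not from the original poster) of an auditbeat.yml that keeps only the parts of the two modules that Auditbeat accepts on Windows: the `file_integrity` module and the `host` and `process` datasets of the `system` module. The `login`, `package`, `socket` and `user` datasets named in the error message are removed, as are the `/etc/passwd` and `wtmp`/`btmp` settings that only apply to Linux. The Elasticsearch host name is a placeholder.

```yaml
# Added example: auditbeat.yml trimmed to what Auditbeat supports on Windows.
auditbeat.modules:

- module: file_integrity
  paths:
  - C:/Windows
  - C:/Windows/System32
  - C:/Program Files
  - C:/Program Files (x86)
  # Walk subdirectories of the paths above rather than only their top level.
  recursive: true
  # Hash every watched file at startup so the first change is detectable.
  scan_at_start: true
  hash_types: [sha256]

- module: system
  # Only these two system datasets run on Windows; login, package, socket
  # and user are Linux-only, which is exactly what the startup error reports.
  datasets:
    - host     # General host information, e.g. uptime, IPs
    - process  # Started and stopped processes

  # Full snapshot (all running processes, host facts) every 12 hours;
  # individual start/stop events are still sent as they happen.
  state.period: 12h

output.elasticsearch:
  # Placeholder: replace with the address of the Debian node running Elasticsearch.
  hosts: ["https://elk.example.internal:9200"]
```

Running `auditbeat test config -c auditbeat.yml` before starting the service catches dataset/platform mismatches like this one without having to start the Beat and read the exit error.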

Those would be in the Windows event log; I think the default setup for Winlogbeat would integrate those into the SIEM.
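To make the suggestion above concrete, here is an added example (not part of the original reply) of a winlogbeat.yml that ships the logon-related events from the Security log. Logons, logoffs and boots, which the Linux-only `login` dataset would have provided, live in the Windows event log on Windows: 4624/4625/4634/4647 are logon, failed logon and logoff events, 4648 is an explicit-credential logon, 4672 is a privileged logon, and 6005/6006 in the System log mark the Event Log service starting and stopping at boot and shutdown. Because the poster's slaves forward to a collector VM, the `ForwardedEvents` channel, where Windows Event Forwarding delivers subscribed events, is included as well. The Elasticsearch host name is a placeholder.

```yaml
# Added example: winlogbeat.yml for the collector VM.
winlogbeat.event_logs:

  # Local logon activity on the collector itself.
  - name: Security
    # Comma-separated list of event IDs to keep; everything else in the
    # channel is dropped before it leaves the host.
    event_id: 4624, 4625, 4634, 4647, 4648, 4672
    # On first start, skip events older than this rather than replaying the
    # whole log.
    ignore_older: 72h

  # Boot and shutdown markers.
  - name: System
    event_id: 6005, 6006, 1074

  # Events forwarded from the slave VMs via Windows Event Forwarding land
  # here, so one Winlogbeat on the collector covers the whole fleet.
  - name: ForwardedEvents
    event_id: 4624, 4625, 4634, 4647, 4648, 4672, 6005, 6006, 1074
    ignore_older: 72h

output.elasticsearch:
  # Placeholder: replace with the address of the Debian node running Elasticsearch.
  hosts: ["https://elk.example.internal:9200"]
```

Filtering on `event_id` at the source is a deliberate choice: a busy Security log emits far more object-access and audit-policy noise than logon events, and dropping it on the collector keeps the Elasticsearch ingest rate predictable. Widen the list once the SIEM's detections need other event families.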
