Hi everyone,
My company is setting up a Proof of Concept with Elastic SIEM.
Running an on-prem setup: 3 Elastic nodes in a cluster configuration with one Kibana server and one Logstash server.
While testing the SIEM dashboard we ran into the following.
When we input data using Logstash the index isn't automatically created.
To fix this we created one manually; data seemed to come in, so we checked the SIEM dashboard.
This seemed to behave in unexpected ways; for example, the number of logins would grow exponentially, showing 1.206 successes while the actual count is way lower (162).
Other fields wouldn't populate at all.
We eventually managed to get the dashboard working by cleaning everything up and directing the data directly into Elastic (skipping Logstash); this automatically created an index and all data shows up in the dashboard.
My question:
How do you configure Logstash to handle winlogbeat files in such a way that my SIEM dashboard is showing all the data?
The logstash server is running a default configuration.
The node name is configured and the http api is enabled on localhost.
The config to forward the logs:

input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["http://pocserver-es01:9200","http://pocserver-es02:9200","http://pocserver-es03:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "elastic"
    password => "thepasswordforelastic"
  }
}
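As an added example, not code from the original post: a complete beats-to-Elasticsearch pipeline for winlogbeat data in the form the Logstash config language expects (lowercase option names, an enclosing `input` block, and the option `hosts` rather than `host`). The host names, index pattern and credentials are taken from the post; the `manage_template` and `ilm_enabled` settings, and the assumption that the winlogbeat index template is loaded into Elasticsearch beforehand with `winlogbeat setup --index-management` (Beats 7.x) so the SIEM app sees the expected ECS field mappings, are this example's choices, not the poster's.

```logstash
# Assumed pipeline: /etc/logstash/conf.d/winlogbeat.conf (path is an assumption)
#
# Before starting this pipeline, load the winlogbeat index template directly
# into Elasticsearch once (Logstash does not do it for you), e.g. on the
# winlogbeat host with Beats 7.x:
#   winlogbeat setup --index-management -E output.logstash.enabled=false \
#     -E 'output.elasticsearch.hosts=["http://pocserver-es01:9200"]'
# Without that template, an index created by the first event gets dynamic
# mappings, which is one reason SIEM visualisations can stay empty.

input {
  beats {
    # winlogbeat's output.logstash.hosts must point at this port
    port => 5044
  }
}

# No filter block: winlogbeat already emits ECS-formatted events.

output {
  elasticsearch {
    hosts => ["http://pocserver-es01:9200",
              "http://pocserver-es02:9200",
              "http://pocserver-es03:9200"]
    # Keep the winlogbeat-<version>-<date> naming so the winlogbeat-* index
    # pattern and its template match the indices Logstash writes.
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    # Assumption: let the winlogbeat template own the mappings; do not install
    # Logstash's own "logstash" template.
    manage_template => false
    # Assumption: disable Logstash-side ILM so the index setting above is used
    # instead of Logstash's default rollover alias.
    ilm_enabled => false
    user => "elastic"
    password => "thepasswordforelastic"
  }
}
```

Run `bin/logstash --config.test_and_exit -f <path-to-file>` before starting the service; it rejects option names Logstash does not know (such as capitalised `Port` or `Host`), which is the kind of error that would otherwise stop the pipeline from loading at all.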