Question on populating SIEM dashboard with winlogbeat data and Logstash

Johan-p · September 30, 2020, 1:17pm

Hi everyone,

My company is setting up a Proof of Concept with Elastic SIEM.
Running an on-prem setup: 3 Elastic nodes in a cluster configuration with one Kibana server and one Logstash server.
While testing the SIEM dashboard we ran into the following.

When we input data using Logstash the index isn't automaticly created.
To fix this we create one manually, data seemed to come in so we checked the SIEM dashboard.
This seemed to behave in unexpected ways, for example the number of logins would grow exponentially showing 1.206 success while the actualy count is way lower (162).
Other fields wouldn't populate at all.

We eventually managed to get the dashboard working by cleaning everything up and directing the data directly into Elastic (skipping logstash) this automaticly created an index and all data shows up in the dashboard.

My question:
How do you configure logstash to handel winlogbeat files in such a way that my SIEM dashboard is showing all the data?

The logstash server is running a default configuration.
The node name is configured and the http api is enabled on localhost.

the config to forward the logs:

   beats {
   Port => 5044
 }
}

Output {
  Elasticsearch {
  Host => ["http://pocserver-es01:9200","http://pocserver-es02:9200","http://pocserver-es03:9200"]
  index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  user =>  "elastic"
  Password => "thepasswordforelastic"
 }
}

RylandHerrick · September 30, 2020, 4:14pm

Hi @Johan-p, welcome!

From what you've described, it seems likely that you've not configured your mappings for these winlogbeat indexes. While you can always manually create an index and define the mappings that SIEM supports, an index template will do both of those things for you.

Our guides should have detailed instructions on how to load a winlogbeat index template, but since winlogbeat is outputting to logstash you'll probably want to load the index template manually, ensuring that the template pattern matches your output index.

If you don't need your pre-template data, I would suggest deleting it to prevent conflicts, but if you want you can also reindex that data once the template has been applied.

I hope that helps! If I'm mistaken and you've already got an index template applied, then sharing your software versions, the mappings for that index, and some screenshots of the issues you're experiencing would help to further debug.

Cheers!

system · October 28, 2020, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat setup without direct access to elasticsearch/kibana Beats winlogbeat	3	712	March 14, 2022
Configure Winlogbeat to use Logstash and setup kibana dashboards at once Beats winlogbeat	6	38	September 11, 2024
No Index for winlogbeat-* Beats winlogbeat	2	1940	February 24, 2017
Beats and index naming Beats	22	1106	September 16, 2019
Logstash Output Dashboards SIEM	1	375	April 17, 2020

Question on populating SIEM dashboard with winlogbeat data and Logstash

Related topics