Hi, I am back from my other project. I made a new forum post ( I am using the Sysmon-> logstash -> elasticsearch (ELK) architecture issues ), but realized that I already had a post about my sysmon data not getting to kibana, sorry about that.
But I continue with THIS thread.
So, after re-reading replies to this post, I decided to
just focus on sysmon to logstash to elasticsearch. When I lined up the IP addresses to use
This is what I have :
winlogbeat - I am using logstash output, enabled with a hosts: ["192.168.1.120:5044"].
elasticsearch.yml - network.hosts: ["192.168.1.120:9200"].
Is there another place I need to put this IP address?
(I changed this IP to .216 which is my SOC IP, still nothing)
logstash - creates its own pipes?
I tried to test sysmon to kibana by creating a mspaint instance process in sysmon. I looked for it in kibana, elastic sysmon logs and it says 0.
This might be a clue, but 192.168.1.120 does not ping? But data gets into kibana from my IPv4 and SOC IP?
I saw a video that mentioned using so-allow to enter an IP address and then going into the winlogbeat and entering that same IP address, and they called it a sensor? Where is the sensor?
Maybe I am not including the right sysmon includes or excludes, But I only changed two :
ImageLoad onmatch="include" and
ProcessAccess onmatch="include"
Neither of which have any rules.
thanks again for any help or advice.
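The last part of the post touches on Sysmon filter semantics, which are easy to get backwards: an `onmatch="include"` block with no rules under it means "include only events that match these (zero) rules", so Sysmon logs nothing of that event type, whereas an empty `onmatch="exclude"` block logs every event of that type. The script below is an added example, not code from the poster or from the Security Onion project; the Sysmon XML inside it is constructed to mirror the two changes the post describes, and the helper names (`summarize_filters`, `silenced_event_types`) are my own. It parses a config and reports what each filter block actually does, so you can spot event types that a config has silently turned off.

```python
import xml.etree.ElementTree as ET

# Constructed sample Sysmon config (not the poster's real file). ImageLoad and
# ProcessAccess are set to onmatch="include" with no rules beneath them, as in
# the post; ProcessCreate and NetworkConnect carry one rule each for contrast.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.30">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
    </ProcessCreate>
    <ImageLoad onmatch="include" />
    <ProcessAccess onmatch="include" />
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">5044</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
"""


def summarize_filters(config_xml):
    """Map each event type in <EventFiltering> to (onmatch, rule_count, effect).

    Event types with no block at all are not listed: Sysmon then applies its
    per-type default (ProcessCreate is on by default, ImageLoad is off).
    """
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    summary = {}
    if filtering is None:
        return summary
    for child in filtering:
        # Newer schemas wrap filter blocks in <RuleGroup>; unwrap those.
        blocks = list(child) if child.tag == "RuleGroup" else [child]
        for block in blocks:
            onmatch = block.get("onmatch", "").lower()
            rules = len(list(block))  # each child element is one filter rule
            if onmatch == "include":
                effect = "logs only matching events" if rules else "logs nothing of this type"
            elif onmatch == "exclude":
                effect = "logs all except matching events" if rules else "logs every event of this type"
            else:
                effect = "unknown onmatch value"
            summary[block.tag] = (onmatch, rules, effect)
    return summary


def silenced_event_types(config_xml):
    """Event types whose block drops everything: include mode with zero rules."""
    return sorted(
        event_type
        for event_type, (onmatch, rules, _) in summarize_filters(config_xml).items()
        if onmatch == "include" and rules == 0
    )


if __name__ == "__main__":
    for event_type, (onmatch, rules, effect) in summarize_filters(SAMPLE_CONFIG).items():
        print(f"{event_type:<16} onmatch={onmatch:<8} rules={rules}  -> {effect}")
    print("silenced:", silenced_event_types(SAMPLE_CONFIG))
```

Run it against your own config with `summarize_filters(open("sysmonconfig.xml").read())`. Note that a silenced ImageLoad or ProcessAccess block does not affect ProcessCreate (Event ID 1), so a missing mspaint.exe process-creation event in Kibana points at the transport path (Winlogbeat to Logstash on 5044, Logstash to Elasticsearch on 9200) rather than at these two filter blocks.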