Sysmon events not getting to SOC kibana or hunt - connection issues

Oh, I see, so just the output.elasticsearch suffices so that winlogbeat can send it there?
I think my issue might be an IP address thing. As a novice, I can see why I am confused about that.
But, no matter, I get back to my other project tomorrow. When I get back I will reread his post and start from scratch by reinstalling winlogbeat and elasticsearch; I think sysmon is ok.

Thanks Stephen and jba for your advice and suggestions.


Just a small point about old-fashioned IP version 4 Private and Public IP-addresses. Public IP-addresses are the IP-addresses that you will use for stuff that needs to talk to the big, big Internet. Private IP-addresses will never (unless someone at an Internet provider makes a big error) be valid out on the Internet. All Internet providers should do their best to block them, and should never allow traffic using those addresses to go on the Internet. So private IP-addresses are actually very secure.

And what are those Private IP-addresses? IBM says this: IBM Documentation

Of course there are ways, if you have a server, a web-server, on your internal private network, to make it reachable and visible on the Internet, but that requires you to configure your local (WiFi) router to do what is called NAT - Network Address Translation - where it will translate a given internal IP-address to something that is valid on the Internet. But it does not happen by accident.

Excellent, Jan!

Hi, I am back from my other project. I made a new forum post ( I am using the Sysmon-> logstash -> elasticsearch (ELK) architecture issues ), but realized that I already had a post about my sysmon data not getting to kibana, sorry about that.
But I continue with THIS thread.

So, after re-reading replies to this post, I decided to just focus on sysmon to logstash to elasticsearch. When I lined up the IP addresses to use

This is what I have :

winlogbeat - I am using logstash output, enabled with a hosts: ["192.168.1.120:5044"].

elasticsearch.yml - network.hosts: ["192.168.1.120:9200"].
Is there another place I need to put this IP address?
(I changed this IP to .216 which is my SOC IP, still nothing)

logstash - creates its own pipes?

I tried to test sysmon to kibana by creating a mspaint instance process in sysmon. I looked for it in kibana, elastic sysmon logs and it says 0.

This might be a clue, but 192.168.1.120 does not ping? But data gets into kibana from my IPv4 and SOC IP?
I saw a video that mentioned using so-allow to enter an IP address and then going into the winlogbeat and entering that same IP address, and they called it a sensor? Where is the sensor?

Maybe I am not including the right sysmon includes or excludes, but I only changed two:
ImageLoad onmatch="include" and
ProcessAccess onmatch="include"
Neither of which have any rules.

Thanks again for any help or advice.
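One thing worth checking in a Sysmon configuration like the one described above is what each `onmatch` group actually does. Sysmon's documented filtering semantics are that an `include` group logs only events matching one of its rules, so an `include` group with no rules logs nothing for that event type, while an `exclude` group with no rules logs everything. The script below is an added example, not code from the poster or from Security Onion or Sysmon; it parses a Sysmon configuration and reports, per event type and match mode, whether the filter logs nothing, logs everything, or is actually filtering. The configuration embedded in it is constructed to mirror the two changes mentioned in the post (ImageLoad and ProcessAccess set to `include` with no rules) plus two filters with rules for contrast.

```python
"""Summarise what a Sysmon configuration will and will not log, per event type.

Sysmon filtering semantics (per the Sysmon documentation):
  - onmatch="include": only events matching a rule are logged, so an include
    group with no rules logs NOTHING for that event type.
  - onmatch="exclude": everything except matching events is logged, so an
    exclude group with no rules logs EVERYTHING for that event type.
Event types not mentioned in the config fall back to Sysmon's defaults.
"""
import xml.etree.ElementTree as ET

# Constructed sample configuration (not a real config from the thread). It mirrors the
# poster's description: ImageLoad and ProcessAccess set to include with no rules.
SAMPLE_CONFIG = """<Sysmon schemaversion="4.50">
  <EventFiltering>
    <ProcessCreate onmatch="exclude">
      <Image condition="is">C:\\Windows\\System32\\svchost.exe</Image>
    </ProcessCreate>
    <ImageLoad onmatch="include" />
    <ProcessAccess onmatch="include" />
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">5044</DestinationPort>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""


def summarise_filtering(config_xml: str) -> dict:
    """Return {(event_type, onmatch): (rule_count, effect)} for every filter found.

    effect is 'logs nothing', 'logs everything', 'filtered' or 'unknown onmatch'.
    Filters may sit directly under EventFiltering (older configs) or inside a
    RuleGroup (schema 4.1 and later), so both layouts are handled.
    """
    root = ET.fromstring(config_xml)
    filtering = root.find("EventFiltering")
    if filtering is None:
        return {}
    summary = {}
    for child in filtering:
        filters = list(child) if child.tag == "RuleGroup" else [child]
        for flt in filters:
            onmatch = (flt.get("onmatch") or "").lower()
            rule_count = len(list(flt))  # each child element is one rule
            if onmatch == "include":
                effect = "filtered" if rule_count else "logs nothing"
            elif onmatch == "exclude":
                effect = "filtered" if rule_count else "logs everything"
            else:
                effect = "unknown onmatch"
            summary[(flt.tag, onmatch)] = (rule_count, effect)
    return summary


def silent_event_types(config_xml: str) -> list:
    """Event types whose filter guarantees nothing is logged (empty include groups)."""
    return sorted(
        event_type
        for (event_type, _onmatch), (_count, effect) in summarise_filtering(config_xml).items()
        if effect == "logs nothing"
    )


if __name__ == "__main__":
    # Point this at a real file with: ET.parse(path) / open(path).read() instead of SAMPLE_CONFIG
    for (event_type, onmatch), (count, effect) in summarise_filtering(SAMPLE_CONFIG).items():
        print(f"{event_type:15s} onmatch={onmatch:8s} rules={count:2d} -> {effect}")
    print("silent event types:", silent_event_types(SAMPLE_CONFIG))
```

Run against the sample, the report shows ImageLoad and ProcessAccess as "logs nothing", which is the expected behaviour of an empty `include` group rather than a sign the pipeline is broken; ProcessCreate (what an mspaint test would generate) is governed by its own exclude filter and is logged, so if that event still does not appear in Kibana the problem lies downstream of Sysmon, in winlogbeat, Logstash or Elasticsearch connectivity.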
