Unable to Upload Winevt to Elastic Stack

Hello!

I've recently enabled Security on my Elastic stack (7.17) using the documentation here.

I've completed up until the "Configure Beats security" section, as that is not needed in my environment.

I'm using the Burnham Forensics PowerShell script to upload winevt logs manually to Elasticsearch. I'm handling authentication using an API key I generated with the elastic system user. This is the current error I'm getting from the log the script generates:

2023-09-25T16:04:43.930-0500	ERROR	[publisher_pipeline_output]	pipeline/output.go:154	Failed to connect to 
backoff(elasticsearch(https://<elasticsearch_host>:9200)): 401 Unauthorized: 
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request 
[/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer 
realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST 
request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer 
realm=\"security\"","ApiKey"]}},"status":401}

Here is the Winlogbeat config for the script:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ['https://<elasticsearch_host>:9200']

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  api_key: "id:<api_key>"

Here is the Elasticsearch config:

# ---------------------------------- XPACK ------------------------------
xpack.security.enabled: true

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12
xpack.security.authc.api_key.enabled: true

Am I missing something here? I've followed the documentation and everything should work, so I'm not sure why it's erroring out.
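
An offline check of the pieces involved here, added as an example and not part of the original post: it builds the `Authorization: ApiKey` header Elasticsearch expects from the `id:api_key` string that the Beats `api_key` setting takes, prepares (without sending) a `GET /_security/_authenticate` request carrying it, and summarises the 401 body from the log above. The function names, the example host and the sample key are constructed for illustration; the 401 sample is the post's error trimmed to its top-level fields.

```python
import base64
import json
import urllib.request

# 401 body from the log in the post, trimmed to the top-level error object.
SAMPLE_401 = r'''{"error":{"type":"security_exception",
"reason":"missing authentication credentials for REST request [/]",
"header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"",
"Bearer realm=\"security\"","ApiKey"]}},"status":401}'''

def api_key_header(beats_value):
    """Convert the Beats 'id:api_key' string into an Authorization header value."""
    key_id, sep, secret = beats_value.partition(":")
    if not (sep and key_id and secret):
        raise ValueError("expected the key ID and the key joined by a colon")
    if "<" in beats_value or ">" in beats_value:
        raise ValueError("template placeholder still present in api_key")
    token = base64.b64encode(beats_value.encode("utf-8")).decode("ascii")
    return "ApiKey " + token

def build_check_request(base_url, beats_value):
    """Prepare (not send) GET /_security/_authenticate with the same key."""
    return urllib.request.Request(
        base_url.rstrip("/") + "/_security/_authenticate",
        headers={"Authorization": api_key_header(beats_value)},
    )

def diagnose_401(body):
    """Summarise a security_exception body returned with HTTP 401."""
    err = json.loads(body)["error"]
    offered = err.get("header", {}).get("WWW-Authenticate", [])
    return {
        # This reason means Elasticsearch found no credentials it could use
        # on the request, as opposed to credentials it checked and rejected.
        "credentials_recognised": not err["reason"].startswith(
            "missing authentication credentials"),
        "schemes_offered": [h.split()[0] for h in offered],
    }

if __name__ == "__main__":
    print(diagnose_401(SAMPLE_401))
    # Constructed host and key, for illustration only.
    req = build_check_request("https://es.example.invalid:9200", "a:b")
    print(req.full_url, req.get_header("Authorization"))
```

Sending the prepared request with `urllib.request.urlopen` against the real host shows whether the key authenticates independently of the Winlogbeat configuration.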
