Uploading Event Logs

Marcos_Felix · July 5, 2018, 8:32am

Does anyone know how to upload Windows Event Logs to my Linux VM?

Christian_Dahlqvist · July 5, 2018, 10:07am

Have you had a look at Winlogbeat?

Marcos_Felix · July 5, 2018, 10:09am

Yes, had some issues - I reinstalled and this is my configuration file:
#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["IP:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

For some reason nothing is coming up in Kibana

Christian_Dahlqvist · July 5, 2018, 10:10am

What does your Logstash config look like?

Marcos_Felix · July 5, 2018, 10:17am

Is logstash-nginx.es.conf file meant to be in the /logstash/conf.d?
I have:
02-beats:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

10-syslog

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

30-elasticsearch

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

Christian_Dahlqvist · July 5, 2018, 10:20am

What do those config files look like?

Marcos_Felix · July 5, 2018, 10:21am

I just edited my last response

Christian_Dahlqvist · July 5, 2018, 10:24am

It seems you have SSL configured for the beats input but not for Winlogbeat. Can you try and disable SSL in the beats input to see if this allows data to flow? Is there anything in the Winlogbeat logs?

Marcos_Felix · July 5, 2018, 10:26am

I am taking it by disabling SSL you mean either delete or comment it out or do you mean set ssl => False?

Christian_Dahlqvist · July 5, 2018, 10:27am

Yes.

Marcos_Felix · July 5, 2018, 10:28am

So this is the config file now:

input {
  beats {
    port => 5044
   # ssl => true
   # ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
   # ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

There are no logs in the winlogbeat file. Last attempt I had at winlogbeats it had a log file, but now that I reinstalled everything, it doesnt create one.

Marcos_Felix · July 5, 2018, 11:00am

Do you happen to have any good tutorials for installing Beats in Linux so that I can forward Event Logs?
I have tried many but I always end up having to mix them otherwise it doesn't work.

Christian_Dahlqvist · July 5, 2018, 11:04am

Winlogbeat will need to run on a Windows box as it is Windows specific.

Marcos_Felix · July 5, 2018, 11:05am

I am running on a windows box.
I've been having issues forwarding these logs for days. Do you know any good tutorials out there for setting Beats up ?

Marcos_Felix · July 5, 2018, 12:18pm

Any clues to why it isnt producing a log file?

system · August 2, 2018, 12:18pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.