Uploading Event Logs


(Marcos Felix) #1

Does anyone know how to upload Windows Event Logs to my Linux VM?


(Christian Dahlqvist) #2

Have you had a look at Winlogbeat?


(Marcos Felix) #3

Yes, had some issues - I reinstalled and this is my configuration file:
#======================= Winlogbeat specific options ==========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["IP:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

For some reason nothing is coming up in Kibana


(Christian Dahlqvist) #4

What does your Logstash config look like?


(Marcos Felix) #5

Is logstash-nginx.es.conf file meant to be in the /logstash/conf.d?
I have:
02-beats:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

10-syslog

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    syslog_pri { }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

30-elasticsearch

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

(Christian Dahlqvist) #6

What do those config files look like?


(Marcos Felix) #7

I just edited my last response


(Christian Dahlqvist) #8

It seems you have SSL configured for the beats input but not for Winlogbeat. Can you try and disable SSL in the beats input to see if this allows data to flow? Is there anything in the Winlogbeat logs?


(Marcos Felix) #9

I am taking it by disabling SSL you mean either delete or comment it out or do you mean set ssl => False?


(Christian Dahlqvist) #10

Yes.


(Marcos Felix) #11

So this is the config file now:

input {
  beats {
    port => 5044
   # ssl => true
   # ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
   # ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}

There are no logs in the winlogbeat file. Last attempt I had at winlogbeats it had a log file, but now that I reinstalled everything, it doesnt create one.


(Marcos Felix) #12

Do you happen to have any good tutorials for installing Beats in Linux so that I can forward Event Logs?
I have tried many but I always end up having to mix them otherwise it doesn't work.


(Christian Dahlqvist) #13

Winlogbeat will need to run on a Windows box as it is Windows specific.


(Marcos Felix) #14

I am running on a windows box.
I've been having issues forwarding these logs for days. Do you know any good tutorials out there for setting Beats up ?


(Marcos Felix) #15

Any clues to why it isnt producing a log file?


(system) #16

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.