Winlogbeat logs only show that it is 6kb

Hi, I am trying to get my Sysmon data to winlogbeat and then to Security Onion.

(Unfortunately, the sysmon.xml and winlogbeat.yml are too big to put here. I wish I could just attach them as files.)

I am having two issues.
1 – The winlogbeat logs were being fed continually, but now it is only getting the initial service start data.
I might be mistaken, but I thought I saw these logs get full. It showed things like:
{"log.level":"error","@timestamp":"2023-02-08T10:32:09.341-0800","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": dial tcp [::1]:9200: connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}


2 – I cannot seem to get my Sysmon data into Security Onion Kibana. There are so many combinations of settings between sysmon.xml and winlogbeat.yml.

Hi @iqworks, you could probably post this to Beats - Discuss the Elastic Stack; I believe it can be better answered there.

That means winlogbeat cannot connect to Elasticsearch...

You have a connectivity issue...

Is Elasticsearch running on the same server as winlogbeat?

Can you telnet or curl the Elasticsearch endpoint?

You can anonymize them and put on pastebin or gist etc.

Thanks stephenb and Chenhui_Wan for responding. Are there any particular sections of winlogbeat or Elasticsearch that you would like to look at? Ha, I thought this was the Beats forum; I will post on Beats as well. Thx.

I already fixed the tags... you're fine.

The output section of winlogbeat.yml would be the first thing.

Can you answer these ^^^

I will try the telnet right now.

I see now why my logs only contain 6kb of data, when I looked at the current winlogbeat service params:

"D:\vm workstation\winlogbeat\winlogbeat.exe" --environment=windows_service -c "D:\vm workstation\winlogbeat\winlogbeat.yml" --path.home "D:\vm workstation\winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true

This is why all the log data went to the ProgramData folder and not my vm workstation folder.

I need to be sending my path.data and path.logs to "D:\vm workstation\winlogbeat" and not "C:\ProgramData\winlogbeat\logs". I am trying to google what the syntax is to change these paths in my winlogbeat.yml.
So I have to look at the syntax for changing the #path.data: ${path.home}/data and the path.logs. Would you happen to know that off the top of your head?
I saw this:
path.logs: /var/log/
path.logs: /var/data/
I think I need to do
d:/vm workstation/winlogbeat/var/log?
then /var/data? The path.home looks like it is set up correctly.
Thanks for your time, stephenb.

I have to take some time to learn about "anonymize them and put on pastebin or gist etc." But thanks for the tip about the connection not working; I will look at that some more.

Hmm, curious: are you confusing the logs that winlogbeat produces when it runs vs. the logs you want winlogbeat to harvest?

This is where winlogbeat sends its own logs, not the logs it reads and sends to Elastic:
--path.logs "C:\ProgramData\winlogbeat\logs"

Where winlogbeat reads logs and ships them to Elastic is set in winlogbeat.yml or the modules yml.

Also did you get the telnet to work?

If you are new, I would try a very basic example which you can follow with the quickstart guide.

We often see folks following someone else's post or blog etc. that is out of date or wrong...
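The three things the thread turns on (is anything listening on the Elasticsearch port, where the service command line actually sends winlogbeat's own logs, and whether the Sysmon channel holds any events to harvest) can be checked from one PowerShell session. The script below is an added example for this thread, not code from any of the posters or from Elastic's winlogbeat package. It assumes Elasticsearch is expected on localhost:9200 as in the error above, that the service is registered under the name "winlogbeat", and that Sysmon writes to its default channel Microsoft-Windows-Sysmon/Operational; change the parameters to match your host. Note that --path.data and --path.logs given on the service command line take precedence over path.data/path.logs in winlogbeat.yml, so while those flags are present in the service definition, editing the yml alone will not move the files.

```powershell
# Added diagnostic for this thread; not part of any post or of Elastic's tooling.
# Assumed values (adjust to your host): Elasticsearch on localhost:9200, service name
# "winlogbeat", Sysmon on its default channel.
param(
    [string]$EsHost        = 'localhost',
    [int]$EsPort           = 9200,
    [string]$ServiceName   = 'winlogbeat',
    [string]$SysmonChannel = 'Microsoft-Windows-Sysmon/Operational'
)

# 1. Connectivity. "connectex: ... actively refused" means nothing is listening on the
#    port, so test the TCP socket before touching output settings in winlogbeat.yml.
$tcp = Test-NetConnection -ComputerName $EsHost -Port $EsPort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    Write-Host "TCP ${EsHost}:${EsPort} reachable"
    try {
        $root = Invoke-RestMethod -Uri "http://${EsHost}:${EsPort}/" -TimeoutSec 5
        Write-Host ("Elasticsearch {0} on cluster '{1}'" -f $root.version.number, $root.cluster_name)
    } catch {
        Write-Warning "Port is open but the HTTP request failed (TLS or auth required?): $_"
    }
} else {
    Write-Warning "Nothing listening on ${EsHost}:${EsPort}; check output.elasticsearch.hosts or start the target"
}

# 2. Service command line. The --path.* flags here win over winlogbeat.yml, which is why
#    winlogbeat's own log files end up under C:\ProgramData\winlogbeat\logs.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if ($svc) {
    Write-Host "Service state : $($svc.State)"
    Write-Host "Command line  : $($svc.PathName)"
    if ($svc.PathName -match '--path\.logs\s+"?([^"]+)"?') {
        Write-Host "winlogbeat's own logs are written to: $($Matches[1])"
    }
} else {
    Write-Warning "Service '$ServiceName' not found"
}

# 3. Sysmon channel. If this is missing or empty, winlogbeat has nothing to harvest no
#    matter how winlogbeat.event_logs is written.
$log = Get-WinEvent -ListLog $SysmonChannel -ErrorAction SilentlyContinue
if ($log) {
    Write-Host "Channel '$SysmonChannel': enabled=$($log.IsEnabled) records=$($log.RecordCount)"
} else {
    Write-Warning "Channel '$SysmonChannel' not present; is Sysmon installed with a configuration?"
}
```

Run it from an elevated PowerShell on the host where winlogbeat is installed. If step 1 warns, the error in the winlogbeat log is a connectivity problem and no change to the Sysmon or winlogbeat configuration will help until the output host is reachable; if step 3 reports zero records, the gap is on the Sysmon side rather than in winlogbeat.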
