Winlogbeat y X+ Pack Autenticacion

Hola a todos!

Una consulta estoy utilizando Winlogbeat y ELK Stack para gestionar los eventos, funcionaba todo bien hasta que habilite X-pack, ahora cuando intento configurar en el archivo winlogbeat.yml la autenticación creo que es donde esta el problema, conecta a elasticsearch pero los eventos no son registrados e indexados y analizados en Kibana.

Alguna solución ?

Gracias desde ya.

Hola Israel, algunas preguntas:

  1. Podrias adjuntar la configuracion de elasticsearch y winlogbeat (borra los password antes)
  2. Que dicen los logs de Elasticsearch y Winlogbeat? (si hay un problema en los logs vas a encontrar errores)
  3. revisaste si las informaciones llegaron a Elasticsearch? has revisado con la _cat API si nuevos documentos llegan a los indices winlogbeat?

Hola Camilo,

Disculpa por la tardanza.

root@elkserver:/etc/elasticsearch# cat elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

#cluster.name: my-application

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

#node.name: node-1

Add custom attributes to the node:

#node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /var/lib/elasticsearch

Path to log files:

path.logs: /var/log/elasticsearch

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

#bootstrap.memory_lock: true

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

#network.host: 192.168.0.1

Set a custom port for HTTP:

#http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when this node is started:

The default list of hosts is ["127.0.0.1", "[::1]"]

#discovery.seed_hosts: ["host1", "host2"]

Bootstrap the cluster using an initial set of master-eligible nodes:

#cluster.initial_master_nodes: ["node-1", "node-2"]

For more information, consult the discovery and cluster formation module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

#gateway.recover_after_nodes: 3

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

#action.destructive_requires_name: true
xpack.security.enabled: true
root@elkserver:/etc/elasticsearch#

Winlogbeat

winlogbeat.event_logs:

  • name: Security
    ignore_older: 72h
    processors:
    • script:
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
  • name: Microsoft-Windows-Sysmon/operational
    ignore_older: 72h
    processors:
    • script:
      lang: javascript
      id: sysmon
      file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
      output.logstash:
      hosts: ["192.168.204.128:5044"]

setup.template.settings:
index.number_of_shards: 3

Boolean flag to enable or disable the output module.

#enabled: true

Array of hosts to connect to.

Scheme and port can be left out and will be set to the default (http and 9200)

In case you specify and additional path, the scheme is required: http://localhost:9200/path

IPv6 addresses should always be defined as: https://[2001:db8::1]:9200

hosts: ["192.168.204.128:9200"]