WinLogBeat and Windows Server 2019


Branden Stephens

Feb 11, 2021, 2:49:30 PM
to security-onion
Anyone tried, and had luck, getting WinLogBeat 6.8.13 to work on Windows Server 2019? I know that Elastic's documentation states that for compatibility with Windows Server 2019 it should be a minimum of WinLogBeat 7.4, but we are currently running LogStash 6.7.2, which, again according to their documentation, needs WinLogBeat 6.8 or lower. I'm working on getting our 2 SO servers upgraded to 2.3.21, but have run into issues with this as well that I am trying to work through without affecting production. I have WinLogBeat 6.8.13 installed on Windows Server 2019 using a known-good config from our production Windows Server 2016 server. When I first start the WinLogBeat service it floods our SO server with thousands of events, but gradually slows down until the events just trickle in. Events do continue to be forwarded from WinLogBeat, but very, VERY slowly. Just wondering if anyone has experienced this and found a workaround?

Thanks,

Branden
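A quick way to quantify the "floods, then trickles" symptom described above is to validate the shipper's config and output connectivity and then compare the record number Winlogbeat has bookmarked for each channel against the newest record in that channel. The script below is an added diagnostic, not code from the thread or from the Winlogbeat project; it assumes Winlogbeat is installed under `C:\Program Files\Winlogbeat` with its registry file (`.winlogbeat.yml`) in `C:\ProgramData\winlogbeat`, and that it is run from an elevated PowerShell session (reading the Security channel requires it). Adjust the two paths to match your install.

```powershell
# Added diagnostic for a Winlogbeat host that appears to fall behind (example, not from the thread).
# Assumptions: install dir and data dir below; run elevated so the Security channel is readable.
param(
    [string]$WinlogbeatDir = 'C:\Program Files\Winlogbeat',
    [string]$DataDir       = 'C:\ProgramData\winlogbeat',
    [string[]]$Channels    = @('Security', 'System', 'Application')
)

$exe = Join-Path $WinlogbeatDir 'winlogbeat.exe'
$cfg = Join-Path $WinlogbeatDir 'winlogbeat.yml'

# 1. Validate the config file and confirm the configured output (Logstash here) accepts a
#    connection, including the TLS handshake if one is configured.
& $exe test config -c $cfg -path.data $DataDir
& $exe test output -c $cfg -path.data $DataDir

# 2. Parse the per-channel bookmarks Winlogbeat keeps in its registry file. The file is
#    YAML of the form:
#      event_logs:
#      - name: Security
#        record_number: 1234567
#        timestamp: ...
$registry  = Join-Path $DataDir '.winlogbeat.yml'
$bookmarks = @{}
if (Test-Path $registry) {
    $current = $null
    foreach ($line in Get-Content $registry) {
        if ($line -match '^\s*-\s*name:\s*"?([^"\s]+)"?') {
            $current = $Matches[1]
        }
        elseif ($current -and $line -match '^\s*record_number:\s*(\d+)') {
            $bookmarks[$current] = [int64]$Matches[1]
        }
    }
}

# 3. For each channel, compare the newest RecordId in the log with the bookmarked record.
#    Run this a few minutes apart: a Backlog that keeps growing means the shipper is not
#    keeping up with the channel's write rate (or the output is throttling it); a Backlog
#    that shrinks means it is catching up after the initial burst.
foreach ($ch in $Channels) {
    $newest = (Get-WinEvent -LogName $ch -MaxEvents 1 -ErrorAction SilentlyContinue).RecordId
    $sent   = if ($bookmarks.ContainsKey($ch)) { $bookmarks[$ch] } else { 0 }
    [pscustomobject]@{
        Channel = $ch
        Newest  = $newest
        Shipped = $sent
        Backlog = if ($newest) { $newest - $sent } else { $null }
    }
}
```

If `test output` fails while `test config` passes, the trickle is on the Logstash side (version mismatch, TLS, or a full pipeline) rather than in the event log reader; if both pass and the backlog keeps growing, look at Logstash's own throughput before touching the Winlogbeat config.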

Doug Burks

Feb 12, 2021, 3:08:30 PM
to securit...@googlegroups.com
If you're able to run soup, then you can upgrade your 16.04 deployment to Elastic 7.9.3 which will allow you to run Winlogbeat 7.9.3:

--
Please keep in mind that Security Onion 16.04 reaches End Of Life soon!
https://blog.securityonion.net/2020/10/6-month-eol-notice-for-security-onion.html


--
Doug Burks
Founder and CEO
Security Onion Solutions, LLC

Branden Stephens

Feb 15, 2021, 10:03:02 AM
to security-onion
soup honestly makes me a little nervous. When I initially deployed these SO servers a couple of years ago I had to rebuild them several times because running soup would break the installation every time. Now that we have them in production and have data on them, it makes me a little more nervous to run. However, it may be the only/easiest option I have at this point, as I have also been having issues getting the SO 2.3.21 ISO to boot on hardware that I had planned to use as a temporary install to house logs while I rebuilt the production hardware. I keep getting MOK errors with the SO 2.3.21 ISO on multiple hardware platforms, which has made the upgrade process more complicated. I don't suppose you have any advice on that one?

Thanks,

Branden

Doug Burks

Feb 16, 2021, 10:46:34 AM
to securit...@googlegroups.com
soup shouldn't break anything. If you have concerns about this, you could create a test system in a VM that closely matches your production system and then test the upgrade there.

If you have questions or problems relating to Security Onion 2, please use the Security Onion 2 discussion site:

Branden Stephens

Feb 16, 2021, 12:32:26 PM
to security-onion
Well... "shouldn't" was the operative word. As an organization we needed to make progress toward getting our logging back, and since I had been hitting roadblocks with the other methods, I decided to go ahead and try running soup yesterday. My fear came true. Kibana and Elastalert no longer start. I have a day or two to troubleshoot before I can get back into the office, at which point I will likely be trying to reload the server with SO 2.3.21. So far the Kibana and Elastalert logs haven't yielded anything that has led me to a resolution.

Branden

Doug Burks

Feb 17, 2021, 12:37:10 PM
to securit...@googlegroups.com
Have you checked the following section of the documentation to see if your Kibana issue may be related?

Were there any errors when you ran soup?

Are you able to provide sostat-redacted output?

Branden Stephens

Feb 17, 2021, 2:57:31 PM
to security-onion
Already have the server on 2.3.21. In the process of getting things set back up. If I run into issues I will start a new thread on that forum.

Thanks for the help Doug!

Branden
