How to restart logstash service


Blason R

May 13, 2019, 10:27:36 AM
to security-onion
Hi Guys,

If I change it to docker and go to /etc/logstash/conf.d and change certain parameters, I'm wondering how I restart the logstash service to make those changes live? Do I need to restart logstash-docker, or is there another way?

Plus, ingesting Wazuh logs: how do I ingest Sysmon logs through Wazuh in SO? I know how with a Wazuh instance on ELK, but I am not able to ingest Sysmon logs through Wazuh in SO.

Please help.

Dustin Lee

May 13, 2019, 12:43:28 PM
to securit...@googlegroups.com
Hi! If you create (or alter) a custom configuration file for Logstash, you'll want to ensure it's placed in '/etc/logstash/custom' so it will be copied over to '/etc/logstash/conf.d/' upon restart. Run 'sudo so-logstash-restart' to then restart the Logstash Docker container. More information can be found here: https://securityonion.readthedocs.io/en/latest/logstash.html#parsing

If you're already ingesting Wazuh logs from your endpoints into SO and want to add Sysmon logging once you've confirmed the Operational log found under Applications and Services Logs => Microsoft => Windows => Sysmon exists in Event Viewer, you need to add the following to the ossec.conf on the Windows hosts:

<localfile>
  <location>Microsoft-Windows-Sysmon/Operational</location>
  <log_format>eventchannel</log_format>
</localfile>

Be sure to restart the Wazuh agent on the endpoint afterward. Further information may be found on the Wazuh blog here: https://wazuh.com/blog/using-wazuh-to-monitor-sysmon-events/

Please keep in mind there have been very recent updates to the Wazuh and Sysmon configuration files in Security Onion's Logstash pipeline to parse newer log formatting. This should apply to Wazuh agent versions >= 3.8 on Windows. You may need to run 'sudo soup' to get the latest versions of those files: https://github.com/Security-Onion-Solutions/security-onion/issues/1469. This update will allow proper parsing of Sysmon logs and render them correctly within SO's Sysmon dashboard.

Hope this helps!

- Dustin



--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/34f47df8-85b3-4a7c-9d6d-cdf5288bbb81%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
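The Sysmon <localfile> block in the reply above has to end up in ossec.conf on every Windows host that should forward Sysmon events. As an added example (not code from the thread, from Security Onion, or from Wazuh), the following Python script checks an ossec.conf for that exact block and inserts it only when missing, so it can be run repeatedly as part of agent configuration management. It assumes the config is handed over as text (the sample below is constructed for the example) and accounts for Wazuh's ossec.conf often containing several top-level <ossec_config> elements, which makes the file not a single well-formed XML document; the script wraps it in a synthetic root before parsing.

```python
"""Ensure a Wazuh agent's ossec.conf collects the Sysmon Operational event channel.

Added example; the SAMPLE_CONF below is constructed, not a real agent config.
"""
import re
import sys
import xml.etree.ElementTree as ET

SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"
SYSMON_FORMAT = "eventchannel"

# Constructed sample: two top-level <ossec_config> blocks, as Wazuh configs often have.
SAMPLE_CONF = """<ossec_config>
  <client>
    <server>
      <address>MANAGER_ADDRESS_PLACEHOLDER</address>
    </server>
  </client>
  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
  </localfile>
</ossec_config>
<ossec_config>
  <!-- second block: keeping comments intact matters when editing in place -->
  <active-response>
    <disabled>no</disabled>
  </active-response>
</ossec_config>
"""


def _parse(conf_text: str) -> ET.Element:
    """Parse ossec.conf despite its multiple root elements.

    A leading XML declaration (if any) is dropped and the whole file is wrapped
    in a synthetic <root> so ElementTree accepts several <ossec_config> siblings.
    """
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", conf_text)
    return ET.fromstring("<root>" + body + "</root>")


def has_sysmon_localfile(conf_text: str) -> bool:
    """True if some <localfile> already names the Sysmon channel with eventchannel format."""
    for lf in _parse(conf_text).iter("localfile"):
        location = lf.findtext("location", default="").strip()
        log_format = lf.findtext("log_format", default="").strip()
        if location == SYSMON_CHANNEL and log_format == SYSMON_FORMAT:
            return True
    return False


def add_sysmon_localfile(conf_text: str) -> str:
    """Return conf_text with the Sysmon <localfile> block added before the last </ossec_config>.

    The insertion is done on the raw text rather than by re-serialising the tree,
    so comments and existing formatting are preserved. Idempotent: unchanged input
    is returned when the block is already present.
    """
    if has_sysmon_localfile(conf_text):
        return conf_text
    block = (
        "  <localfile>\n"
        f"    <location>{SYSMON_CHANNEL}</location>\n"
        f"    <log_format>{SYSMON_FORMAT}</log_format>\n"
        "  </localfile>\n"
    )
    idx = conf_text.rfind("</ossec_config>")
    if idx == -1:
        raise ValueError("no <ossec_config> block found in ossec.conf")
    return conf_text[:idx] + block + conf_text[idx:]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python ensure_sysmon.py <path to ossec.conf>
        path = sys.argv[1]
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        updated = add_sysmon_localfile(original)
        if updated != original:
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(updated)
            print(f"added Sysmon localfile to {path}; restart the Wazuh agent")
        else:
            print(f"Sysmon localfile already present in {path}")
    else:
        print(add_sysmon_localfile(SAMPLE_CONF))
```

Run with no arguments to see the constructed sample with the block inserted, or with the path to an agent's ossec.conf to edit it in place. Editing the text instead of writing back the parsed tree is deliberate: ElementTree drops comments and would collapse the separate <ossec_config> blocks into the synthetic root. As the reply notes, the agent still has to be restarted for the new <localfile> to take effect.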

Blason R

May 13, 2019, 1:00:24 PM
to security-onion
Awesome man!! Thanks so much.

By the way, a little confusion: after so-logstash-restart do I need to restart the docker container as well, or is just logstash-restart fine?


Dustin Lee

May 13, 2019, 1:07:20 PM
to securit...@googlegroups.com
You're welcome! 'sudo so-logstash-restart' restarts the container. It actually does a few different things, but the main parts are docker stop so-logstash, docker rm so-logstash, and then docker run.
