Distributed setup - winlogbeat target machine actively refused it


Philip Robson
May 11, 2018, 5:13:11 AM
to security-onion
Hi,

I have a new distributed setup. I have winlogbeat 6.2.4 installed on a Windows server. I have modified the winlogbeat.yml file, commented out the elasticsearch output and changed the logstash output to point at the master server; on the master I allowed the Windows server with so-allow.

When I run .\winlogbeat test output I get:
dial up... ERROR dial tcp 192.168.99.251:5044: connectex: No connection could be made because the target machine actively refused it.

sostat states that logstash is running.

This is a fresh install using 14.04.5.11; I ran sudo soup on each machine before running the setup.

I have checked the logstash log and cannot see any obvious issues.

output.logstash:
  # The Logstash hosts
  hosts: ["192.168.99.251:5044"]

Any idea as to what i may have missed?

Thanks
Phil

Philip Robson
May 11, 2018, 6:41:20 AM
to security-onion
I should add that the Windows server and the SO setup are separated by a hardware firewall, although I have a rule to allow from the server to the master for tcp/5044 and can see hits against that and no drops in the firewall log.

I checked iptables and can see:
Chain DOCKER-USER (1 references)
target prot opt source destination
ACCEPT tcp -- windowsservername anywhere tcp dpt:5044
ACCEPT tcp -- windowsservername anywhere tcp dpt:5044
ACCEPT tcp -- windowsservername anywhere tcp dpt:5044

The master can resolve the windowsservername to the correct IP.

Also, the results of sudo docker ps:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
aadca1efe5b9 securityonionsolutions/so-curator "/bin/bash" 2 weeks ago Up 2 weeks so-curator
1ab81114d733 securityonionsolutions/so-elastalert "/opt/start-elastale…" 2 weeks ago Up 2 weeks so-elastalert
b68ced9d563e securityonionsolutions/so-kibana "/bin/sh -c /usr/loc…" 2 weeks ago Up 2 weeks 127.0.0.1:5601->5601/tcp so-kibana
ec247c82ae39 securityonionsolutions/so-logstash "/usr/local/bin/dock…" 2 weeks ago Up 2 weeks 0.0.0.0:5044->5044/tcp, 0.0.0.0:6050-6053->6050-6053/tcp, 0.0.0.0:9600->9600/tcp so-logstash
229ff8a6c91d securityonionsolutions/so-elasticsearch "/bin/bash bin/es-do…" 2 weeks ago Up 2 weeks 127.0.0.1:9200->9200/tcp, 127.0.0.1:9300->9300/tcp so-elasticsearch
303e95c85a99 securityonionsolutions/so-domainstats "/bin/sh -c '/usr/bi…" 2 weeks ago Up 2 weeks 20000/tcp so-domainstats

Wes Lambert
May 14, 2018, 7:27:30 AM
to securit...@googlegroups.com
Phil,

Have you tried manually testing the connection to the SO box with something like netcat? Have you tried checking to see if port 5044 is available locally on the SO box (nc -vz localhost 5044)?

Thanks,
Wes


--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onion+unsubscribe@googlegroups.com.
To post to this group, send email to security-onion@googlegroups.com.
Visit this group at https://groups.google.com/group/security-onion.
For more options, visit https://groups.google.com/d/optout.

Philip Robson
May 14, 2018, 9:19:14 AM
to security-onion
Hi Wes,

If I try to telnet to port 5044 I get connection refused; here is the result of nc -vz localhost 5044:
Connection to localhost 5044 port [tcp/*] succeeded!

I installed winlogbeat on a server in the same VLAN as the master, allowed it with so-allow, ran winlogbeat test output and get the same error.

I tried winlogbeat test output to our internal SO server from a server that I hadn't done the so-allow for, and get:

dial up... ERROR dial tcp x.x.x.x:5044: connectex: A connection attempt failed because the connected party did
not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Thanks
Phil

Philip Robson
May 14, 2018, 10:07:09 AM
to security-onion
Hi Wes,

From the master, telnet to itself on 5044 fails with 'Connection closed by foreign host'. On our standalone SO server the same test connects.

Should I be sending winlogbeat to the master? I have one forward node > master > 2 storage nodes.

Thanks
Phil

Wes Lambert
May 15, 2018, 8:21:43 AM
to securit...@googlegroups.com
Hi Phil,

Please try the following on the master (tailing the log file until "...Pipelines running..."), then retry your test(s):

sudo ln -sf ../conf.d.available/0006_input_beats.conf /etc/logstash/conf.d.redis.output/0006_input_beats.conf
sudo docker stop so-logstash && sudo so-logstash-start && sudo tail -f /var/log/logstash/logstash.log

Thanks,
Wes
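As an added example (not Security Onion's or Elastic's own tooling), a small POSIX shell helper that captures the two checks from this thread: classify the dial error a client reports, and check or enable the Logstash beats input with the same symlink Wes's reply uses. The directory arguments and the scratch-directory usage are assumptions so it can be exercised without a real master.

```shell
#!/bin/sh
# Added example, not part of Security Onion. Paths follow the thread:
# active pipeline dir  /etc/logstash/conf.d.redis.output
# available inputs     /etc/logstash/conf.d.available

# Coarse triage of the error text a client (winlogbeat, telnet, nc) reports.
#   refused -> the host answered and dropped the connection: nothing is
#              listening behind the port (in this thread: Logstash container
#              up and port 5044 published, but no beats input loaded)
#   timeout -> no answer at all: firewall rule, route or so-allow missing
#   ok      -> the connection was accepted
classify_dial_error() {
  case "$1" in
    *"actively refused"*|*"Connection refused"*|*"closed by foreign host"*) echo refused ;;
    *"did not properly respond"*|*"timed out"*) echo timeout ;;
    *succeeded*|*Connected*) echo ok ;;
    *) echo unknown ;;
  esac
}

# Is the beats input enabled? Usage: beats_input_enabled ACTIVE_DIR
# Succeeds only when ACTIVE_DIR/0006_input_beats.conf resolves to a real
# file (a dangling symlink counts as disabled).
beats_input_enabled() {
  [ -e "$1/0006_input_beats.conf" ]
}

# Enable it the way the reply does: a relative symlink from the active dir to
# its sibling conf.d.available. Usage: enable_beats_input ACTIVE_DIR
# Logstash still has to be restarted afterwards (so-logstash-start).
enable_beats_input() {
  ln -sf ../conf.d.available/0006_input_beats.conf "$1/0006_input_beats.conf" || return 1
  beats_input_enabled "$1"
}

# Stand-alone use on a master: report the real directory (skipped if absent).
if [ -d /etc/logstash/conf.d.redis.output ]; then
  if beats_input_enabled /etc/logstash/conf.d.redis.output; then
    echo "beats input: enabled"
  else
    echo "beats input: disabled (run enable_beats_input /etc/logstash/conf.d.redis.output)"
  fi
fi
```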

Philip Robson
May 15, 2018, 8:33:53 AM
to security-onion
Hi Wes,

That has worked a treat, all up and running now.

Many thanks
Phil
