Incorporating WinLogBeat into SO

Travlin

Aug 24, 2018, 2:28:12 PM
to security-onion
We are attempting to load the index template and dashboards from Winlogbeat, which is located on our EventCollector, into our SO Master, which is currently 16.04.4.1. We have successfully ingested Winlogbeat forwarded event logs and are working on doing the same with Sysmon as well.

The issue we are running into is that when we try to upload dashboards from Winlogbeat into the SO master, the Security Onion instance actively refuses it.

I cannot figure it out, but I feel like the iptables rules for the ELK containers do not have an allow rule in place to allow those changes to be made.

PS: I am very new to SO, and while most of the technical information I have is vague, I would be extremely grateful for any and all help.

Thank You

Wes Lambert

Aug 25, 2018, 2:10:29 PM
to securit...@googlegroups.com
Hi Travlin,

Could you provide an example of how Security Onion refuses the dashboard(s)?

Are you trying to upload these dashboards remotely?

Thanks,
Wes


Tom D'Andrea

Jan 22, 2019, 10:53:48 AM
to security-onion

Having the same issue; figured I would use this thread. The error I am receiving:

PS C:\Program Files\winlogbeat> .\winlogbeat.exe setup --dashboards
Loading dashboards (Kibana must be running and reachable)
.\winlogbeat.exe : Exiting: fail to create the Kibana loader: Error creating Kibana client: Error creating Kibana client: fail to
get the Kibana version: HTTP GET request to /api/status fails: parsing kibana response: invalid character '<' looking for beginning
of value. Response: <!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible"
content="IE=edge"> <meta name="viewport" content="width=device-width, initial-scale=1"> <!-- The above 3 meta tags *must*
come first i... (truncated).
At line:1 char:1
+ .\winlogbeat.exe setup --dashboards
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (Exiting: fail t..... (truncated).:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError

Tom D'Andrea

Jan 22, 2019, 11:25:41 AM
to security-onion
On Friday, August 24, 2018 at 1:28:12 PM UTC-5, Travlin wrote:

setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://10.20.30.40:443/app/kibana"
  username: "xxxxxxxxxx"
  password: "xxxxxxxxxx"
  ssl.verification_mode: "none"

Wes Lambert

Jan 22, 2019, 5:11:43 PM
to securit...@googlegroups.com
Hi Tom,

You shouldn't need to configure any dashboards or use the Kibana config in the winlogbeat.yml file. You will instead want to edit the Logstash section to point to your Security Onion box. You'll also want to make sure to run the so-allow command on the SO box to ensure that Winlogbeat is able to reach Logstash on port 5044.

Thanks,
Wes
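A small config checker, added here as an example and not part of this thread, of Security Onion or of Winlogbeat, that flattens a winlogbeat.yml fragment and flags the three things discussed above: a setup.kibana block aimed at the SO web UI (which returns HTML, not the Kibana API, as the error shows), certificate verification switched off, and no Logstash output on port 5044. The two YAML fragments and the 10.20.30.40 address are constructed from the redacted values in the thread.

```python
# Constructed fragments (not from the thread): BAD mirrors Tom's post above, GOOD has what Wes describes.
BAD_CONFIG = """\
setup.kibana:
  host: "https://10.20.30.40:443/app/kibana"
  username: "xxxxxxxxxx"
  password: "xxxxxxxxxx"
  ssl.verification_mode: "none"
"""

# No dashboard setup; events shipped to Logstash on the SO master, port 5044 (the port so-allow opens).
GOOD_CONFIG = """\
setup.dashboards.enabled: false
output.logstash:
  hosts: ["10.20.30.40:5044"]
"""

def parse_beat_yaml(text):
    """Flatten the indented YAML subset Beats configs use into dotted keys (no PyYAML needed)."""
    flat, stack = {}, []  # stack holds (indent, dotted prefix) of the open mappings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip(): continue
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:    # a dedent closes open mappings
            stack.pop()
        key, _, value = line.strip().partition(":")
        full = ".".join(p for p in ((stack[-1][1] if stack else ""), key.strip()) if p)
        value = value.strip()
        if not value:                              # mapping header: descend into it
            stack.append((indent, full))
        elif value.startswith("["):                # inline list, e.g. hosts: ["a:5044"]
            flat[full] = [v.strip(" \"'") for v in value.strip("[]").split(",") if v.strip()]
        else:
            flat[full] = value.strip("\"'")
    return flat

def check_winlogbeat_config(cfg):
    """Flag the settings this thread tripped over; an empty list means clean."""
    findings = []
    if "setup.kibana.host" in cfg:  # Beats dashboard setup needs the Kibana API, which SO does not hand out
        findings.append("setup.kibana.host set: drop the block, SO does not take Beats dashboard setup")
    if any(k.endswith("ssl.verification_mode") and v == "none" for k, v in cfg.items()):
        findings.append("ssl.verification_mode none: TLS certificate checks disabled")
    hosts = cfg.get("output.logstash.hosts") or []
    if not hosts:
        findings.append("output.logstash.hosts missing: point Winlogbeat at the SO master on 5044")
    findings += [f"Logstash host {h} is not on port 5044 (the port so-allow opens)" for h in hosts if not h.endswith(":5044")]
    return findings
```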
