I'm not upset. Just angry you got to it first lol. I was putting a paper and video together for all 3 of these. Gj
Ha, thanks!
Great video
Thanks, glad you like it!
Thanks so much! I have host visibility now.
Happy hunting!
Thank you so much, Mr. Very detailed video.
A question: how do I create custom alerts?
If you have questions or problems, please start a new discussion at securityonion.net/discuss
Hello, is Winlogbeat in 2.4.50?
Winlogbeat has been replaced by Elastic Agent in 2.4.
Documentation:
docs.securityonion.net/en/2.4/elastic-agent.html#elastic-agent
Video:
ua-cam.com/video/cGmQMsFuAvw/v-deo.html
If you have further questions or problems, please start a new discussion at securityonion.com/discuss
Is the IP you specified in winlogbeat to forward your data to the MGMT interface IP of the Security Onion? Security Onion is not picking up the logs being forwarded to it by winlogbeat for me.
Yes, winlogbeat should send to the IP address of the management interface. Make sure that you have run so-allow to allow the traffic through the host-based firewall:
docs.securityonion.net/en/2.3/so-allow.html
If you have further questions or problems, please start a new discussion at securityonion.net/discuss.
Thanks!
@security-onion The IP address of the management interface on which node in a distributed architecture? The Manager Node or a Search Node? I'm guessing not on a forward node, because forward nodes do not have Logstash.
If you have questions or problems, please start a new discussion at securityonion.net/discuss
Do you have to open the Windows firewall? Not getting the logs on the Security Onion machine :( Did everything like the video.
If you have questions or problems, please start a new discussion at securityonion.net/discuss
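For the two "logs are not arriving" questions above (the management-interface IP and so-allow answer, and the Windows firewall question), the following is an added troubleshooting script written for this page; it is not code from the video or from the Security Onion project. It checks, from the Windows host, that the winlogbeat service is running, reads the `output.logstash` hosts out of winlogbeat.yml, and tests TCP reachability to each one. The config path `C:\Program Files\Winlogbeat\winlogbeat.yml` and the fallback port 5044 are assumptions (the usual Winlogbeat install location and the Beats port Logstash listens on), and the YAML parse only handles the inline `hosts: ["ip:port"]` form that the default config uses.

```powershell
# Added example, not from the video or Security Onion. Run in an elevated PowerShell
# on the Windows host that is supposed to ship logs.
param(
    # Assumption: default Winlogbeat install path.
    [string]$ConfigPath = 'C:\Program Files\Winlogbeat\winlogbeat.yml',
    # Assumption: default Beats port that Logstash listens on.
    [int]$DefaultPort   = 5044
)

# 1. Is the winlogbeat service installed and running? A stopped service looks
#    exactly like a firewall problem from the Security Onion side.
$svc = Get-Service -Name winlogbeat -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning 'winlogbeat service is not installed (was install-service-winlogbeat.ps1 run?)'
} else {
    "winlogbeat service status: $($svc.Status)"
}

# 2. Extract the hosts list under output.logstash from winlogbeat.yml.
#    (?m) lets ^ match at line starts, (?s) lets .*? span lines.
#    Only the inline form  hosts: ["10.0.0.5:5044"]  is handled here.
$yaml = Get-Content -Path $ConfigPath -Raw
$m = [regex]::Match($yaml, '(?ms)^output\.logstash:.*?^\s*hosts:\s*\[(?<hosts>[^\]]*)\]')
if (-not $m.Success) {
    throw "No output.logstash hosts entry found in $ConfigPath; is the output section commented out?"
}
$hosts = $m.Groups['hosts'].Value -split ',' |
    ForEach-Object { $_.Trim().Trim('"', "'") } |
    Where-Object { $_ }

# 3. Test the TCP path to each configured host:port. A failure here means the
#    IP is wrong, the port is wrong, or something between the two hosts
#    (e.g. the Security Onion host firewall, which so-allow opens) is dropping it.
foreach ($h in $hosts) {
    $name, $port = $h -split ':', 2
    if (-not $port) { $port = $DefaultPort }
    $r = Test-NetConnection -ComputerName $name -Port ([int]$port) -WarningAction SilentlyContinue
    '{0}:{1} -> TcpTestSucceeded={2}' -f $name, $port, $r.TcpTestSucceeded
}
```

If the service is running and `TcpTestSucceeded` is `True`, the transport path is fine and the problem is on the receiving side (which node the IP belongs to, or the pipeline on it). If it is `False`, check the IP against the management interface and re-run so-allow on the Security Onion host; Windows Defender Firewall permits outbound connections by default, so it is rarely the cause of an outbound Beats connection failing.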
You should have maximized your Sysmon installation screen. Anyway, it's a good one!!