Beats

We can use Elastic Beats to facilitate the shipping of endpoint logs to Security Onion’s Elastic Stack. Currently, testing has only been performed with Filebeat (multiple log types) and Winlogbeat (Windows Event logs).

Note

In order to receive logs from Beats, Security Onion must be running Logstash. Evaluation Mode and Import Mode do not run Logstash, so you’ll need Standalone or a full Distributed Deployment.

Encryption

Warning

Beats communication with Logstash is not encrypted by default. If you require encryption, please consult the appropriate Elastic documentation to configure the use of TLS.

so-allow

Run sudo so-allow and select the b option to allow your Beats agents to send their logs to Logstash port 5044/tcp.

Winlogbeat

Navigate to the Downloads page in Security Onion Console (SOC) and download the linked Winlogbeat agent. This will ensure that you get the correct version of Winlogbeat for your Elastic version. Please note that the hyperlink simply points to the standard Winlogbeat download from the Elastic site.

Install Winlogbeat and copy winlogbeat.example.yml to winlogbeat.yml if necessary. Then configure winlogbeat.yml as follows:

  • Disable the Elasticsearch output.
  • Make sure that Winlogbeat is NOT configured to load dashboards into Kibana.
  • Enable the logstash output and configure it to send logs to port 5044 on your management node.
  • If you are shipping Sysmon logs, confirm that your Winlogbeat configuration does NOT use the Elastic Sysmon module as Security Onion will do all the necessary parsing.

Installation

To install a Beat, follow the instructions provided for the respective Beat, with the exception of loading the index template, as Security Onion uses its own template file to manage Beats fields.

Filebeat

https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation.html

Winlogbeat

https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html

If installing Filebeat on a Linux distribution, you will want to ensure that the service is started after a reboot. We can ensure this by running the following commands after install:

sudo update-rc.d filebeat defaults

sudo update-rc.d filebeat enable

Log files

Filebeat

Windows: C:\Program Files\Filebeat\filebeat.log

Linux: /var/log/filebeat/filebeat

Winlogbeat

C:\Program Files\Winlogbeat\winlogbeat.log

Default fields: https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-eventlog.html

Data

In Kibana, you can find Beats data on the Host dashboard or by searching for _index:"*:so-beats-*" in Discover.

In Hunt, you can find Beats data by searching for _index:"*:so-beats-*".