Beats
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/Beats.
We can use Elastic Beats to facilitate the shipping of endpoint logs to Security Onion on the Elastic Stack, Currently, testing has only been performed with Filebeat (multiple log types) and Winlogbeat (Windows Event logs).
To install a Beat, follow the instructions provided for the respective Beat, with the exception of loading the index template, as Security Onion uses its own template file to manage Beats fields.
Filebeat
https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation.html
Winlogbeat
https://www.elastic.co/guide/en/beats/winlogbeat/current/winlogbeat-installation.html
*If installing Filebeat on a Linux distribution, you will want to ensure that the service is started after a reboot. We can ensure this by running the following commands after install:
sudo update-rc.d filebeat defaults
sudo update-rc.d filebeat enable
To ensure a Beat is allowed to talk to Logstash on the Security Onion box, we need to run so-allow, and choose the b option for Beats. After choosing this option, simply provide the IP address of the machine on which the Beat is installed and press ENTER to confirm.
Windows: C:\\Program Files\Filebeat\filebeat.log
Linux: /var/log/filebeat/filebeat
C:\\Program Files\Winlogbeat\winlogbeat.log
Default fields: https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-eventlog.html
Beats data can be viewed via the Beats dashboard, (or through the selection of the *:logstash-beats-* index pattern in Discover) in Kibana.
If you access the Beats dashboard and see logs but the visualizations have errors, you may need to refresh the logstash-beats-* field list as follows:
- On the sidebar on the left, click
Management. - Click
Index Patterns. - Click
logstash-beats-*. - Click the circular arrows in the upper right to refresh the field list.
Beats communication with Elasticsearch/Logstash is not encrypted by default. If you require encryption, please consult the appropriate Elastic documentation to configure the use of TLS.
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs