hfariass commented 3 years ago

Hi Robert,

I've tried to run 'winlogbeat.exe setup' on Windows 10 & also tried running Filebeat on a Ubiquiti USG but in both instances I receive the following output: Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.xxx.xxx:9200: Get "https://192.168.xxx.xxx:9200": dial tcp 192.168.xxx.xxx9200: connectex: No connection could be made because the target machine actively refused it.] I've pointed the output.elasticsearch IP address to my HELK server and I'm still receiving this error. Is there a change to my elasticsearch config file on my HELK server that I need to do? Can you please assist? Any help would be greatly appreciated. Thank you.

hfariass commented 3 years ago

Here is the "elasticsearch.yml" config file. I've changed nothing in this file. The network host is set to accept all traffic.

---------------------------------- Network -----------------------------------

#

Set the bind address to a specific IP (IPv4 or IPv6):

#

network.host: localhost

network.host: ["localhost", "172.18.0.2"]

network.host: 0.0.0.0 #

Set a custom port for HTTP:

#

http.port: 9200

#

For more information, consult the network module documentation.

hfariass commented 3 years ago

I've added this to my script and commented out the Elasticsearch output portion of the Winlogbeat.yml file but I'm now receiving another error. `#-------------------------- Windows Logs To Collect ----------------------------- winlogbeat.event_logs:

name: Application ignore_older: 30m
name: Security ignore_older: 30m
name: System ignore_older: 30m
name: Microsoft-windows-sysmon/operational ignore_older: 30m
name: Microsoft-windows-PowerShell/Operational ignore_older: 30m event_id: 4103, 4104
name: Windows PowerShell event_id: 400,600 ignore_older: 30m
name: Microsoft-Windows-WMI-Activity/Operational event_id: 5857,5858,5859,5860,5861

----------------------------- Kafka output --------------------------------

output.kafka:

initial brokers for reading cluster metadata

Place your HELK IP(s) here (keep the port).

If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093

hosts: ["192.168.90.22:9092"] topic: "winlogbeat" ############################# HELK Optimizing Latency ###################### max_retries: 2 max_message_bytes: 1000000`

"Exiting: Index management requested but the Elasticsearch output is not configured/enabled"

Is there something I'm missing from my winlogbeat.yml config?

Cyb3rWard0g / HELK

No connection could be made because the target machine actively refused it. #566

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: localhost

network.host: ["localhost", "172.18.0.2"]

Set a custom port for HTTP:

http.port: 9200

For more information, consult the network module documentation.

----------------------------- Kafka output --------------------------------

initial brokers for reading cluster metadata

Place your HELK IP(s) here (keep the port).

If you only have one Kafka instance (default for HELK) then remove the 2nd IP that has port 9093