Security-Onion-Solutions / security-onion

Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
https://securityonion.net

LOGSTASH_MINIMAL doesn't include Beat config #1751

Closed dougburks closed 4 years ago

dougburks commented 4 years ago

Reference https://groups.google.com/d/topic/security-onion/5EuT6KpJ-6c/discussion

Problem: We recently changed Setup so that new Production Mode deployments are set to LOGSTASH_MINIMAL by default (https://github.com/Security-Onion-Solutions/security-onion/issues/1732). LOGSTASH_MINIMAL is a minimal Logstash config that does not include Beat config.

Quick Fix: A standalone box (Production Mode, New Deployment, store logs locally without storage nodes) would need input, parsing, and output:

sudo ln -s ../conf.d.available/0006_input_beats.conf /etc/logstash/conf.d.minimal/0006_input_beats.conf
sudo ln -s ../conf.d.available/6600_winlogbeat_sysmon.conf /etc/logstash/conf.d.minimal/6600_winlogbeat_sysmon.conf
sudo ln -s ../conf.d.available/6700_winlogbeat.conf /etc/logstash/conf.d.minimal/6700_winlogbeat.conf
sudo ln -s ../conf.d.available/9500_output_beats.conf /etc/logstash/conf.d.minimal/9500_output_beats.conf
sudo so-logstash-restart

In the case of a distributed deployment (master server with separate storage nodes), the master server should be running conf.d.redis.output and that already has 0006_input_beats.conf. Storage nodes would need the parsing and output.

Permanent Fix: We should create an Elasticsearch ingest version of 6600_winlogbeat_sysmon.conf and 6700_winlogbeat.conf. The LOGSTASH_MINIMAL section of so-logstash-start could then include 0006_input_beats.conf and 9500_output_beats.conf and remove 6600_winlogbeat_sysmon.conf and 6700_winlogbeat.conf if necessary.
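The quick fix above, turned into a check-and-repair script (an added example, not Security Onion's own tooling): it reports which of the four Beats-related configs are missing from conf.d.minimal and links the missing ones from conf.d.available, idempotently. The base directory is a parameter so it can be exercised against a scratch tree; on a real box it would be /etc/logstash, and Logstash still has to be restarted afterwards.

```shell
#!/bin/sh
# Added example, not part of the security-onion repo. Verifies that a
# LOGSTASH_MINIMAL conf.d.minimal directory carries the Beats input,
# Winlogbeat parsing and Beats output configs named in the issue, and
# links any that are missing the same way the quick fix does.

# Configs a standalone LOGSTASH_MINIMAL box needs for Beats traffic.
BEATS_CONFS="0006_input_beats.conf 6600_winlogbeat_sysmon.conf 6700_winlogbeat.conf 9500_output_beats.conf"

# Print the required configs absent from $1/conf.d.minimal, one per line.
# A dangling symlink counts as absent (-e follows links). Returns 0 when
# everything is present, 1 otherwise.
missing_beats_confs() {
    etc="$1"; rc=0
    for f in $BEATS_CONFS; do
        if [ ! -e "$etc/conf.d.minimal/$f" ]; then
            echo "$f"; rc=1
        fi
    done
    return $rc
}

# Create relative symlinks for the missing configs (../conf.d.available/X,
# as in the issue). Files not shipped in conf.d.available are reported and
# skipped. Prints the number of links created; 0 means nothing to do.
link_beats_confs() {
    etc="$1"; linked=0
    missing=$(missing_beats_confs "$etc") || true
    for f in $missing; do
        if [ -f "$etc/conf.d.available/$f" ]; then
            ln -s "../conf.d.available/$f" "$etc/conf.d.minimal/$f"
            linked=$((linked + 1))
        else
            echo "warning: $f not in conf.d.available, skipping" >&2
        fi
    done
    echo "$linked"
}

# Usage on a real box (assumed path): link_beats_confs /etc/logstash,
# then sudo so-logstash-restart.
```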

dougburks commented 4 years ago

Published: https://blog.securityonion.net/2020/04/elastic-688-now-available-for-security.html