dsnslab / NetworkSecurity


Question about Environment & Tools #37

Closed tmp54 closed 3 years ago

tmp54 commented 3 years ago

Hello TA,

Just want to make sure something.

  1. I want to deploy Elasticsearch in Docker on my machine directly, the VM is way too fat. In order to do so, I want to make sure that
    1. Does the Ubuntu VM only contain the deployed Elasticsearch?
    2. If so, did you add any other configuration on it? Can I just docker-compose up the files in the elastic.zip?
  2. Since you also provide us a Windows 10 VM, if my host machine is Windows 10 already, am I required to use the Windows 10 VM you provided? (Maybe you've configured something in the Windows 10 VM already?)

Thank you.

dsnslab commented 3 years ago

Hi @tmp54 ,

Glad to see you've started to work on the project!

  1. To answer your questions:
    1. Yes, the Ubuntu VM only contains ELK.
    2. Yes, you can docker-compose up the files in the elastic.zip. A kind reminder that the virtual memory limit may need to be configured before docker-compose up. You may also encounter problems relating to port forwarding during setup. Kindly refer to the following references for possible solutions: Winlogbeat error connecting to Kibana, Kibana server is not ready yet.

  2. No, you're not required to use the provided Windows VM. The reason for using a VM is to make it easier to distinguish between daily system logs and intended scenario logs. Note that the Windows Home version may not have some of the tools required to complete this project.

Should you have any more questions, feel free to contact us for further assistance :)

Best Regards, TAs

tmp54 commented 3 years ago

Hello TAs,

After installing the most recent version of Winlogbeat, it seems that it's not compatible with the version of Kibana the docker-compose.yml installed.

Since you didn't mention this situation or specify the version we should install: are we allowed to upgrade Elasticsearch and Kibana, or must we find a working version of those Beats plugins?

Thank you.

dsnslab commented 3 years ago

Please provide the error message or screenshots related to the compatibility issue so that we can have a closer look at the problem, thanks.

tmp54 commented 3 years ago

Here is the output after executing .\winlogbeat.exe setup -e. The error message is Document "2dc6b820-b9e8-11e9-b6a2-c9b4015c4baf" has property "visualization" which belongs to a more recent version of Kibana (7.7.0).


It seems that either the version of Kibana is too low (7.6.1 in this case), or the version of Winlogbeat is too high (7.11.2). Thus, I'm asking:

Are we allowed to upgrade Elasticsearch and Kibana, or must we find a working version of those Beats plugins?

Thanks.

dsnslab commented 3 years ago

Seems that you're using the Elasticsearch output instead of the Logstash output. In this project, your events should be sent to Logstash directly (as stated in the slide).

You can follow the steps in this tutorial to configure Winlogbeat without Step 4 (.\winlogbeat.exe setup -e).

Step 4 is used to set up the index template via CLI (which could be configured via the web interface as well). However, you don't need to configure it in this project.
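As an added example (not the course's own configuration file), a minimal winlogbeat.yml that ships events to Logstash as described above; the Logstash host address and port are assumptions, and the Elasticsearch/Kibana settings are kept only as a disabled comment to show the difference:

```yaml
# Added example, not the course's configuration.
# Event logs to collect from the Windows VM.
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

# Logstash output: Winlogbeat allows exactly one output to be enabled.
# Host and port are assumed; Logstash must have a `beats` input listening
# on this port. No `winlogbeat.exe setup -e` is needed with this output.
output.logstash:
  hosts: ["192.168.56.10:5044"]

# The Elasticsearch output below is what Step 4 (`setup -e`) relies on,
# because it loads the index template and Kibana dashboards and thereby
# compares the Beat version against Kibana. Leave it disabled here.
#output.elasticsearch:
#  hosts: ["192.168.56.10:9200"]
#setup.kibana:
#  host: "192.168.56.10:5601"
```

Running `.\winlogbeat.exe test output` (a built-in Winlogbeat subcommand) checks that the configured Logstash endpoint is reachable before the service is started.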

crystal0523 commented 3 years ago

Hi TA, I would like to ask a question about the environment: I used the VM released by the TA, but it turned out that whenever I started up the Windows VM, the machine just kept lagging and restarting itself again and again. So I'm wondering if it's OK for me to install a Windows 10 VM by myself? Or is there some configuration already set up in the one released by the TA? Thank you.

dsnslab commented 3 years ago

@crystal0523, please open a new issue for the question, thanks!