Beat Support?

[EddieN17]

Does 2.4 support beats? I'm using version 2.4.2 and I've tried configuring a winlogbeat agent to send to my 2.4 instance, but logs aren't appearing in S.O. I've allowed the IP addresses in the SOC firewall config under the proper beats_endpoint. I've tried sending the logs to both the manager and a forward node and no prevail. The connection isn't being blocked by my network firewall, it's seems to be the SO client firewall blocking it still. docker ps shows that logstash is listening on 5044/tcp. iptables -L shows the IP address and port is accepted under the "Chain DOCKER-USER".

tcpdump from my S.O. box shows traffic touching it IP 10.xx.xx.xx.21517 > 172.xx.xx.xx.lxi-evntsvc: Flags [S], seq 1155763579, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0.

Endpoint shows error of connectex: No connection could be made because the target machine actively refused it.","service.name":"winlogbeat","ecs.version":"1.6.0"}

While looking at the logstash configurations it appears there's no beats pipelines, which makes me question if it's even supported. I know Elastic Agent is the new focus, but my environment has over two thousand endpoints that we actively monitor, with an existing winlogbeat infrastructure on SO 2.3 that sends only a couple different event logs. Winlogbeats just make more sense as I have different logging requirements for different sections of endpoints (which are already separated in AD, so software deploys with different configs are fairly easy) and with that many endpoints I need to limit unnecessary noise because of hardware limits. Having to subsection fleet agent policies would make it more complicated, so I'd hate to see beat direct support gone.

[dougburks]

Elastic Agent is the only officially supported endpoint agent for 2.4:
https://docs.securityonion.net/en/2.4/host.html

You may be able to make beats work, but it is untested and unsupported.

I believe the Windows version of the Elastic Agent actually uses winlogbeat under the hood, so you may be able to use it similarly to how you're using winlogbeat today.