This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 95%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EII%3C/text%3E%3C/svg%3E)
Hi, I finally got windows data into security onion. But I dont see sysmon categories?
But I do show windows_events?
are windows_eventlogs the same as sysmon maybe? not sure.
thanks for any suggestions or advice
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Thanks Rich, great link. It looks like this link is used when you want to run kibana on windows as a standalone, elasticsearch on windows and sysmon.
The thing is that I am using security onion where kibana, logstash and elasticsearch are installed on my VM. In this particular case, I am using sysmon to send data to logstash (on the VM) which then sends it to elasticsearch which sends it to kibana.
I do get data that looks like it is comming from sysmon, but the module in kibana shows windows_eventlogs. I just wonder if the name of the module sysmon has been replaced with the module name windows_eventlogs, or, is windows_eventlogs comming from somewhere else in windows?
thanks for your the link, very interesting.
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Comments have been turned off. Learn more
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 54%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMM%3C/text%3E%3C/svg%3E)
test again for this situation
thanks for the replies. I forgot to add the access IP address:
iqworks 20230425 - do not comment out setup.kibana
setup.kibana:
Â
Kibana Host
Scheme and port can be left out and will be set to the default (http and 5601)
In case you specify and additional path, the scheme is required: http://localhost:5601/path
IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "292.168.1.216:5601"
Thanks for your replies. I forgot to do this:
setup.kibana:
**
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(169.60000000000002, 80%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAW%3C/text%3E%3C/svg%3E)
Can you expand what you forgot?
sorry, that is not the complete message, dont know what happened. This is the important part:
*host: "292.168.1.216:5601"*
iqworks 20230425 - do not comment out setup.kibana
setup.kibana:
Kibana Host
Scheme and port can be left out and will be set to the default (http and 5601)
In case you specify and additional path, the scheme is required: http://localhost:5601/path
IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
*host: "292.168.1.216:5601"*