Hello,
Please, I have installed a Wazuh manager on one of my servers. Wazuh is integrated with Open Distro for Elasticsearch.
Wazuh is working fine as a HIDS solution.
But when I try to test Winlogbeat with the Elasticsearch instance of Wazuh, I get an error which says:
"Windows could not start the winlogbeat service on Local Computer. Error 1067: The process terminated unexpectedly"
My winlogbeat.yml configuration is:
# ======================== Winlogbeat specific options =========================

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security

  - name: ForwardedEvents
    tags: [forwarded]

  - name: Windows PowerShell
    event_id: 400, 403, 600, 800

  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106

# ====================== Elasticsearch template settings =======================

setup.template.settings:
  index.number_of_shards: 1

# ================================= Dashboards =================================
setup.dashboards.enabled: true

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://x.x.x.x"
  ssl.enabled: true

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:
  ssl.certificate_authorities:
    - C:\Users\agent\Desktop\winlogbeatcerts\root-ca.pem
  ssl.certificate: C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.pem
  ssl.key: C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.key

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["x.x.x.x:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  ssl.verification_mode: none

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "admin"
  password: "admin"
  ssl.certificate_authorities:
    - C:\Users\agent\Desktop\winlogbeatcerts\root-ca.pem
  ssl.certificate: C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.pem
  ssl.key: C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.key

setup.ilm.enabled: false
setup.ilm.check_exists: false

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
Thanks in advance for your help.
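An added diagnostic sequence for a Winlogbeat service that dies with error 1067 (this is not from the original post or from the Wazuh/Elastic projects): it parses the config and tests the TLS/credential path to the indexer in the foreground, where Winlogbeat prints the real reason instead of the bare SCM error. It assumes Winlogbeat 7.x unpacked under C:\Program Files\Winlogbeat and installed with the bundled install-service-winlogbeat.ps1, which points the service log at $env:ProgramData\winlogbeat\logs; the certificate paths are the ones from the post.

```powershell
# Assumptions (not from the post): install directory and service log location.
$beatDir = 'C:\Program Files\Winlogbeat'
$cfg     = Join-Path $beatDir 'winlogbeat.yml'
$exe     = Join-Path $beatDir 'winlogbeat.exe'
$logDir  = Join-Path $env:ProgramData 'winlogbeat\logs'

# 1. Parse the configuration in the foreground (-e = log to stderr).
#    A YAML error, e.g. a stray "-" or bad indentation under
#    winlogbeat.event_logs, is reported here with a line number.
& $exe test config -c $cfg -e
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'winlogbeat.yml did not parse; fix it before starting the service'
    return
}

# 2. Check that every certificate file named in the config exists and is PEM,
#    which is the encoding Beats expect for ssl.certificate / ssl.key.
$certFiles = @(
    'C:\Users\agent\Desktop\winlogbeatcerts\root-ca.pem',
    'C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.pem',
    'C:\Users\agent\Desktop\winlogbeatcerts\winlogbeat.key'
)
foreach ($f in $certFiles) {
    if (-not (Test-Path -LiteralPath $f)) {
        Write-Warning "missing: $f"
    } elseif ((Get-Content -LiteralPath $f -TotalCount 1) -notmatch '^-----BEGIN ') {
        Write-Warning "not PEM-encoded: $f"
    }
}

# 3. Exercise output.elasticsearch: TLS handshake, CA trust, client certificate
#    and the admin credentials against x.x.x.x:9200. A certificate mismatch or
#    a rejected login surfaces here rather than as a service crash.
& $exe test output -c $cfg -e
if ($LASTEXITCODE -ne 0) {
    Write-Warning 'Could not reach the indexer over HTTPS; check CA, client cert/key and credentials'
}

# 4. Show the last error lines the service itself wrote before it exited.
Get-ChildItem -Path $logDir -Filter 'winlogbeat*' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 |
    ForEach-Object {
        Get-Content -LiteralPath $_.FullName -Tail 50 |
            Select-String -Pattern 'ERROR|FATAL|Exiting'
    }
```

Once both tests pass, setting ssl.verification_mode back to full (or removing it, since full is the default) makes the root-ca.pem you already ship actually validate the indexer's certificate; none skips that check.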