Help with Sending Windows Logs to Security Onion

[SankaGamage]

Hi everyone,

I have installed Forward, Search, Receiver, and Manager nodes in Security Onion, and all nodes are successfully connected to the Manager. Now, I want to collect Windows logs in Security Onion.

I have a few questions:

1. How can I send Windows logs to Security Onion?
2. Can I do it using the Elastic Agent available in the Manager web UI (Download tab)?
3. I installed Elastic Agent on my Windows machine and connected it to Security Onion, but I don’t see any logs. What could be the issue? I downloaded the agent from the web UI and installed it, but no logs are appearing.

This setup is for testing purposes, so if I made any mistakes, please guide me.

Thanks!

[Fox-E-1337]

Make sure you added the correct firewall rules to ingest the elastic agent data

[reyesj2]

If you installed the Agent you should see it appear in Elastic Fleet -> Agents. Make sure it shows up as healthy (not reporting any error with the install)

You can also check the elastic agent directly on the windows host, by running something like

C:\"Program Files"\Elastic\Agent\elastic-agent.exe status

[SankaGamage]

If you installed the Agent you should see it appear in Elastic Fleet -> Agents. Make sure it shows up as healthy (not reporting any error with the install)

You can also check the elastic agent directly on the windows host, by running something like

C:\"Program Files"\Elastic\Agent\elastic-agent.exe status

Thank you! The Elastic Agent is installed and working without any issues.

However, when I previously installed a distributed node, I could see logs not only from the agent but also from it). Now, after setting up the receiver, search, forward, and manager nodes, I am not seeing any logs.

Is there any special configuration or method required for this architecture to ensure all logs are properly collected and visible?

Any guidance would be greatly appreciated!