
Hey folks, how are you? If you have read my blog about setting up a Security Operations Center lab using the ELK Stack, you probably remember how I had a lot of trouble with SSL errors, permission denials and service crashes. That was my experience with the challenges of being on the blue team. This time things got even more difficult.

Because after setting everything up, after feeling like I had finally succeeded, a big problem appeared. No, it was not another certificate error. This is the story of how I connected Winlogbeat to Elasticsearch and no logs showed up. This might sound like a small issue, but it really frustrated me and made me feel like I was back at the beginning.

The Victory Before the Storm

So here’s what happened:
After a week of working and debugging Elasticsearch, Kibana and SSL setups on my Kali virtual machine, I decided to take the next step: send logs from a Windows virtual machine using Winlogbeat.

The setup looked good:

* The ELK Stack was running without SSL for simplicity.

* Winlogbeat was installed on my Windows machine.

* The winlogbeat.yml file had the output settings pointing to my Kali machine's IP address.

* I had enabled the Winlogbeat module.

My output.elasticsearch settings were:

hosts: ["http://192.168.1.6:9200"]

My setup.kibana settings were:

host: "http://192.168.1.6:5601"

I even ran the test command:

winlogbeat.exe test config -c winlogbeat.yml -e

Everything looked good. Then I started the Winlogbeat service.

Done.

I opened Kibana. There were no logs.

Nothing.

Not This Again…

At first I thought, "Maybe it is just taking time." I refreshed the page, but still there were no logs.

I checked Elasticsearch:

GET _cat/indices?v

There was no index for Winlogbeat.

Then it hit me: I had no idea where the problem was. Was it the connection, the configuration, the firewall or the module?

I remembered a quote from Thomas Edison:

I have not failed. I have just found 10,000 ways that will not work.

I was not failing, I was just finding ways that did not work.

Hard Truths from Harder Times

We have not solved the problem, not yet.

The issue is still there, hidden somewhere between configurations, permissions and maybe something deeper that I have not found yet. It is frustrating, yes, especially when everything seems right and it still does not work.

I am not giving up, not when every attempt brings a new clue.

I have been restarting services, reading logs line by line, scanning forums and checking guides, and I am still hitting walls. But this is part of it; this is what real learning in the blue team world looks like.

I am writing this now not because everything is working, but because I am still trying to solve the problem. I am still troubleshooting, still experimenting and still determined to make this lab work.

This blog is not the end of the journey; it is a checkpoint.

The work continues.

Lessons Learned (Again)

Just because the service started does not mean it is working: check the logs.

The YAML configuration file is fragile: one wrong indent can break everything without an error.

Backups are important for configuration files.

The setup command matters: some tools will not function fully until you explicitly run the setup.

Confidence can be misleading: what you think is done might just be the beginning of another issue.
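Two checks I would run before starting the service, written as an added example for this post (not the author's code and not part of Winlogbeat itself): a line-level scan of winlogbeat.yml for the silent breakage the lessons above describe (typographic quotes pasted from a web page, tab indents, two enabled outputs, a missing or default hosts entry), and a filter over the GET _cat/indices?v table for a Winlogbeat index. It assumes the dotted output.elasticsearch: form of the default config file; the sample config is constructed around the host line shown earlier.

```python
"""Pre-flight checks for the Winlogbeat -> Elasticsearch path: an added example, not code
from the original post. Scans winlogbeat.yml without PyYAML; sample input is constructed."""
import re

# Typographic quotes pasted from a web page are not YAML delimiters; map them to plain ones.
SMART = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2018": "'", "\u2019": "'"})

def check_config(text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings, hosts, current = [], {}, None        # hosts: enabled output -> its host list
    for n, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = raw[: len(raw) - len(raw.lstrip())]
        if "\t" in indent:
            findings.append(f"line {n}: tab indentation (YAML accepts spaces only)")
        if stripped != stripped.translate(SMART):
            findings.append(f"line {n}: typographic quote, use plain \" or '")
        if not indent:                              # top-level key, e.g. output.elasticsearch:
            current = stripped.split(":", 1)[0]
            if current.startswith("output."):
                hosts[current] = []
            continue
        if current in hosts and stripped.startswith("hosts:"):
            hosts[current] += re.findall(r"[\"']([^\"']+)[\"']", stripped.translate(SMART))
    if not hosts:
        findings.append("no output.* section is enabled")
    elif len(hosts) > 1:                            # Winlogbeat refuses to start with two
        findings.append("more than one output enabled: " + ", ".join(hosts))
    elif not next(iter(hosts.values())):
        findings.append(f"{next(iter(hosts))} has no hosts: entry")
    findings += [f"host {h!r} is the default localhost; point it at the Elasticsearch machine"
                 for h in hosts.get("output.elasticsearch", [])
                 if h.split("://")[-1].split(":")[0] in ("localhost", "127.0.0.1")]
    return findings

def winlogbeat_indices(cat_output: str) -> list[str]:
    """Winlogbeat index names in the table returned by GET _cat/indices?v (header row first)."""
    rows = [line.split() for line in cat_output.splitlines() if line.strip()]
    col = rows[0].index("index") if rows else 0    # header row gives the column position
    return [row[col] for row in rows[1:] if "winlogbeat" in row[col]]

# Constructed sample: the post's host line, but with a typographic opening quote.
SAMPLE_CONFIG = """\
output.elasticsearch:
  hosts: [\u201chttp://192.168.1.6:9200"]
setup.kibana:
  host: "http://192.168.1.6:5601"
"""
```

Run it against a real file with check_config(open("winlogbeat.yml").read()); if it reports nothing and _cat/indices still shows no Winlogbeat index, the next place to look is the Winlogbeat log file, not the config.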

Why This Matters

This kind of setup teaches you things that no online course or tutorial will ever teach you. It teaches you to slow down, to read logs, to think like a detective.

And yes, it gets frustrating, but let me tell you something:

This kind of knowledge, nobody gives it to you; you have to earn it with hours of silence, confusion and failed attempts.

I know one thing:

Most people give up here. I am not most people.

This struggle is mine. I am owning it.

This hands-on experience will set me apart from others who might only have knowledge or watch-and-forget experience.

Thanks for reading.

If you are struggling with setting up your Security Operations Center lab, feel free to reach out; I have probably faced the same problems.

Let us grow, fail and succeed together.

#BlueTeam #SOC #Winlogbeat #ELKStack #CybersecurityJourney #LearningInPublic #TryHackMe


Broken Config, Unbroken Will was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.