Host Visibility — Security Onion 2.3 documentation

***Modifying the Winlogbeat.yaml to work with the OSSysbeat.ps1 script to set up the shipping of host logs to Security Onion***

1. Right-click the winlogbeat.yaml file and edit it.
2. Scroll down to the “winlogbeat.event_logs:” section. The bottom line of this section should read as follows:
   name: Microsoft-Windows-Sysmon/Operational
3. Scroll down to the Elasticsearch section and comment out the “hosts” line.
4. Scroll down to the Logstash section and uncomment the “output.logstash:” line and the “hosts” line below it.
5. Change the IP in the square brackets to the IP address of our Security Onion sensor.
6. Press Ctrl + S to save, then close the file.

by cpl adams
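
For reference, the three edited sections as they would look once the steps above are done. This fragment is an added example, not the file shipped with Winlogbeat or Security Onion: the sensor address 192.0.2.10 is a placeholder, and port 5044 and the entries above the Sysmon line are assumptions.

```yaml
# Added example: the edited sections of the Winlogbeat config after the steps above.
# Values marked "assumption" or "placeholder" are not from the original page.

winlogbeat.event_logs:
  - name: Application          # assumption: typical default entries
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational   # bottom line of the section

# Elasticsearch section: the hosts line is commented out (step 3).
# The section header is commented out here as well, so that the Logstash
# output is the only output defined; the page's step names only the hosts line.
#output.elasticsearch:
  #hosts: ["localhost:9200"]

# Logstash section: both lines uncommented (step 4), IP changed to the
# Security Onion sensor (step 5).
output.logstash:
  hosts: ["192.0.2.10:5044"]   # placeholder IP; port 5044 is an assumption
```

YAML is indentation-sensitive, so when removing the `#` make sure `hosts` stays indented under `output.logstash:`. After saving, `.\winlogbeat.exe test config -c <path to the config file>` reports whether the file still parses, and `.\winlogbeat.exe test output -c <path to the config file>` checks that the sensor is reachable.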