No indices match pattern "powershell-*" and wmiprvse.exe about helk HOT 8 CLOSED

@WasKa001 thank you for the details. Regarding the powershell-* index. Did you set your endpoint to send PowerShell logs over to the HELK?? For example, this is the Winlogbeat config that I use in my lab: https://github.com/Cyb3rWard0g/HELK/blob/master/winlogbeat/winlogbeat.yml . Let me know if you are doing that already. if you are already doing that, can you just refresh your Kibana interface in your browser by typing the IP of your HELK and refreshing the page?? Sometimes there might be a delay for the logs to get to the HELK but the browser caches kibana results (i.e the warning message). Also, regarding wmiprvse.exe yes that could be normal. The Sysmon config provided in my blog post (https://gist.github.com/Cyb3rWard0g/136481552d8845e52962534d1a4b8664) is just a basic one to allow others to customize the way it is needed or wanted. Let me know if this is helpful and if I was able to help or answer your questions.

from helk.

Hey @WasKa001 I hope you had a good weekend. Let me know if you were able to take a look at the suggestions I shared. let me know if this could be closed or if you still need help. Thank you!

from helk.

@Cyb3rWard0g hi, sorry I didn't have a chance to check it yet. I am using .yml config file from your blog. I guess it's the same as the one you've posted above. I'll check once again later on today in the evening and will get back to you soon, thanks!

from helk.

@WasKa001 sounds good. no rush. The YML file is a good start but needs to be customized for your own need and use cases. Let me know if you were able to install the HELK without any issues 👍 Whenever you have a chance. Thank you

from helk.

@Cyb3rWard0g HELK installation is not the issue, I've installed it and everything is working properly apart from powershell-* section - "No indices match pattern "powershell-*"

Do I need to modify your YML to get this working? I used YML from your blog post about threat hunting lab. Thanks!

from helk.

ok so HELK installation is not the issue. Can you provide the link to the YML file? The one that I used for the threat hunting lab is not set up to pull PowerShell logs. The YML that you should use is this one: https://github.com/Cyb3rWard0g/HELK/blob/master/winlogbeat/winlogbeat.yml. Also, make sure you have enhanced PowerShell logging enabled: https://cyberwardog.blogspot.com/2017/06/enabling-enhanced-ps-logging-shipping.html . Let me know if this makes sense.

from helk.

@Cyb3rWard0g ok thank you, I will have a chance to test it out over the weekend. I will replace my config file with the above YML and will let you now. I also don't have currently Enhanced PowerShell logging enabled so I guess this is why I am getting the error related to powershell-* indices pattern match

from helk.

Sounds good @WasKa001. I will close this issue since it is a configuration happening at the client side and not in HELK. Feel free to reopen it or create a new one if the HELK fails at install or if any index does not work at all after you have all the data you need being sent to it. Thank you

from helk.