Winlogbeat on Windows 7 and Security Onion 2.4

[vanh20]

Hello Everyone!

I am trying to send Syslog+Winlogbet logs to Security Onion Standalone over Logstash. I can't upgrade my windows 7 machine for now, thus I can't install the Elastic-agent (not supported). Winlogbeat v7.16.3... properly configured and is sending logs to Security Onion. Prior to this problem, I have connectivity issues, and was able to fix that via SOC Firewall beats_endpoint/beat_5044. Role was also unchanged. So it began sending logs and is received by Sec On. However, logs still won't reflect on Hunt dashboards.. though zeek was able to get everything. I checked logstash.log and the following was returned. For the sake of brevity, I will just post one line, they are all similar anyway:

[2025-10-29T08:25:10,276][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.dns"}, {"message"=>...}, :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["...", "if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ", " ^---- HERE"], "script"=>"def ips = []; for (item in ctx.dns.answers.name) { if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ips.add(item); } } ctx.dns.resolved_ip = ips;", "lang"=>"painless", "position"=>{"offset"=>100, "start"=>51, "end"=>146}, "caused_by"=>{"type"=>"circuit_breaking_exception", "reason"=>"[scripting] Regular expression considered too many characters, pattern: [...], limit factor: [6], char limit: [108], count: [109], wrapped: [2600:1901:0:38d7::], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting", "bytes_wanted"=>0, "bytes_limit"=>0, "durability"=>"TRANSIENT"}}}}}

What I have done, I have modified /opt/so/saltstack/local/pillar/global/soc_global.sls to accomodate bigger regex limit:

elasticsearch: config: script.painless.regex.limit-factor: 20

And this was that log:

[2025-10-29T08:25:10,276][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["create", {:_id=>nil, :_index=>"logs-zeek-so", :routing=>nil, :pipeline=>"zeek.dns"}, {"container"=>{"id"=>"dns.log"}, "message"=>"{\"ts\":<hash_1>.22466,\"uid\":\"CCdQuo3iEj3s6fXs2h\",\"id.orig_h\":\"ip_address_1\",\"id.orig_p\":59701,\"id.resp_h\":\"ip_address_2\",\"id.resp_p\":53,\"proto\":\"udp\",\"trans_id\":26922,\"rtt\":0.<hash_2>,\"query\":\"prod.detectportal.prod.cloudops.mozgcp.net\",\"qclass\":1,\"qclass_name\":\"C_INTERNET\",\"qtype\":28,\"qtype_name\":\"AAAA\",\"rcode\":0,\"rcode_name\":\"NOERROR\",\"AA\":false,\"TC\":false,\"RD\":true,\"RA\":true,\"Z\":0,\"answers\":[\"2600:1901:0:38d7::\"],\"TTLs\":[1800.0],\"rejected\":false}", "event"=>{"category"=>"network", "dataset"=>"zeek", "module"=>"zeek"}, "metadata"=>{"type"=>"_doc", "pipeline"=>"zeek.dns", "input"=>{"beats"=>{"host"=>{"ip"=>"ip_address_3"}}}, "version"=>"8.18.4", "beat"=>"filebeat", "input_id"=>"logfile-logs-zeek-logs", "raw_index"=>"logs-zeek-so", "stream_id"=>"logfile-log.logs-zeek-logs"}, "elastic_agent"=>{"snapshot"=>false, "id"=>"<hash_3>-d306-4c8f-b636-<hash_4>", "version"=>"8.18.4"}, "tags"=>["elastic-agent", "input-security_onion_ip", "beats_input_codec_plain_applied"], "host"=>{"architecture"=>"x86_64", "id"=>"<hash_5>", "containerized"=>false, "hostname"=>"security_onion_ip", "name"=>"security_onion_ip", "ip"=>["ip_address_4", "fe80::210:18ff:fe5f:6315", "ip_address_3", "ip_address_5"], "os"=>{"type"=>"linux", "platform"=>"ol", "version"=>"9.6", "kernel"=>"5.15.0-ip_address_6.el9uek.x86_64", "name"=>"Oracle Linux Server", "family"=>"redhat"}, "mac"=>["mac_id_1", "mac_id_2", "mac_id_3", "mac_id_4", "mac_id_5", "mac_id_6", "mac_id_7", "mac_id_8", "mac_id_9", "mac_id_10", "mac_id_11", "mac_id_12", "mac_id_13", "mac_id_14", "mac_id_15", "mac_id_16", "mac_id_17", "mac_id_18", "mac_id_19", "mac_id_20", "mac_id_21", "mac_id_22", "mac_id_23"]}, "log"=>{"file"=>{"path"=>"/nsm/zeek/logs/current/dns.log"}, "offset"=>244491}, "data_stream"=>{"type"=>"logs", "namespace"=>"so", "dataset"=>"zeek"}, "type"=>"redis-input", "input"=>{"type"=>"log"}, "@timestamp"=>2025-10-29T08:25:00.979Z, "@version"=>"1", "agent"=>{"type"=>"filebeat", "id"=>"<hash_3>-d306-4c8f-b636-<hash_4>", "name"=>"security_onion_ip", "version"=>"8.18.4", "ephemeral_id"=>"<hash_6>-c634-4328-be45-<hash_7>"}, "ecs"=>{"version"=>"8.0.0"}, "pipeline"=>"dns"}], :response=>{"create"=>{"status"=>400, "error"=>{"type"=>"script_exception", "reason"=>"runtime error", "script_stack"=>["java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4503)", "java.base/java.util.regex.Pattern$Loop.match(Pattern.java:5076)", "java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:5001)", "java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4510)", "java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4510)", "java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4970)", "java.base/java.util.regex.Pattern$Loop.match(Pattern.java:5079)", "java.base/java.util.regex.Pattern$GroupTail.match(Pattern.java:5001)", "java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4510)", "java.base/java.util.regex.Pattern$BmpCharPropertyGreedy.match(Pattern.java:4510)", "java.base/java.util.regex.Pattern$GroupHead.match(Pattern.java:4970)", "java.base/java.util.regex.Pattern$Loop.matchInit(Pattern.java:5101)", "java.base/java.util.regex.Pattern$Prolog.match(Pattern.java:5025)", "java.base/java.util.regex.Pattern$Begin.match(Pattern.java:3852)", "java.base/java.util.regex.Matcher.search(Matcher.java:1765)", "java.base/java.util.regex.Matcher.find(Matcher.java:785)", "if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ", " ^---- HERE"], "script"=>"def ips = []; for (item in ctx.dns.answers.name) { if (item =~ /^(?:[0-9]{1,3}\\.){3}[0-9]{1,3}$/ || item =~ /^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$/) { ips.add(item); } } ctx.dns.resolved_ip = ips;", "lang"=>"painless", "position"=>{"offset"=>100, "start"=>51, "end"=>146}, "caused_by"=>{"type"=>"circuit_breaking_exception", "reason"=>"[scripting] Regular expression considered too many characters, pattern: [^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$], limit factor: [6], char limit: [108], count: [109], wrapped: [2600:1901:0:38d7::], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting", "bytes_wanted"=>0, "bytes_limit"=>0, "durability"=>"TRANSIENT"}}}}}

Which appeared to have corrected it. Now, I am presented with that error log above. Can anyone point me in the right direction here?

TIA

[cm-ops]

circuit_breaking_exception", "reason"=>"[scripting] Regular expression considered too many characters

The above appears to be the issue.

reason"=>"[scripting] Regular expression considered too many characters, pattern: [^([a-fA-F0-9:]+:+)+[a-fA-F0-9]+$], limit factor: [6], char limit: [108], count: [109], wrapped: [2600:1901:0:38d7::], this limit can be changed by changed by the [script.painless.regex.limit-factor] setting", "bytes_wanted"=>0, "bytes_limit"=>0, "durability"=>"TRANSIENT"

[vanh20]

Hello, Sorry for the very late reply. I was hammering on it for a week or two (among other issues), and I went on vacation and was away from the internet.

I thought it was corrected. I increased it from 6 to 20. Maybe I need to keep increasing it? I really need further coaching on this one. A link or two on what to read, sounds okay too. :)

TIA

[cm-ops]

https://www.elastic.co/docs/reference/elasticsearch/configuration-reference/circuit-breaker-settings

Will give some information on circuit breaker settings.

https://www.elastic.co/docs/troubleshoot/elasticsearch/high-jvm-memory-pressure
Will give you some information on troubleshooting high JVM useage.

[vanh20]

Hello Chris!

Thanks for your reply. I have read through it and I believe this resolves it, though I haven't applied it yet. I turned my Windows 7 off when I went on vacation. I'm still out, and in a few days I'd be coming in and apply these solutions. I'd be posting the configuration below and update this for others to benefit from once I get a hold of my machine. Thanks again! :)

Roy P.

[vanh20]

Hello Chris!

Sorry for the very long delays. I've been working on my network for several days, having multiple issues. What I found out was this... I tried running sfc /scannow, and there were two occurrences of splwow64.exe that needed repairs:

POQ 60 ends. 2025-11-26 15:55:27, Info CSI 00000172 [SR] Verify complete 2025-11-26 15:55:27, Info CSI 00000173 [SR] Verifying 100 (0x0000000000000064) components 2025-11-26 15:55:27, Info CSI 00000174 [SR] Beginning Verify and Repair transaction 2025-11-26 15:55:29, Info CSI 00000175 [SR] Repairing corrupted file [ml:520{260},l:28{14}]"\??\C:\Windows"\[l:24{12}]"splwow64.exe" from store 2025-11-26 15:55:32, Info CSI 00000176 Repair results created: POQ 61 starts: 0: Move File: Source = [l:192{96}]"\SystemRoot\WinSxS\Temp\PendingRenames\3da4a308aa5edc01ec1a00002c127c0f._0000000000000000.cdf-ms", Destination = [l:104{52}]"\SystemRoot\WinSxS\FileMaps\_0000000000000000.cdf-ms" 1: Move File: Source = [l:162{81}]"\SystemRoot\WinSxS\Temp\PendingRenames\3da4a308aa5edc01ed1a00002c127c0f.$$.cdf-ms", Destination = [l:74{37}]"\SystemRoot\WinSxS\FileMaps\$$.cdf-ms" 2: Hard Link File: Source = [l:264{132}]"\SystemRoot\WinSxS\amd64_microsoft-windows-p..ng-spooler-splwow64_31bf3856ad364e35_6.1.7601.17514_none_25d05769a8973724\splwow64.exe", Destination = [l:54{27}]"\??\C:\Windows\splwow64.exe" 3: Move File: Source = [l:246{123}]"\SystemRoot\WinSxS\Temp\PendingRenames\3ed9af08aa5edc01ee1a00002c127c0f.$$_diagnostics_system_power_9d457dc1c7c54838.cdf-ms", Destination = [l:158{79}]"\SystemRoot\WinSxS\FileMaps\$$_diagnostics_system_power_9d457dc1c7c54838.cdf-ms" 4: Move File: Source = [l:258{129}]"\SystemRoot\WinSxS\Temp\Pending... (the rest of the boring stuff! ;) )

And upon replacing that, my issue above seems to have disappeared. Anyway, the system is now giving a new error, which I will post in a new thread as it seems no longer related to "circuit_breaking_exceptions". I was able to use the PowerShell script provided by WinLogBeat for installing and uninstalling the WinLogBeat service. If anybody is interested in continuing it here, please let me know. Otherwise, I'd post it on another thread (most appropriate).

Thanks!