I was able to load the index template manually with the following command:
auditbeat setup --index-management -e \
-E output.logstash.enabled=false \
-E output.elasticsearch.hosts=['http://log-server:9200'] \
-E output.elasticsearch.username=\${ES_USERNAME} \
-E output.elasticsearch.password=\${ES_PASSWORD} \
-E setup.ilm.overwrite=true \
-E setup.template.overwrite=true
However, in Kibana I receive an illegal_argument_exception error:
Fielddata is disabled on [host.os.name] in [auditbeat-20240613]. Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.os.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.
I see there is a hint in the error message, but I am not sure what the best practice is here. Isn't it something that should work out of the box when using auditbeat?
Another thing is that setting the Kibana Space ID doesn't seem to work while loading the dashboards. Command used:
auditbeat setup --dashboards -e \
-E output.logstash.enabled=false \
-E output.elasticsearch.hosts=['http://log-server:9200'] \
-E output.elasticsearch.username=\${ES_USERNAME} \
-E output.elasticsearch.password=\${ES_PASSWORD} \
-E setup.ilm.overwrite=true \
-E setup.kibana.space.id=audit
The dashboards are still loaded into the Default space. I also tried to set setup.kibana -> space.id in the config file.
Side note to whoever is dealing with the same problem and is running the above commands.
The ES_PASSWORD (and ES_USERNAME) is escaped with \$ and it is taken from the keystore. Normally the variable would be expanded by the shell before running the command, so the plain-text password would be logged into Elastic if you are auditing execve() syscalls.
I added the variable to the keystore with the command: cat password_file | auditbeat keystore add ES_PASSWORD --stdin --force
Alternatively, you can simply stop the auditbeat service.
On Ubuntu the keystore file is kept in /var/lib/auditbeat/auditbeat.keystore by default, with root:root 0600 permissions.
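Editor's note, added example (not part of the post above or of auditbeat itself): the "Fielddata is disabled" error means host.os.name ended up mapped as a text field in that index, which Kibana cannot aggregate or sort on. In the ECS mapping that auditbeat's template installs, host.os.name is a keyword field, so an index mapped this way has typically received its mapping from dynamic mapping rather than from the template (one common cause is an index name that does not match the template's index pattern). Setting fielddata=true, as the error message suggests, is the memory-hungry workaround, not the fix. The check below walks an index mapping (the kind of document returned by GET <index>/_mapping) and lists every text field that has no keyword-typed sub-field, i.e. every field that would trigger this error in a visualization. The mapping it runs on is a constructed, trimmed-down sample, not output captured from the poster's cluster.

```python
# Added example: find text fields in an Elasticsearch index mapping that
# Kibana cannot aggregate on. SAMPLE_MAPPING is a constructed stand-in for
# the JSON that `GET auditbeat-20240613/_mapping` would return; the field
# names are ECS-style but the mapping itself is hypothetical.
import json

SAMPLE_MAPPING = json.loads("""
{
  "auditbeat-20240613": {
    "mappings": {
      "properties": {
        "@timestamp": {"type": "date"},
        "host": {
          "properties": {
            "name": {"type": "keyword"},
            "os": {
              "properties": {
                "name": {"type": "text"},
                "version": {
                  "type": "text",
                  "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}
                }
              }
            }
          }
        },
        "message": {"type": "text"}
      }
    }
  }
}
""")


def iter_leaf_fields(properties, prefix=""):
    """Yield (dotted_name, definition) for every leaf field in a mapping."""
    for name, definition in properties.items():
        full = f"{prefix}{name}"
        if "properties" in definition:  # object field: descend into it
            yield from iter_leaf_fields(definition["properties"], full + ".")
        else:
            yield full, definition


def aggregatable_name(field, definition):
    """Return the name Kibana can aggregate/sort on for this field, or None.

    Non-text types (keyword, date, ip, numeric, ...) are usable directly.
    A text field is usable only through a keyword-typed multi-field,
    conventionally `<field>.keyword`.
    """
    if definition.get("type") != "text":
        return field
    for sub, subdef in definition.get("fields", {}).items():
        if subdef.get("type") == "keyword":
            return f"{field}.{sub}"
    return None


def fields_needing_keyword(mapping):
    """Return (index, field) pairs that would raise 'Fielddata is disabled'."""
    bad = []
    for index, body in mapping.items():
        props = body["mappings"].get("properties", {})
        for field, definition in iter_leaf_fields(props):
            if aggregatable_name(field, definition) is None:
                bad.append((index, field))
    return bad


if __name__ == "__main__":
    for index, field in fields_needing_keyword(SAMPLE_MAPPING):
        print(f"{index}: [{field}] is text with no keyword sub-field")
```

On the sample mapping this reports host.os.name and message; host.os.version passes because its keyword multi-field (host.os.version.keyword) is what a visualization should use. Against a real cluster, fetch the mapping with the same credentials the setup command uses and feed the parsed JSON to fields_needing_keyword; if host.os.name shows up, compare the index name with the index patterns of the installed auditbeat template before touching fielddata.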