I'm trying to learn how to set up Auditbeat on the same server as my Elasticsearch and Kibana instance, version 8.5, which is running off of Ubuntu 20.04. But when I do a `systemctl start auditbeat.service`, I get the error:

```
{"log.level":"error","@timestamp":"2022-11-13T23:01:44.731Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}
```
In terms of what I did, I started a completely new installation of Ubuntu 20.04 on my laptop, which has an IP address of 192.168.0.41. Then I ran these commands to download all the packages I need to set up Elasticsearch, Kibana and Auditbeat:
```sh
apt-get update && apt dist-upgrade -y
apt-get install -y curl gnupg gpg vim
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo gpg --dearmor -o /usr/share/keyrings/elasticsearch-keyring.gpg
sudo apt-get install apt-transport-https
echo "deb [signed-by=/usr/share/keyrings/elasticsearch-keyring.gpg] https://artifacts.elastic.co/packages/8.x/apt stable main" | sudo tee /etc/apt/sources.list.d/elastic-8.x.list
sudo apt-get update
sudo apt-get install -y elasticsearch
sudo apt-get install -y kibana
sudo apt-get install -y auditbeat
systemctl enable elasticsearch.service
systemctl enable kibana.service
systemctl enable auditbeat.service
mkdir /etc/kibana/certs
cp /etc/elasticsearch/certs/http_ca.crt /etc/kibana/certs
chown -R kibana:kibana /etc/kibana/certs
chmod -R 755 /etc/kibana/certs
```
Then I made these three files on the server:

```yaml
# file: /etc/elasticsearch/elasticsearch.yml
cluster.name: my-application
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: localhost
http.port: 9200
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["auditbeat"]
http.host: 0.0.0.0
```
```yaml
# file: /etc/kibana/kibana.yml
server.port: 5601
server.host: "192.168.0.41"
server.publicBaseUrl: "http://192.168.0.41:5601"
elasticsearch.hosts: ["https://localhost:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "ABCD1234"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/http_ca.crt" ]
elasticsearch.ssl.verificationMode: none
logging:
  appenders:
    file:
      type: file
      fileName: /var/log/kibana/kibana.log
      layout:
        type: json
  root:
    appenders:
      - default
      - file
pid.file: /run/kibana/kibana.pid
```
```yaml
# file: /etc/auditbeat/auditbeat.yml
auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - package # Installed, updated, and removed packages
  period: 2m # The frequency at which the datasets check for changes
- module: system
  datasets:
    - host # General host information, e.g. uptime, IPs
    - login # User logins, logouts, and system boots.
    - process # Started and stopped processes
    - socket # Opened and closed sockets
    - user # User information
  state.period: 1m
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
setup.template.settings:
  index.number_of_shards: 1
setup.dashboards.enabled: true
setup.kibana:
  host: "192.168.0.41:5601"
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"
  password: "ABCD1234"
  ssl.verification_mode: none
processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
```
Then I typed `systemctl start elasticsearch.service`. Once `elasticsearch.service` is up, I typed these two commands to reset the password for `elastic` and `kibana_system` to simply `ABCD1234`:

```sh
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u elastic
# when prompted, type in password ABCD1234
/usr/share/elasticsearch/bin/elasticsearch-reset-password -i -u kibana_system
# when prompted, type in password ABCD1234
```
Then I started Kibana with `systemctl start kibana.service`. I log in to the website at http://192.168.0.41:5601 with the user `elastic` and password `ABCD1234` to confirm everything is working.
Then I ran these commands to set up and start Auditbeat:

```sh
/usr/share/auditbeat/bin/auditbeat setup -c /etc/auditbeat/auditbeat.yml --path.home /usr/share/auditbeat/ --path.config /etc/auditbeat/ --path.data /var/lib/auditbeat --path.logs /var/log/auditbeat
systemctl start auditbeat.service
```

Then I see failures with Auditbeat that show this error:

```
{"log.level":"error","@timestamp":"2022-11-13T23:01:44.731Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}
```
What did I do wrong?
In case it helps, here is a 2-minute video recording of me performing all the steps above, from setting up Ubuntu up until the point I get the error with Auditbeat:
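As an added example that is not part of the original post and not Elastic's own tooling, the following POSIX sh pre-flight script checks the pieces that the setup above depends on before `auditbeat.service` is started. It assumes the paths used in the question (`/etc/kibana/certs/http_ca.crt`, `https://localhost:9200`, the `--path.*` flags), a stock Ubuntu kernel that ships `/boot/config-$(uname -r)`, that the auto-generated Elasticsearch HTTP certificate covers `localhost`, and that the `elastic` password is supplied through the `ES_PASSWORD` environment variable rather than written into the script. The two pure functions (`kernel_audit_enabled`, `log_message`) run offline on constructed input; the live checks only run when the script is invoked with `--run`.

```shell
#!/bin/sh
# Added pre-flight checks for the Auditbeat/Elasticsearch setup in the question.
# Not from the original post and not Elastic's code; see the assumptions above.

# 0 if the kernel config says the audit subsystem is compiled in, 1 if it is
# absent or explicitly disabled, 2 if the file cannot be read. Auditbeat's
# auditd module talks to the kernel over a NETLINK_AUDIT socket, so a kernel
# built without CONFIG_AUDIT has nothing to answer that socket.
kernel_audit_enabled() {
    cfg="$1"
    [ -r "$cfg" ] || return 2
    grep -q '^CONFIG_AUDIT=y$' "$cfg"
}

# Pull the "message" field out of one ECS-JSON log line, so the failure reads
# cleanly in triage notes or an alert rule. Assumes the message itself contains
# no escaped double quotes (true for Beats' startup errors).
log_message() {
    printf '%s\n' "$1" | sed -n 's/.*"message":"\([^"]*\)".*/\1/p'
}

# The exact error line quoted in the question, kept here as sample input.
SAMPLE_LINE='{"log.level":"error","@timestamp":"2022-11-13T23:01:44.731Z","log.origin":{"file.name":"instance/beat.go","file.line":1056},"message":"Exiting: 1 error: failed to create audit client: failed to get audit status: connection refused","service.name":"auditbeat","ecs.version":"1.6.0"}'

# Live checks; run as:  ES_PASSWORD='...' sh preflight.sh --run
preflight() {
    kcfg="/boot/config-$(uname -r)"
    if kernel_audit_enabled "$kcfg"; then
        echo "kernel: CONFIG_AUDIT=y in $kcfg"
    else
        echo "kernel: CONFIG_AUDIT=y not found in $kcfg; the auditd module needs kernel audit support" >&2
    fi

    # Only one consumer can own the audit netlink socket (unless Auditbeat is
    # configured for multicast), so an already-running auditd is worth knowing about.
    if pidof auditd >/dev/null 2>&1; then
        echo "auditd is running and owns the audit socket" >&2
    fi

    # Validate TLS to Elasticsearch with the CA the question copies for Kibana,
    # instead of setting verification_mode: none as both YAML files do.
    curl -fsS --cacert /etc/kibana/certs/http_ca.crt \
        -u "elastic:${ES_PASSWORD:?set ES_PASSWORD}" https://localhost:9200/ >/dev/null \
        && echo "elasticsearch: reachable over TLS with http_ca.crt"

    # Beats' own validators, with the same --path.* flags as the question's setup command.
    /usr/share/auditbeat/bin/auditbeat test config -c /etc/auditbeat/auditbeat.yml \
        --path.home /usr/share/auditbeat/ --path.config /etc/auditbeat/ \
        --path.data /var/lib/auditbeat --path.logs /var/log/auditbeat
    /usr/share/auditbeat/bin/auditbeat test output -c /etc/auditbeat/auditbeat.yml \
        --path.home /usr/share/auditbeat/ --path.config /etc/auditbeat/ \
        --path.data /var/lib/auditbeat --path.logs /var/log/auditbeat
}

if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Running `auditbeat test config` and `auditbeat test output` separates configuration and output problems from the audit-client error in the question, which is raised before any output is attempted; `log_message "$SAMPLE_LINE"` returns the bare failure text from the quoted line.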