Auditbeat encryption and dashboards

I'm a little overwhelmed and I was hoping someone could help me sort things out.

On each machine, I have auditbeat set up. On top of the audit logs, I also use auditbeat for the dashboards it provides in Kibana (for failed logins and such).

  1. Dashboards - For the dashboards to appear in Kibana, do I need to set setup.dashboards.enabled: true? I noticed dashboard data going to Kibana directly (on port 5601). Is it possible to have it come through Logstash or Elasticsearch?

  2. Encryption - On Filebeat, I have everything output to Logstash and the encryption is working great.
    If I set the auditbeat output to Logstash with the dashboards, I get this error:

     ERROR   instance/beat.go:958    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
     Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
    

    Since audit data doesn't need filtering, I'm trying to direct the auditbeat traffic straight to Elasticsearch. The problem is, if I direct the output to Elasticsearch, it sends the data unencrypted even though I've copied the SSL config from the Logstash output (which works):

     output.elasticsearch:               
       # Array of hosts to connect to.
       hosts: ["91.242.11.225:9200"] # Not the real IP
    
       # Protocol - either `http` (default) or `https`.
       #protocol: "https"
    
       # Authentication credentials - either API key or username/password.
       #api_key: "id:api_key"
       username: "elastic"
       password: "password" # Not the real password
       ssl.enabled: true
       ssl.certificate_authorities: ["/etc/elk/ca.crt"]
    
       # Certificate for SSL client authentication
       ssl.certificate: "/etc/elk/beats.crt"
    
       # Client Certificate Key
       ssl.key: "/etc/elk/beats.key"
       ssl.key_passphrase: "password" # Not the real password
       ssl.verification_mode: full
    

I saw suggestions to enable HTTPS, but it should still encrypt the data nonetheless. I'm a little baffled by all of this and was hoping someone could shed some light on it. Huge thanks ahead!
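Added example, not part of the original post or of the Beats project: a small checker that reads an `output.elasticsearch:` block of the flat `key: value` shape shown above and reports the mismatch the question describes, `ssl.*` keys present while the connection scheme is still the default `http`. It parses that YAML subset by hand so it runs with no extra libraries. Its one rule is taken from the comment in the posted config (`protocol` is either `http`, the default, or `https`) plus the assumption that a scheme written into a `hosts` entry overrides `protocol`; the host names and credentials in the two sample configs are constructed placeholders.

```python
"""Flag a Beats elasticsearch output whose ssl.* settings cannot take effect
because the connection scheme is left at the default http.

Parses only the flat `key: value` lines under one section (the shape in the
question), with `#` comments, quoted scalars, bare scalars, true/false and
JSON-style lists. Scheme rule (assumption): a scheme in the hosts entry wins,
otherwise `protocol`, otherwise http.
"""
import json
import re

SCHEME_RE = re.compile(r"^(https?)://", re.IGNORECASE)

# Constructed sample: same layout as the posted config, protocol left commented out.
WEAK_CONFIG = """
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["es.example.internal:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  username: "elastic"
  password: "CHANGEME"
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]
  ssl.certificate: "/etc/elk/beats.crt"
  ssl.key: "/etc/elk/beats.key"
  ssl.verification_mode: full
"""

# Constructed sample: identical, but the scheme is pinned to https.
FIXED_CONFIG = WEAK_CONFIG.replace('#protocol: "https"', 'protocol: "https"')


def parse_flat_block(text: str) -> dict:
    """Return {'section.key': value} for `key: value` lines under one section."""
    cfg = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments; values here contain no '#'
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if not value:                      # `output.elasticsearch:` opens the section
            section = key
            continue
        full = f"{section}.{key}" if section else key
        if value in ("true", "false"):
            cfg[full] = value == "true"
        elif value.startswith(("[", '"')):  # JSON-style list or quoted scalar
            cfg[full] = json.loads(value)
        else:
            cfg[full] = value
    return cfg


def effective_schemes(cfg: dict, prefix: str = "output.elasticsearch") -> list:
    """Scheme each host will be contacted over, per the rule stated above."""
    default = str(cfg.get(f"{prefix}.protocol", "http")).lower()
    schemes = []
    for host in cfg.get(f"{prefix}.hosts", []):
        m = SCHEME_RE.match(host)
        schemes.append(m.group(1).lower() if m else default)
    return schemes


def audit_output(cfg: dict, prefix: str = "output.elasticsearch") -> list:
    """Human-readable findings; an empty list means the block is consistent."""
    findings = []
    has_ssl_keys = any(k.startswith(f"{prefix}.ssl.") for k in cfg)
    ssl_enabled = cfg.get(f"{prefix}.ssl.enabled", has_ssl_keys)
    hosts = cfg.get(f"{prefix}.hosts", [])
    for host, scheme in zip(hosts, effective_schemes(cfg, prefix)):
        if scheme == "https":
            continue
        if ssl_enabled:
            findings.append(f"{host}: ssl.* is set but the scheme is {scheme}; "
                            f'set protocol: "https" or write the host as https://{host}')
        else:
            findings.append(f"{host}: plaintext {scheme} with credentials in the config")
    if ssl_enabled and cfg.get(f"{prefix}.ssl.verification_mode", "full") != "full":
        findings.append("ssl.verification_mode is not full; certificate and hostname checks are relaxed")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_output(parse_flat_block(text)) or "ok")
```

Run it as-is to see the posted layout flagged and the corrected one pass; pointing `parse_flat_block` at a real `auditbeat.yml` works as long as the output block keeps this flat shape.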
