I'm a little overwhelmed and I was hoping someone could help me sort things out.
On each machine, I have auditbeat setup. On top of the audit logs, I also use auditbeat for the dashboards it provides in kibana (for failed logins and such).
- Dashboards - For the dashboards to appear in Kibana, do I need to set `setup.dashboards.enabled: true`? I noticed dashboard data coming to Kibana directly (on port 5601). Is it possible to have it coming through Logstash or Elasticsearch?
- Encryption - On Filebeat, I have everything output to Logstash and the encryption is working great.

If I set Auditbeat output to Logstash with the dashboards, I get this error:

```
ERROR instance/beat.go:958 Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
```
Since audit data doesn't need filtering, I'm trying to direct Auditbeat traffic directly to Elasticsearch. Problem is, if I direct output to Elasticsearch, it will send the data unencrypted even though I've copied the SSL config from the Logstash output (which works):

```yaml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["91.242.11.225:9200"] # Not the real IP

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "password" # Not the real password

  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk/beats.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk/beats.key"
  ssl.key_passphrase: "password" # Not the real password
  ssl.verification_mode: full
```
I saw suggestions to enable HTTPS, but it should still encrypt the data nonetheless. I'm a little baffled by all of this and I was hoping someone could shed some light on it. Huge thanks ahead!
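The configuration below is an added example, not part of the original post, that puts the posted `output.elasticsearch` block next to a corrected one and adds the `setup.kibana` section the dashboard step needs. Two points it illustrates: in the posted block `protocol: "https"` is commented out and the hosts carry no scheme, so the beat builds `http://` URLs and the `ssl.*` settings never come into play (Beats defaults `protocol` to `http`, and a scheme written into `hosts` overrides it); and dashboards are loaded by the beat itself over the Kibana API, not through Logstash, so with a Logstash output there are no Elasticsearch credentials for the Kibana client to reuse, which is what produces the 401. Hostnames, usernames, passwords and file paths here are placeholders.

```yaml
# ---- As posted (TLS settings present but never used) ----
# output.elasticsearch:
#   hosts: ["elk.example.internal:9200"]   # no scheme -> http:// is assumed
#   #protocol: "https"                      # commented out -> default "http"
#   username: "elastic"
#   password: "CHANGE_ME"
#   ssl.enabled: true                       # ignored on a plain-http URL
#   ssl.certificate_authorities: ["/etc/elk/ca.crt"]

# ---- Corrected output: make the URL scheme https so ssl.* applies ----
output.elasticsearch:
  hosts: ["elk.example.internal:9200"]     # placeholder host
  protocol: "https"                        # or write hosts: ["https://elk.example.internal:9200"]
  username: "elastic"                      # placeholder account
  password: "CHANGE_ME"                    # placeholder; prefer the keystore in practice
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]
  # Client certificate for mutual TLS, same files as the working Logstash output
  ssl.certificate: "/etc/elk/beats.crt"
  ssl.key: "/etc/elk/beats.key"
  ssl.key_passphrase: "CHANGE_ME"          # placeholder
  ssl.verification_mode: full              # verify CA chain and hostname

# ---- Dashboard loading talks to Kibana directly, whatever the output is ----
setup.dashboards.enabled: true

setup.kibana:
  host: "elk.example.internal:5601"        # placeholder host
  protocol: "https"                        # set this if Kibana itself is behind TLS
  # Needed explicitly when the output is Logstash: there are no
  # output.elasticsearch credentials for the beat to fall back on.
  username: "elastic"                      # placeholder account
  password: "CHANGE_ME"                    # placeholder
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]
  ssl.verification_mode: full
```

To confirm the change took, `auditbeat test output` reports the URL it will use (it should start with `https://`) and whether the TLS handshake and authentication succeed. The dashboard load does not have to run on every host: `auditbeat setup --dashboards` from one machine with a valid `setup.kibana` block installs them once, after which the other agents can keep `setup.dashboards.enabled: false` and ship to Logstash as before.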