Auditbeat encryption and dashboards

elk6 · August 1, 2020, 12:40pm

I'm a little overwhelmed and I was hoping someone could help me sort things out.

On each machine, I have auditbeat setup. On top of the audit logs, I also use auditbeat for the dashboards it provides in kibana (for failed logins and such).

Dashboards - For the dashboards to appear in kibana, do I need to set setup.dashboards.enabled: true? I noticed dashboard data coming to kibana directly (on port 5601). Is it possible to have it coming through Logstash or Elasticsearch?

Encryption - On filebeat, I have everything output to logstash and the encryption is working great.
If I set auditbeat output to Logstash with the dashboards I get this error:

 ERROR   instance/beat.go:958    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
 Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.

Since audit data doesn't need filtering, I'm trying directing auditbeat traffic directly to elastic search. Problem is, if I direct output to elasticsearch, it will send the data unencrypted even though I've copied the SSL config from the logstash output (with works):

 output.elasticsearch:               
   # Array of hosts to connect to.
   hosts: ["91.242.11.225:9200"] # Not the real IP

   # Protocol - either `http` (default) or `https`.
   #protocol: "https"

   # Authentication credentials - either API key or username/password.
   #api_key: "id:api_key"
   username: "elastic"
   password: "password" # Not the real password
   ssl.enabled: true
   ssl.certificate_authorities: ["/etc/elk/ca.crt"]

   # Certificate for SSL client authentication
   ssl.certificate: "/etc/elk/beats.crt"

   # Client Certificate Key
   ssl.key: "/etc/elk/beats.key"
   ssl.key_passphrase: "password" # Not the real password
   ssl.verification_mode: full

I saw suggestions to enable HTTPS but it should still encrypt that data nonetheless. I'm a little baffled by all of this and I was hoping someone could shed a light on it. Huge thanks ahead!

system · August 29, 2020, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't send dashboard to kibana Kibana	5	1062	September 3, 2020
Error setting up Dashboards Elasticsearch	5	591	June 16, 2020
Error setting up Dashboards with auditbeat Elasticsearch	1	270	May 16, 2022
Auditbeat sends unencrypted data Beats auditbeat	1	288	August 28, 2020
Can't setup kibana dashboards for Beats Beats	3	335	March 31, 2020

Auditbeat encryption and dashboards

Related topics