Auditbeat encryption and dashboards

elk6 · August 1, 2020, 12:40pm

I'm a little overwhelmed and I was hoping someone could help me sort things out.

On each machine, I have auditbeat setup. On top of the audit logs, I also use auditbeat for the dashboards it provides in kibana (for failed logins and such).

Dashboards - For the dashboards to appear in kibana, do I need to set setup.dashboards.enabled: true? I noticed dashboard data coming to kibana directly (on port 5601). Is it possible to have it coming through Logstash or Elasticsearch?

Encryption - On filebeat, I have everything output to logstash and the encryption is working great.
If I set auditbeat output to Logstash with the dashboards I get this error:

 ERROR   instance/beat.go:958    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
 Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.

Since audit data doesn't need filtering, I'm trying directing auditbeat traffic directly to elastic search. Problem is, if I direct output to elasticsearch, it will send the data unencrypted even though I've copied the SSL config from the logstash output (with works):

 output.elasticsearch:               
   # Array of hosts to connect to.
   hosts: ["91.242.11.225:9200"] # Not the real IP

   # Protocol - either `http` (default) or `https`.
   #protocol: "https"

   # Authentication credentials - either API key or username/password.
   #api_key: "id:api_key"
   username: "elastic"
   password: "password" # Not the real password
   ssl.enabled: true
   ssl.certificate_authorities: ["/etc/elk/ca.crt"]

   # Certificate for SSL client authentication
   ssl.certificate: "/etc/elk/beats.crt"

   # Client Certificate Key
   ssl.key: "/etc/elk/beats.key"
   ssl.key_passphrase: "password" # Not the real password
   ssl.verification_mode: full

I saw suggestions to enable HTTPS but it should still encrypt that data nonetheless. I'm a little baffled by all of this and I was hoping someone could shed a light on it. Huge thanks ahead!

system · August 29, 2020, 12:40pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Error setting up Dashboards with auditbeat Elasticsearch	1	270	May 16, 2022
Can't setup Winlogbeat or Filebeat dashboards for Kibana Beats filebeat , winlogbeat	5	974	September 27, 2021
Auditbeat dashboard in kibana shows empty results Beats docker , auditbeat	3	422	October 5, 2022
Cannot setup dashboards filebeat to kibana Kibana elastic-stack-security	5	509	June 16, 2022
Auditbeat data not being indexed Beats auditbeat	3	471	February 14, 2023

Auditbeat encryption and dashboards

Related Topics