Auditbeat encryption and dashboards

I'm a little overwhelmed and I was hoping someone could help me sort things out.

On each machine, I have auditbeat setup. On top of the audit logs, I also use auditbeat for the dashboards it provides in kibana (for failed logins and such).

1. Dashboards - For the dashboards to appear in kibana, do I need to set setup.dashboards.enabled: true? I noticed dashboard data coming to kibana directly (on port 5601). Is it possible to have it coming through Logstash or Elasticsearch?

2. Encryption - On filebeat, I have everything output to logstash and the encryption is working great.
   If I set auditbeat output to Logstash with the dashboards I get this error:

    ERROR   instance/beat.go:958    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://91.242.11.225:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.
   

   Since audit data doesn't need filtering, I'm trying directing auditbeat traffic directly to elastic search. Problem is, if I direct output to elasticsearch, it will send the data unencrypted even though I've copied the SSL config from the logstash output (with works):

    output.elasticsearch:               
      # Array of hosts to connect to.
      hosts: ["91.242.11.225:9200"] # Not the real IP
   
      # Protocol - either `http` (default) or `https`.
      #protocol: "https"
   
      # Authentication credentials - either API key or username/password.
      #api_key: "id:api_key"
      username: "elastic"
      password: "password" # Not the real password
      ssl.enabled: true
      ssl.certificate_authorities: ["/etc/elk/ca.crt"]
   
      # Certificate for SSL client authentication
      ssl.certificate: "/etc/elk/beats.crt"
   
      # Client Certificate Key
      ssl.key: "/etc/elk/beats.key"
      ssl.key_passphrase: "password" # Not the real password
      ssl.verification_mode: full
   

I saw suggestions to enable HTTPS but it should still encrypt that data nonetheless. I'm a little baffled by all of this and I was hoping someone could shed a light on it. Huge thanks ahead!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.