env:centos 8 x64 with firewalld selinux disabled
filebeat 7.7.0
es 7.7.0
I just enabled the xpack feature in es, and now I cannot see any log in es from filebeat. Before xpack was enabled it worked perfectly.
And the error in service filebeat status:
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2020-05-26 15:44:13 CST; 2min 47s ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 10158 (filebeat)
    Tasks: 8 (limit: 49646)
   Memory: 14.4M
   CGroup: /system.slice/filebeat.service
           └─10158 /usr/share/filebeat/bin/filebeat -environment systemd -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
May 26 15:46:19 ssl filebeat[10158]: 2020-05-26T15:46:19.728+0800 WARN [elasticsearch] elasticsearch/client.go:384 Cannot index event publisher.Event{Content:beat.Event{Timestamp:time.Time{wall:0xbfab5032aa9ca160, ext:125053593101, loc:(*time.Location)(0x594e5e0)}, Meta:{"pipeline":"filebeat-7.7.0-wazuh-alerts-pipeline"}, Fields:{"agent":{"ephemeral_id":"a6150cd6-ea64-40d7-83d5-0acc5f514bf6","hostname":"ssl","id":"6544352f-ef82-4777-87b9-66a84ec2d384","type":"filebeat","version":"7.7.0"},"ecs":{"version":"1.5.0"},"event":{"dataset":"wazuh.alerts","module":"wazuh"},"fields":{"index_prefix":"wazuh-alerts-3.x-"},"fileset":{"name":"alerts"},"host":{"name":"ssl"},"input":{"type":"log"},"log":{"file":{"path":"/var/ossec/logs/alerts/alerts.json"},"offset":347985746},"message":"{\"timestamp\":\"2020-05-26T15:46:15.216+0800\",\"rule\":{\"level\":3,\"description\":\"Audit: Command: /bin/sleep\",\"id\":\"80792\",\"firedtimes\":215,\"mail\":false,\"groups\":[\"audit\",\"audit_command\"],\"gdpr\":[\"IV_30.1.g\"]},\"agent\":{\"id\":\"003\",\"name\":\"device\",\"ip\":\"192.168.2.159\"},\"manager\":{\"name\":\"ssl\"},\"id\":\"1590479175.217294836\",\"full_log\":\"type=SYSCALL msg=audit(1590479177.489:87986): arch=c000003e syscall=59 success=yes exit=0 a0=55826c7e1280 a1=55826c7e1bd0 a2=55826c7df750 a3=8 items=2 ppid=9516 pid=2174 auid=1006 uid=1006 gid=1002 
euid=1006..........{\"type\":\"SYSCALL\",\"id\":\"87994\",\"arch\":\"c000003e\",\"syscall\":\"59\",\"success\":\"yes\",\"exit\":\"0\",\"ppid\":\"18289\",\"pid\":\"2243\",\"auid\":\"1006\",\"uid\":\"1006\",\"gid\":\"1002\",\"euid\":\"1006\",\"suid\":\"1006\",\"fsuid\":\"1006\",\"egid\":\"1002\",\"sgid\":\"1002\",\"fsgid\":\"1002\",\"tty\":\"(none)\",\"session\":\"116\",\"command\":\"sleep\",\"exe\":\"/bin/sleep\",\"key\":\"audit-wazuh-c\",\"execve\":{\"a0\":\"sleep\",\"a1\":\"120\"},\"cwd\":\"/tank1/devnet\",\"file\":{\"name\":\"/bin/sleep\",\"inode\":\"5111893\",\"mode\":\"0100755\"}}},\"location\":\"/var/log/audit/audit.log\"}","service":{"type":"wazuh"}}, Private:file.State{Id:"", Finished:false, Fileinfo:(*os.fileStat)(0xc0002061a0), Source:"/var/ossec/logs/alerts/alerts.json", Offset:348002992, Timestamp:time.Time{wall:0xbfab5015e934d39c, ext:10030013101, loc:(*time.Location)(0x594e5e0)}, TTL:-1, Type:"log", Meta:map[string]string(nil), FileStateOS:file.StateOS{Inode:0x40a9162, Device:0xfd00}}, TimeSeries:false}, Flags:0x1, Cache:publisher.EventCache{m:common.MapStr(nil)}} (status=404): {"type":"index_not_found_exception","reason":"no such index [<wazuh-alerts-3.x-{2020.05.26||/d{yyyy.MM.dd|UTC}}>] and [action.auto_create_index] ([.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*]) doesn't match","index_uuid":"_na_","index":"<wazuh-alerts-3.x-{2020.05.26||/d{yyyy.MM.dd|UTC}}>"}
It seems like the index wasn't auto-created, but I've already added the auto index create config in the es config file. The es configuration file looks like this:
[root@ssl alerts]# cat /etc/elasticsearch/elasticsearch.yml | egrep -v "^#|^$"
cluster.name: wazuh-clusteres
node.name: wazuh-ssl
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.40.243
cluster.initial_master_nodes: ["wazuh-ssl"]
xpack.security.enabled: true
action.auto_create_index: .monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*
xpack.security.audit.enabled: true
xpack.monitoring.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]
The filebeat configuration file:
[root@ssl alerts]# cat /etc/filebeat/filebeat.yml | egrep -v "^#|^$"
filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch:
  hosts: ["https://192.168.40.243:9200"]
  username: "elastic"
  password: ####hidden here#####
  ssl.certificate: "/etc/filebeat/certs/wazuh-manager.crt"
  ssl.key: "/etc/filebeat/certs/wazuh-manager.key"
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca/ca.crt"]
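As an added example that is not part of the post: a small Python check of whether an index name, either literal or after resolving the date-math form `<prefix{date||/d{format|tz}}>` that appears in the error above, matches the action.auto_create_index list copied from the elasticsearch.yml in the post. It shows that the resolved name wazuh-alerts-3.x-2020.05.26 matches the list while the unresolved `<...>` form does not, which is the comparison the error message reports; the date-math parsing covers only the shape seen in this post and is my own reading of how that name resolves, not Elasticsearch's code.

```python
import re
from datetime import datetime

# Patterns copied from the elasticsearch.yml in the post.
AUTO_CREATE_INDEX = (".monitoring*,.watches,.triggered_watches,.watcher-history*,"
                     ".ml*,wazuh-alerts-3.x-*,wazuh-monitoring-3.x-*")

# Only the date-math shape emitted by the date_index_name processor is handled
# (assumption): <prefix{DATE||/ROUND{FORMAT|TZ}}> with a yyyy.MM.dd style format.
DATE_MATH = re.compile(
    r"^<(?P<prefix>[^{]*)\{(?P<date>[^|]+)\|\|(?P<round>/[yMwdhHms])?"
    r"\{(?P<fmt>[^|]+)\|(?P<tz>[^}]+)\}\}>$"
)
# Java date-format tokens used in the post mapped to strftime equivalents.
JAVA_TO_STRFTIME = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H"}


def _strftime_fmt(java_fmt):
    out = java_fmt
    for java, py in JAVA_TO_STRFTIME.items():
        out = out.replace(java, py)
    return out


def resolve_index_name(name):
    """Turn a date-math index name into the concrete name; literal names pass through."""
    m = DATE_MATH.match(name)
    if not m:
        return name
    fmt = _strftime_fmt(m["fmt"])
    day = datetime.strptime(m["date"], fmt)
    # Rounding down to the day (/d) leaves a yyyy.MM.dd date unchanged.
    return m["prefix"] + day.strftime(fmt)


def _wildcard_match(pattern, name):
    # action.auto_create_index patterns only use '*' as a wildcard.
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, name) is not None


def auto_create_allowed(name, setting=AUTO_CREATE_INDEX):
    """Mimic action.auto_create_index: first matching pattern wins, '-' prefix denies."""
    for pat in (p.strip() for p in setting.split(",")):
        allow = not pat.startswith("-")
        if _wildcard_match(pat.lstrip("+-"), name):
            return allow
    return False
```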