Cannot get network socket info

Hello,

I'm deploying Elasticsearch SIEM using Auditbeat and having trouble getting the network socket counts and open/closed information. They all show a value of 0 in the network socket dashboard.

In my deployment I have Elasticsearch 7.8, Kibana 7.8, and the Auditbeat agent 7.8.

I don't use Logstash, and I don't know if it's required for SIEM.

The agents are installed on the CentOS 7 distro with kernel release 3.10.0-1062.12.1.el7.x86_64.

Does anyone have similar issues and can help here?

Thanks,
Ali

Hi @ali.al-janabi,

With auditbeat, socket data is provided by the system socket dataset. It sounds like your hosts are compatible, so my first suggestion would be to ensure that your agent configuration includes that dataset.

However, if you're looking for more sophisticated network data, Packetbeat may be a better option for you.

If you need additional assistance, your auditbeat configuration and/or some sample auditbeat data would be helpful for diagnosis.

Thank you @RylandHerrick ,
I believe I do have the socket dataset configured in my agents; here is what I have:

- module: system
  datasets:
    - socket
  socket.include_localhost: false
  period: 3s
  state.period: 1m

I do get the inbound and outbound info, but not the socket count or open/closed.

Thanks
Ali

@ali.al-janabi this might be an issue with your dashboards themselves. That dataset was refactored a while ago (link) such that flow events are only reported after a socket closes, which is a departure from the previous open/close events.

To help diagnose, it would be great to see the underlying query of those visualizations along with some representative auditbeat data; I'd encourage you to poke around in Discover to get a sense of your data.

Thanks!

@RylandHerrick

Thanks. We are using the standard dashboards we get when we run the auditbeat setup command to create the index and the dashboards; we don't have any custom settings, dashboards, or data yet. Here is the request I was able to extract from the open socket visualization in the [Auditbeat System] Socket Dashboard ECS:

{
  "aggs": {},
  "size": 0,
  "stored_fields": [
    "*"
  ],
  "script_fields": {},
  "docvalue_fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "event.created",
      "format": "date_time"
    },
    {
      "field": "event.end",
      "format": "date_time"
    },
    {
      "field": "event.ingested",
      "format": "date_time"
    },
    {
      "field": "event.start",
      "format": "date_time"
    },
    {
      "field": "file.accessed",
      "format": "date_time"
    },
    {
      "field": "file.created",
      "format": "date_time"
    },
    {
      "field": "file.ctime",
      "format": "date_time"
    },
    {
      "field": "file.mtime",
      "format": "date_time"
    },
    {
      "field": "package.installed",
      "format": "date_time"
    },
    {
      "field": "process.parent.start",
      "format": "date_time"
    },
    {
      "field": "process.start",
      "format": "date_time"
    },
    {
      "field": "system.audit.host.boottime",
      "format": "date_time"
    },
    {
      "field": "system.audit.package.installtime",
      "format": "date_time"
    },
    {
      "field": "system.audit.user.password.last_changed",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.client.not_before",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_after",
      "format": "date_time"
    },
    {
      "field": "tls.server.not_before",
      "format": "date_time"
    }
  ],
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "match_all": {}
        },
        {
          "match_phrase": {
            "event.dataset": {
              "query": "socket"
            }
          }
        },
        {
          "match_phrase": {
            "event.action": {
              "query": "socket_opened"
            }
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2020-08-20T19:50:29.720Z",
              "lte": "2020-08-20T20:50:29.720Z",
              "format": "strict_date_optional_time"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

Here is the response:

{
  "took": 1,
  "timed_out": false,
  "_shards": {
    "total": 2,
    "successful": 2,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 0,
    "max_score": null,
    "hits": []
  }
}

Thank you!

Hi @ali.al-janabi, can you check whether the auditbeat-* indices contain socket events?

If you query event.module:system and event.dataset:socket from auditbeat-* in the Discover page, do you have events?

If so, then I think we have a bug with the dashboard, and it needs to be updated to reflect the new structure of the flow events.

@andrewkroh

Yes, I do have events; check the attached.

Thanks,
Ali

Since you have the socket data, where each event represents a flow, you can use the Security app's Network page to view the data. The dashboard does need an update to move away from the old format of the data.
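As an added illustration of the diagnosis in this thread (this is not code from the thread or from Elastic), the script below constructs a few documents shaped like auditbeat 7.x system/socket flow events and evaluates the dashboard's filter set from the request posted above against them. It shows three things at once: the legacy event.action:socket_opened filter matches nothing, the event.module:system and event.dataset:socket Discover check matches every flow, and a per-direction summary shows how counts can be derived from flow events instead of open/close events. The field layout (event.action "network_flow", network.direction, source.bytes, destination.bytes) follows my understanding of the 7.x socket dataset; the sample values are constructed and should be compared against your own events in Discover.

```python
"""Added example, not code from the thread or from Elastic: model the stale
Socket dashboard filter against flow-shaped auditbeat system/socket events."""
from datetime import datetime

# Constructed documents shaped like auditbeat 7.x system/socket flow events.
# The refactored dataset emits one document per flow, after the socket closes,
# with event.action "network_flow"; it no longer emits socket_opened or
# socket_closed documents. IPs, ports, bytes and pids are made up.
SAMPLE_EVENTS = [
    {"@timestamp": "2020-08-20T20:10:00.000Z",
     "event": {"module": "system", "dataset": "socket", "action": "network_flow"},
     "network": {"direction": "outbound", "transport": "tcp"},
     "source": {"ip": "10.0.0.5", "port": 51234, "bytes": 1200},
     "destination": {"ip": "93.184.216.34", "port": 443, "bytes": 8400},
     "process": {"name": "curl", "pid": 4242}},
    {"@timestamp": "2020-08-20T20:12:30.000Z",
     "event": {"module": "system", "dataset": "socket", "action": "network_flow"},
     "network": {"direction": "outbound", "transport": "udp"},
     "source": {"ip": "10.0.0.5", "port": 40001, "bytes": 300},
     "destination": {"ip": "10.0.0.53", "port": 53, "bytes": 500},
     "process": {"name": "systemd-resolve", "pid": 711}},
    {"@timestamp": "2020-08-20T20:20:05.000Z",
     "event": {"module": "system", "dataset": "socket", "action": "network_flow"},
     "network": {"direction": "inbound", "transport": "tcp"},
     "source": {"ip": "10.0.0.9", "port": 55120, "bytes": 2000},
     "destination": {"ip": "10.0.0.5", "port": 22, "bytes": 100},
     "process": {"name": "sshd", "pid": 1300}},
    # Outside the dashboard's one-hour window; exercises the range clause.
    {"@timestamp": "2020-08-20T18:00:00.000Z",
     "event": {"module": "system", "dataset": "socket", "action": "network_flow"},
     "network": {"direction": "inbound", "transport": "tcp"},
     "source": {"ip": "10.0.0.9", "port": 55100, "bytes": 50},
     "destination": {"ip": "10.0.0.5", "port": 22, "bytes": 60},
     "process": {"name": "sshd", "pid": 1299}},
]


def get_path(doc, dotted):
    """Resolve a dotted ECS field name ("event.action") in a nested document."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def parse_ts(value):
    """Parse the Zulu ISO-8601 timestamps auditbeat writes."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(doc, query):
    """Evaluate the subset of the query DSL the dashboard uses: a bool.filter
    list of match_all, match_phrase and range-on-timestamp clauses."""
    for clause in query["bool"]["filter"]:
        if "match_all" in clause:
            continue
        if "match_phrase" in clause:
            (field, spec), = clause["match_phrase"].items()
            wanted = spec["query"] if isinstance(spec, dict) else spec
            if get_path(doc, field) != wanted:
                return False
        elif "range" in clause:
            (field, spec), = clause["range"].items()
            raw = get_path(doc, field)
            if raw is None:
                return False
            ts = parse_ts(raw)
            if "gte" in spec and ts < parse_ts(spec["gte"]):
                return False
            if "lte" in spec and ts > parse_ts(spec["lte"]):
                return False
        else:
            raise ValueError("unsupported clause: %r" % (clause,))
    return True


def count_hits(docs, query):
    """hits.total for the given documents, as Elasticsearch would report it."""
    return sum(1 for d in docs if matches(d, query))


def dashboard_query(action):
    """The stock visualization's filter set from the thread, with event.action
    as a parameter so the legacy and flow-based values can be compared."""
    return {"bool": {"filter": [
        {"match_all": {}},
        {"match_phrase": {"event.dataset": {"query": "socket"}}},
        {"match_phrase": {"event.action": {"query": action}}},
        {"range": {"@timestamp": {"gte": "2020-08-20T19:50:29.720Z",
                                  "lte": "2020-08-20T20:50:29.720Z"}}},
    ]}}


def discover_query():
    """The check suggested in the thread: event.module:system and event.dataset:socket."""
    return {"bool": {"filter": [
        {"match_phrase": {"event.module": {"query": "system"}}},
        {"match_phrase": {"event.dataset": {"query": "socket"}}},
    ]}}


def flows_by_direction(docs):
    """Flow count and total bytes per network.direction, derived from flow
    events rather than from socket_opened/socket_closed events."""
    summary = {}
    for d in docs:
        if get_path(d, "event.action") != "network_flow":
            continue
        direction = get_path(d, "network.direction") or "unknown"
        entry = summary.setdefault(direction, {"flows": 0, "bytes": 0})
        entry["flows"] += 1
        entry["bytes"] += (get_path(d, "source.bytes") or 0) + (get_path(d, "destination.bytes") or 0)
    return summary


if __name__ == "__main__":
    print("socket_opened hits:", count_hits(SAMPLE_EVENTS, dashboard_query("socket_opened")))
    print("network_flow hits:", count_hits(SAMPLE_EVENTS, dashboard_query("network_flow")))
    print("Discover check hits:", count_hits(SAMPLE_EVENTS, discover_query()))
    print("flows by direction:", flows_by_direction(SAMPLE_EVENTS))
```

The same comparison can be run against a live cluster by sending dashboard_query("socket_opened") and dashboard_query("network_flow") to the auditbeat-* _count endpoint: if the first returns 0 and the second does not, the data is fine and the visualization's event.action filter is what needs updating.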
