Hi guys, I am running Elastic Defend 8.7.1 on multiple Ubuntu 20.04.5 and CentOS 7 VMs. In both cases, network logs from outbound connections are missing (from logged-in users or services); there are only logs for inbound connections.
To my understanding there are supposed to be login logs too? (There are not.)
Process, file, and malware events are fine though.
Is there a way to debug this, or might there be a reason there is nothing in the logs? All event types are enabled in the Linux integration.
I think this is because of the somewhat confusing way that source and destination IPs are presented in network events on Linux. We are planning to change that in the new version.
Currently the "source" and "destination" IP fields in network events are presented such that the "source" IP is always the local host on which Defend is running, and the "destination" IP is the IP of the remote host. So for a connection_accepted network event (related to some server running on the host, accepting a connection from a remote host) the source IP will be the IP of your host. I agree this is confusing; it should be thought of more like "local" and "remote" IPs.
So if you want to view only the network events showing remote hosts connecting to your system, then you should filter for the 'connection_accepted' network event.
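The following is an added example, not code from the thread or from Elastic: it encodes the semantics described in the answer above (on Linux, source.ip is always the local host running Defend and destination.ip is the remote peer, so direction must be taken from event.action rather than from the IP fields) and derives both a per-direction count and the matching KQL filter from one place. The sample documents are constructed; the field layout (event.category, event.action, source.ip/port, destination.ip/port, process.name) follows ECS conventions, and the action name connection_attempted for outbound connects is an assumption, since only connection_accepted is named in the thread.

```python
"""Normalise Elastic Defend (Linux) network events into local/remote terms.

Added example. Assumes ECS-style documents where source.* is the local
host and destination.* is the remote peer regardless of who initiated the
connection, so direction has to come from event.action.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

INBOUND_ACTIONS = {"connection_accepted"}     # action named in the thread
OUTBOUND_ACTIONS = {"connection_attempted"}   # assumed name of the outbound-connect action

# Constructed sample documents shaped like Elastic Defend network/process events.
SAMPLE_EVENTS = [
    {"event": {"category": ["network"], "action": "connection_accepted"},
     "source": {"ip": "10.0.0.5", "port": 22},
     "destination": {"ip": "198.51.100.7", "port": 51512},
     "process": {"name": "sshd"}},
    {"event": {"category": ["network"], "action": "connection_attempted"},
     "source": {"ip": "10.0.0.5", "port": 44120},
     "destination": {"ip": "203.0.113.10", "port": 443},
     "process": {"name": "curl"}},
    {"event": {"category": ["network"], "action": "disconnect_received"},
     "source": {"ip": "10.0.0.5", "port": 22},
     "destination": {"ip": "198.51.100.7", "port": 51512},
     "process": {"name": "sshd"}},
    {"event": {"category": ["process"], "action": "exec"},
     "process": {"name": "bash"}},
]


@dataclass(frozen=True)
class Connection:
    direction: str      # "inbound", "outbound" or "other"
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    process: str


def normalise(doc: dict) -> Optional[Connection]:
    """Map one Defend network document to local/remote terms.

    Returns None for non-network documents. The IP fields are copied
    straight across (source = local, destination = remote); only the
    direction label depends on event.action.
    """
    event = doc.get("event", {})
    if "network" not in event.get("category", []):
        return None
    action = event.get("action", "")
    if action in INBOUND_ACTIONS:
        direction = "inbound"
    elif action in OUTBOUND_ACTIONS:
        direction = "outbound"
    else:
        direction = "other"   # e.g. disconnect events carry no initiator
    src = doc.get("source", {})
    dst = doc.get("destination", {})
    return Connection(
        direction=direction,
        local_ip=src.get("ip", ""),
        local_port=int(src.get("port", 0)),
        remote_ip=dst.get("ip", ""),
        remote_port=int(dst.get("port", 0)),
        process=doc.get("process", {}).get("name", ""),
    )


def summarise(docs: Iterable[dict]) -> Dict[str, int]:
    """Count network events per direction; a zero 'outbound' bucket is the
    quickest way to see the symptom described in the question."""
    counts = {"inbound": 0, "outbound": 0, "other": 0}
    for doc in docs:
        conn = normalise(doc)
        if conn is not None:
            counts[conn.direction] += 1
    return counts


def kql_for(direction: str) -> str:
    """KQL filter for Kibana built from the same action sets, so the query
    and the Python logic cannot drift apart."""
    actions = {"inbound": INBOUND_ACTIONS, "outbound": OUTBOUND_ACTIONS}[direction]
    clause = " or ".join(f'event.action : "{a}"' for a in sorted(actions))
    return f'event.category : "network" and ({clause})'


if __name__ == "__main__":
    for doc in SAMPLE_EVENTS:
        conn = normalise(doc)
        if conn:
            print(f"{conn.direction:8} {conn.process:6} "
                  f"local={conn.local_ip}:{conn.local_port} "
                  f"remote={conn.remote_ip}:{conn.remote_port}")
    print(summarise(SAMPLE_EVENTS))
    print(kql_for("inbound"))
```

Running it labels the sshd event as inbound and the curl event as outbound even though both carry the same local address in source.ip, which is exactly why filtering on source/destination alone will not separate the two. The generated KQL string can be pasted into Discover to show only remote hosts connecting to the endpoint, as the answer suggests.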