Elasticsearch not loading logs from logstash and filebeat

Hello guys,

I'm trying to build a SIEM, after searching for different solutions I wanted to try the ELK-Stack with Filebeat.
I've followed this tutorial, and encountered the error at the end of the fourth part. I tried to reinstall, but got the exact same error.
Since I don't really know how this stack works I'm struggling to debug the problem.
I don't have any logs on filebeat, elasticsearch or logstash.
Running netstat shows me that all of my services are correctly running and I can reach my Kibana web dashboard (which is empty).
Why is my logstash not sending data to my elasticsearch? Can filebeat be struggling to send data to logstash?
My different configuration files look the same as in the tutorial.

Regards

Welcome!

I'd not follow a non-official, outdated guide. This one is 2 years old, using a 7.x version, whereas we are at 8.12.2 :wink:

And do you know that Elastic has now an out of the box SIEM experience available within the Security solution?

You have an up-to-date starting guide at Getting started: Use Elastic Security for SIEM | Starting with the Elasticsearch Platform and its Solutions [8.12] | Elastic

I'd follow it.

Please note that step 1 indicates the usage of Elastic Cloud as it's much easier to set it up, but you can always run that locally, either with Docker compose or directly. You "just" need to start Elasticsearch and Kibana.

There's also a quickstart video at Free training for threat detection with Elastic Security | Elastic Training

Hello,

Thanks for your reply, I guess the tutorial is too old and not precise enough for what I want.

I didn't know Elastic has a SIEM solution, but my company wants to work only with free open source projects...

I'm okay with building it by myself with Elastic solutions:
elastic-download

For the installation, I ran the commands:

curl https://artifacts.elastic.co/downloads/kibana/kibana-8.12.2-amd64.deb --output kibana-8.12.2-amd64.deb
curl https://artifacts.elastic.co/downloads/logstash/logstash-8.12.2-amd64.deb --output logstash-8.12.2-amd64.deb
curl https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-8.12.2-amd64.deb --output elasticsearch-8.12.2-amd64.deb
dpkg -i *.deb

But I got weird results.

root@ELK-Stack:~# tail -f /var/log/elasticsearch/elasticsearch.log 
[2024-03-14T14:44:44,528][ERROR][o.e.b.Elasticsearch      ] [ELK-Stack] fatal exception while booting Elasticsearch
java.lang.RuntimeException: can not run elasticsearch as root
	at org.elasticsearch.bootstrap.Elasticsearch.initializeNatives(Elasticsearch.java:282) ~[elasticsearch-8.12.2.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.initPhase2(Elasticsearch.java:167) ~[elasticsearch-8.12.2.jar:?]
	at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:72) ~[elasticsearch-8.12.2.jar:?]

I tried a fresh install by following this topic, but got the same "can not run elasticsearch as root" error.

Should I just change the name of my topic as 'Struggling with ELK installation', or open a new one?

Regards

As the message says, you cannot run elasticsearch as root; you need to run it using the elasticsearch user.

Since you installed it as a deb package, you need to run it as a service with systemd.

Try systemctl start elasticsearch; this will start elasticsearch as the elasticsearch user.

1 Like
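A small post-install check, added here as an example and not part of the thread or of the Elastic packages: it spots the "can not run elasticsearch as root" boot failure in the log and confirms that the service started by systemd actually runs under the elasticsearch account. The log path and service account are the deb package defaults; the sample log lines are constructed after the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a deb-installed
# Elasticsearch after `systemctl start elasticsearch`.
# Assumed defaults from the deb package: log path and service user.
ES_LOG="${ES_LOG:-/var/log/elasticsearch/elasticsearch.log}"
ES_USER="${ES_USER:-elasticsearch}"

# Return 0 if the log text on stdin contains the fatal "run as root" error.
log_has_root_error() {
    grep -q 'can not run elasticsearch as root'
}

# Given a process owner name, return 0 only if it is the service account.
owner_is_service_user() {
    [ "$1" = "$ES_USER" ]
}

# Live check: ask systemd for the main PID and report who owns it.
check_running_owner() {
    pid=$(systemctl show -p MainPID --value elasticsearch 2>/dev/null)
    if [ -z "$pid" ] || [ "$pid" = "0" ]; then
        echo "elasticsearch service is not running; start it with: systemctl start elasticsearch"
        return 1
    fi
    # Wide user column so a 13-character name is not replaced by the uid.
    owner=$(ps -o user:32= -p "$pid" | tr -d ' ')
    if owner_is_service_user "$owner"; then
        echo "elasticsearch (pid $pid) runs as $owner: OK"
    else
        echo "elasticsearch (pid $pid) runs as $owner, expected $ES_USER"
        return 1
    fi
}

# Constructed sample log lines, modelled on the ones posted in the thread.
SAMPLE_BAD='[2024-03-14T14:44:44,528][ERROR][o.e.b.Elasticsearch      ] [ELK-Stack] fatal exception while booting Elasticsearch
java.lang.RuntimeException: can not run elasticsearch as root'
SAMPLE_OK='[2024-03-14T14:50:01,000][INFO ][o.e.n.Node               ] [ELK-Stack] started'

main() {
    if [ -r "$ES_LOG" ] && log_has_root_error < "$ES_LOG"; then
        echo "log shows a root-boot failure; do not launch bin/elasticsearch by hand as root"
    fi
    check_running_owner
}

# Run the live checks only when executed directly as es_check.sh (hypothetical
# file name), so the functions can be sourced for offline testing.
if [ "${0##*/}" = "es_check.sh" ]; then
    main
fi
```

Save it as es_check.sh and run it as root on the ELK host after `systemctl start elasticsearch`; a non-zero exit means either the service is down or the process is owned by the wrong account.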
