Error activating rule…

Akash_Upadhyay · September 12, 2020, 10:16pm

Hey,

I have installed elk using docker. It is up and running fine. But the problem occurs when I try to activate pre-built rules.

My docker-compose.yml configurations are:

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:7.8.0
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "http://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: "@elk1234"
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

Kindly help me out

warkolm · September 13, 2020, 11:17pm

Can you elaborate on what rules you are referring to here?

Akash_Upadhyay · September 14, 2020, 5:08am

The 92 Pre-built rules provided by elk for windows for testing RTA.

Frank_Hassanabad · September 15, 2020, 3:06pm

Do you have both http and https turned on there? I'm not a big developer on docker at the moment but before when there were problems:

The solution usually was they had to ensure they were using the SSL/https within docker to be able to use the API keys feature.

ylasri · September 15, 2020, 3:08pm

You will need to enable API_Key in elasticsearch
Add this env into your compser
xpack.security.authc.api_key.enabled=true

Akash_Upadhyay · September 15, 2020, 7:11pm

yes I tried this when I enable this it gives me an error of exit 78

Akash_Upadhyay · September 15, 2020, 7:23pm

After adding xpack.security.authc.api_key.enabled=ture

ERROR: [1] bootstrap checks failed
[1]: HTTPS is required in order to use the API key service; please enable HTTPS using the [xpack.security.http.ssl.enabled] setting or disable the API key service using the [xpack.security.authc.api_key.enabled] setting

Frank_Hassanabad · September 15, 2020, 8:28pm

That makes sense. It wants https. As pointed out above usually when we encounter this issue it's because https has to be enabled for the API keys to function which the detection engine relies on. I think once you have https enabled for it you should be good to go.

Akash_Upadhyay · September 15, 2020, 10:11pm

Hey Both the instances are up and running done getting error msg when trying to access kibana (This error is without https)

When accessing with https i am getting this error:

Elastic:

Kibana configuration:

#
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "https://elasticsearch:9200" ]
elasticsearch.username: "kibana"
elasticsearch.password: ""
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.ssl.verificationMode: certificate
xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliver123lfcr'

Elastic config

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      - xpack.security.authc.api_key.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.http.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.http.ssl.client_authentication=optional
      - xpack.security.http.ssl.verification_mode=certificate 
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:7.8.0
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "https://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: ""
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

Kibana logs:

csearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:22Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:25Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:25Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:27Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:27Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:30Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}

more logs

{"type":"log","@timestamp":"2020-09-15T21:57:08Z","tags":["error","elasticsearch","monitoring"],"pid":6,"message":"Request error, retrying\nGET https://elasticsearch:9200/_xpack => self signed certificate in certificate chain"}
{"type":"log","@timestamp":"2020-09-15T21:57:08Z","tags":["error","elasticsearch","monitoring"],"pid":6,"message":"Request error, retrying\nGET https://elasticsearch:9200/_xpack => self signed certificate in certificate chain"}

Now kindly suggest me what should I do? This is so irritating why don't you people limit to single certificate.

system · October 13, 2020, 10:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic search docker container stops automatically Elasticsearch	3	5743	August 23, 2019
Failed to installed pre-packaged rules from elastic SIEM	4	1508	March 12, 2020
Docker compose ELK Discussions en français	52	103	October 29, 2024
Run ELK with docker compose Elasticsearch docker	8	1169	June 9, 2023
Unable to grant an API Key, request does not contain an authorization header Kibana elastic-stack-security , docker	8	1105	July 3, 2021

Error activating rule…

Related Topics