Error activating rule…

Hey,

I have installed ELK using Docker. It is up and running fine, but the problem occurs when I try to activate pre-built rules.

My docker-compose.yml configurations are:

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.path=elastic-stack-ca.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-stack-ca.p12:/usr/share/elasticsearch/config/elastic-stack-ca.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:7.8.0
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "http://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: "@elk1234"
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

Kindly help me out.

Can you elaborate on what rules you are referring to here?

The 92 pre-built rules provided by ELK for Windows, for testing RTA.

Do you have both HTTP and HTTPS turned on there? I'm not a big developer on Docker at the moment, but before, when there were problems:

The solution usually was that they had to ensure they were using SSL/HTTPS within Docker to be able to use the API keys feature.

You will need to enable API keys in Elasticsearch.
Add this env into your compose:
xpack.security.authc.api_key.enabled=true


Yes, I tried this; when I enable it, it gives me an error of exit 78.

After adding xpack.security.authc.api_key.enabled=true:

ERROR: [1] bootstrap checks failed
[1]: HTTPS is required in order to use the API key service; please enable HTTPS using the [xpack.security.http.ssl.enabled] setting or disable the API key service using the [xpack.security.authc.api_key.enabled] setting

That makes sense. It wants HTTPS. As pointed out above, usually when we encounter this issue it's because HTTPS has to be enabled for the API keys to function, which the detection engine relies on. I think once you have HTTPS enabled for it you should be good to go.

Hey, both the instances are up and running, but I'm getting an error message when trying to access Kibana (this error is without HTTPS):

[screenshot of the Kibana error]

When accessing with HTTPS I am getting this error:

Elastic:

[screenshot of the Elasticsearch error]

Kibana configuration:

#
# ** THIS IS AN AUTO-GENERATED FILE **
#

# Default Kibana configuration for docker target
server.name: kibana
server.host: "0"
elasticsearch.hosts: [ "https://elasticsearch:9200" ]
elasticsearch.username: "kibana"
elasticsearch.password: ""
monitoring.ui.container.elasticsearch.enabled: true
elasticsearch.ssl.verificationMode: certificate
xpack.encryptedSavedObjects.encryptionKey: 'fhjskloppd678ehkdfdlliver123lfcr'

Elastic config

version: '3'

services:

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:7.8.0
    container_name: elasticsearch
    environment:
      - node.name=elasticsearch
      - discovery.seed_hosts=elasticsearch
      - cluster.initial_master_nodes=elasticsearch
      - cluster.name=docker-cluster
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - xpack.license.self_generated.type=basic
      - xpack.security.enabled=true
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      - xpack.security.authc.api_key.enabled=true
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.http.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.http.ssl.client_authentication=optional
      - xpack.security.http.ssl.verification_mode=certificate
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12
      - esdata1:/usr/share/elasticsearch/data
    ports:
      - 9200:9200

  kibana:
    image: docker.elastic.co/kibana/kibana:7.8.0
    container_name: kibana
    environment:
      ELASTICSEARCH_URL: "https://elasticsearch:9200"
      ELASTICSEARCH_USERNAME: "kibana"
      ELASTICSEARCH_PASSWORD: ""
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch

volumes:
  esdata1:
    driver: local

Kibana logs:

csearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:22Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:25Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:25Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:27Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}
{"type":"log","@timestamp":"2020-09-15T21:53:27Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"No living connections"}
{"type":"log","@timestamp":"2020-09-15T21:53:30Z","tags":["warning","elasticsearch","admin"],"pid":6,"message":"Unable to revive connection: https://elasticsearch:9200/"}

more logs

{"type":"log","@timestamp":"2020-09-15T21:57:08Z","tags":["error","elasticsearch","monitoring"],"pid":6,"message":"Request error, retrying\nGET https://elasticsearch:9200/_xpack => self signed certificate in certificate chain"}
{"type":"log","@timestamp":"2020-09-15T21:57:08Z","tags":["error","elasticsearch","monitoring"],"pid":6,"message":"Request error, retrying\nGET https://elasticsearch:9200/_xpack => self signed certificate in certificate chain"}

Now kindly suggest what I should do. This is so irritating; why don't you people limit it to a single certificate?
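As an added example (not from this thread or from Elastic), a small Python pre-flight check that catches both failures seen above before the containers are started: the Elasticsearch bootstrap check that refuses xpack.security.authc.api_key.enabled=true without HTTPS, and Kibana rejecting a self-signed chain because elasticsearch.ssl.certificateAuthorities has not been set. The compose environment lines and kibana.yml snippets it reads are constructed to mirror the thread, and the CA path is a placeholder.

```python
def parse_env_list(lines):
    """Read docker-compose 'environment' entries written as key=value."""
    settings = {}
    for raw in lines:
        item = raw.strip().lstrip("- ").strip('"')
        if "=" in item:
            key, value = item.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def parse_kibana_yml(text):
    """Minimal reader for a flat kibana.yml ('key: value' lines only, so no PyYAML dependency)."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip().strip("'\"")
    return settings

def check_stack(es_env, kibana):
    """Return findings as strings; an empty list means none of the known pitfalls are present."""
    truthy = lambda key: es_env.get(key, "false").lower() == "true"
    api_keys = truthy("xpack.security.authc.api_key.enabled")
    http_tls = truthy("xpack.security.http.ssl.enabled")
    findings = []
    # Pitfall 1: the bootstrap check quoted in the thread, the API key service requires HTTPS on the REST port.
    if api_keys and not http_tls:
        findings.append("es: api_key.enabled=true needs xpack.security.http.ssl.enabled=true (bootstrap check)")
    # Pitfall 2: Kibana talking https to a self-signed chain must be told which CA to trust.
    mode = kibana.get("elasticsearch.ssl.verificationMode", "full")
    if "https://" in kibana.get("elasticsearch.hosts", "") and mode != "none":
        if not kibana.get("elasticsearch.ssl.certificateAuthorities"):
            findings.append("kibana: set elasticsearch.ssl.certificateAuthorities (self signed certificate in chain)")
    if mode == "none":
        findings.append("kibana: verificationMode=none disables certificate checks; lab use only")
    return findings

# Constructed inputs mirroring the thread: ES with api_key but no HTTPS, then with HTTPS; Kibana without/with CA.
ES_NO_HTTPS = ["- xpack.security.enabled=true", "- xpack.security.authc.api_key.enabled=true"]
ES_HTTPS = ES_NO_HTTPS + ["- xpack.security.http.ssl.enabled=true",
                          "- xpack.security.http.ssl.keystore.path=elastic-certificates.p12"]
KIBANA_NO_CA = 'elasticsearch.hosts: [ "https://elasticsearch:9200" ]\nelasticsearch.ssl.verificationMode: certificate\n'
KIBANA_FIXED = KIBANA_NO_CA + "elasticsearch.ssl.certificateAuthorities: [ /usr/share/kibana/config/ca.crt ]\n"  # placeholder path

if __name__ == "__main__":
    for es, kb in ((ES_NO_HTTPS, KIBANA_NO_CA), (ES_HTTPS, KIBANA_NO_CA), (ES_HTTPS, KIBANA_FIXED)):
        print(check_stack(parse_env_list(es), parse_kibana_yml(kb)) or ["ok"])
```

The CA file mounted into the Kibana container must be the certificate of the CA that signed the Elasticsearch HTTP certificate (the one inside elastic-certificates.p12), not the server certificate itself.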