Filebeat: ES not receiving index from filebeat

I'm trying to explore the security recipe for suspicious login activity on my local machine:
https://github.com/elastic/examples/blob/master/Machine%20Learning/Security%20Analytics%20Recipes/suspicious_login_activity/configs/filebeat/filebeat.yml

When trying to index the auth.log, nothing appears in the Create index pattern page of Kibana.

Here's my filebeat.yml:

filebeat.modules:
- module: system
  syslog:
    enabled: false
  auth:
    enabled: true
    var.paths: ["/data/auth.log"]

name: test

output.elasticsearch:
  hosts: ["http://elastic-url:9200"]
  username: "elastic"
  password: "secret"

setup.kibana:
  host: "http://kibana-url:5601"
  username: "elastic"
  password: "secret"

logging.level: debug
logging.selectors: ["publish"]
setup.dashboards.enabled: true

Am I missing something?

Hi @jemueldalino,

Did you run the filebeat setup command? It should configure Kibana and deploy some dashboards for you.

Best regards

I just ran filebeat via docker run using the .yml earlier. The dashboards were created but there's no data. When checking index patterns, there are indices. Is my var.path wrong?

Hi,
What's the OS platform?

For Debian systems the logins will be stored in /var/log/auth.log.
For Red Hat systems I think the file is /var/log/secure.
The auth logs vary. Does /data/auth.log actually have data in it?
Are any other logs from filebeat available in ES?
ES requires two plugins to be installed for Filebeat to work properly.

Vishnu
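As an added illustration (not part of this thread, the Elastic recipe, or the Filebeat module code), a small Python check for the question above: does the file named in var.paths actually contain the sshd login lines the system/auth fileset parses? It assumes the Debian-style auth.log format, uses constructed sample lines, and summarizes failures and successes per source IP, including the failure-then-success pattern the suspicious-login recipe looks for.

```python
import re
from collections import Counter

# Constructed sample of Debian-style auth.log lines (sshd + sudo); not real data.
SAMPLE_AUTH_LOG = [
    "Mar  1 10:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Mar  1 10:00:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 51235 ssh2",
    "Mar  1 10:00:09 host sshd[1240]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
    "Mar  1 10:00:15 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/ls",
    "Mar  1 10:00:20 host sshd[1250]: Accepted publickey for bob from 203.0.113.5 port 51300 ssh2",
]

# Matches the sshd login lines that become success/failure events in the system/auth
# fileset. The pattern is written here for illustration; it is not the module's own grok.
SSHD_LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

def parse_auth_lines(lines):
    """Return one dict per sshd login line; other lines (sudo, cron, ...) are skipped."""
    events = []
    for line in lines:
        m = SSHD_LOGIN_RE.match(line.rstrip("\n"))
        if m:
            ev = m.groupdict()
            ev["outcome"] = "success" if ev["outcome"] == "Accepted" else "failure"
            events.append(ev)
    return events

def summarize(events):
    """Count outcomes per source IP and flag IPs that log in after earlier failures."""
    failures, successes, flagged = Counter(), Counter(), []
    for ev in events:  # file order is chronological, so counts so far are "before this login"
        if ev["outcome"] == "failure":
            failures[ev["ip"]] += 1
        else:
            successes[ev["ip"]] += 1
            if failures[ev["ip"]] and ev["ip"] not in flagged:
                flagged.append(ev["ip"])
    return {"events": len(events), "failures": dict(failures),
            "successes": dict(successes), "failure_then_success": flagged}

def check_auth_file(path):
    """Sanity check for var.paths: the file must exist and contain parseable login lines."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        events = parse_auth_lines(fh)
    if not events:
        raise ValueError(f"{path}: no sshd login lines found; is this really the auth log?")
    return summarize(events)

if __name__ == "__main__":
    print(summarize(parse_auth_lines(SAMPLE_AUTH_LOG)))
```

Run check_auth_file("/data/auth.log") inside the container (or against the host path mounted there) before debugging Elasticsearch; an empty or mismatched file raises instead of silently producing no events.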
