Filebeat: ES not receiving index from filebeat

Elastic Stack Beats
1

I'm trying to explore the security recipe for suspicious login activity in my local machine
https://github.com/elastic/examples/blob/master/Machine%20Learning/Security%20Analytics%20Recipes/suspicious_login_activity/configs/filebeat/filebeat.yml

When trying to index the auth.log, nothing appears in the create index pattern of kibana.

Here's my filebeat.yml

filebeat.modules:

  • module: system
    syslog:
    enabled: false
    auth:
    enabled: true
    var.paths: ["/data/auth.log"]
    name: test
    output.elasticsearch:
    hosts: ["http://elastic-url:9200"]
    username: "elastic"
    password: "secret"
    setup.kibana:
    host: "http://kibana-url:5601"
    username: "elastic"
    password: "secret"
    logging.level: debug
    logging.selectors: ["publish"]
    setup.dashboards.enabled: true

Am I missing something?

2

Hi @jemueldalino,

Did you run filebeat setup command? It should configure kibana and deploy some dashboards for you.

Best regards

3

I just ran filebeat via docker run using the .yml earlier. The dashboards were created but theres no data. When checking index patterns, there's indices. Is my var.path wrong?

4

Hi,
Whats the OS platform?

For Debian systems the logins will be stored in /var/log/auth.log
For Redhat Systems I think the file is /var/log/secure.
The auth logs vary. Whether the /data/auth.log is having data?
Does any other logs are available in ES from filebeat?
ES requires two plugin installation for the proper working of Filebeat.

Vishnu