I am using this guide: How To Build A Security Information and Event Management (SIEM) System with Suricata and the Elastic Stack on Rocky Linux 8 | DigitalOcean
to install Suricata along with ELK stack on a Rocky Linux system.
I am using
Elasticsearch 7.17
Kibana 7.17
Filebeat 7.17
Rocky Linux 8.5
As per the guide, Suricata and Filebeat are installed on one server while Elasticsearch and Kibana are installed on the other server. I am able to load Kibana but the dashboard comes up all empty.
I tried this command
curl <IP>:9200/filebeat-/_refresh -u elastic:password
and I get this error:
{"error":{"root_cause":[{"type":"index_not_found_exception","reason":"no such index [filebeat-]","resource.type":"index_or_alias","resource.id":"filebeat-","index_uuid":"_na_","index":"filebeat-"}],"type":"index_not_found_exception","reason":"no such index [filebeat-]","resource.type":"index_or_alias","resource.id":"filebeat-","index_uuid":"_na_","index":"filebeat-"},"status":404}
I tried running the following command on the ES server
curl --user kibana_system -X GET "http://localhost:9200/_cat/indices"
and got the following result
green open .geoip_databases WB6T5H4yReCdyG6oDZyOvw 1 0 41 0 38.6mb 38.6mb
yellow open filebeat-7.17.0-2022.02.23-000001 DQC2UcW1T36aa7BU39EuMg 1 1 0 0 226b 226b
green open .kibana_7.17.0_001 fs_zsxQkRdu8x00NWBpDqw 1 0 2187 41 3mb 3mb
green open .apm-custom-link gfwbHKdvQFWfWUz0Ep-wZQ 1 0 0 0 226b 226b
green open .apm-agent-configuration Eu8jCSzNR4GIz4IGGop_fg 1 0 0 0 226b 226b
Filebeat.yml: filebeat.yml - Pastebin.com
Elasticsearch.yml: elasticsearch.yml - Pastebin.com
Kibana.yml: kibana.yml - Pastebin.com
I used the keystore method to configure Kibana credentials. Can anyone help with what I am missing? Why can't Filebeat send data or even locate the index?
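As an added example that is not part of the original post, here is a small Python script that parses plain `_cat/indices` output like the listing quoted above and flags every open `filebeat-` index whose document count is zero, which is the symptom behind an empty dashboard: the index was created from the template, but Filebeat never shipped an event into it. The sample rows are copied from the post; the column order assumes the default `_cat/indices` output with no `?v` or `?h` parameters.

```python
from __future__ import annotations
from dataclasses import dataclass

# Column order of the default `GET _cat/indices` output (no header line).
_COLUMNS = ("health", "status", "index", "uuid", "pri", "rep",
            "docs_count", "docs_deleted", "store_size", "pri_store_size")


@dataclass
class IndexRow:
    health: str
    status: str
    index: str
    uuid: str
    pri: int
    rep: int
    docs_count: int
    docs_deleted: int
    store_size: str
    pri_store_size: str


def parse_cat_indices(text: str) -> list[IndexRow]:
    """Turn whitespace-separated cat output into typed rows; skip odd lines."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(_COLUMNS):
            continue  # blank line, header, or a closed index with blank columns
        rec = dict(zip(_COLUMNS, fields))
        for key in ("pri", "rep", "docs_count", "docs_deleted"):
            rec[key] = int(rec[key])
        rows.append(IndexRow(**rec))
    return rows


def find_empty_indices(rows: list[IndexRow], prefix: str = "filebeat-") -> list[str]:
    """Open indices matching the prefix that hold no documents at all."""
    return [r.index for r in rows
            if r.index.startswith(prefix) and r.status == "open" and r.docs_count == 0]


# Constructed sample: rows copied from the `_cat/indices` listing in the post.
SAMPLE = """\
green open .geoip_databases WB6T5H4yReCdyG6oDZyOvw 1 0 41 0 38.6mb 38.6mb
yellow open filebeat-7.17.0-2022.02.23-000001 DQC2UcW1T36aa7BU39EuMg 1 1 0 0 226b 226b
green open .kibana_7.17.0_001 fs_zsxQkRdu8x00NWBpDqw 1 0 2187 41 3mb 3mb
"""

if __name__ == "__main__":
    for name in find_empty_indices(parse_cat_indices(SAMPLE)):
        print(f"no events indexed into {name}: check the Filebeat output section and logs")
```

Pipe the real listing in with `curl -u <user> http://localhost:9200/_cat/indices | python3 thisscript.py` after swapping `SAMPLE` for `sys.stdin.read()`; an index that stays at 0 docs while Suricata is writing `eve.json` points at the Filebeat side, not at Kibana.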