Hello, I am having an issue while setting up the Filebeat module for threat hunting.
This is the error I am getting:
```
root@wazuh:/etc/kibana# sudo filebeat setup
Overwriting ILM policy is disabled. Set setup.ilm.overwrite: true for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://0.0.0.0:5601/api/status fails: fail to execute the HTTP GET request: Get "http://0.0.0.0:5601/api/status": dial tcp 0.0.0.0:5601: connect: connection refused (status=0). Response:
```
The configuration of the filebeat.yml file looks like this:

```yaml
# =================================== Kibana ===================================
setup.kibana:
  host: "0.0.0.0:5601"

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["0.0.0.0:9200"]
  ssl.certificate_authorities: ["/etc/elasticsearch/certs/elasticsearch.crt"]
  ssl.certificate: "/etc/elasticsearch/certs/elasticsearch.crt"
  ssl.key: "/etc/elasticsearch/certs/elasticsearch.key"

  # Protocol - either http (default) or https.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  api_key: "changed:changed changed"
  username: "elastic"
  #password: "changed"
```
Also, I have a totally different question.
I have network traffic coming into Elastiflow from multiple FWs. Can I apply threat intelligence/Filebeat to that network traffic, so that I do not have to set up Filebeat on multiple hosts?
Or maybe my understanding of Filebeat is wrong. But please guide me on what to do and how to do it.
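Editor's note with an added example (not part of the original post, and not Filebeat's own tooling). The output above already narrows the problem: "Index setup finished." means the Elasticsearch output connected over HTTPS with the listed certificates, so only the Kibana step fails. `setup.kibana.host` is a destination Filebeat connects to as a client, and `0.0.0.0` is the wildcard address used for *binding* a listener, not for reaching one; on Linux a connect to `0.0.0.0` is delivered to the local host, so "connection refused" means nothing is listening on port 5601 on the loopback address (which is what happens when `server.host` in kibana.yml is set to a specific interface IP). The script below flags wildcard addresses in a filebeat.yml and probes `/api/status` the way `filebeat setup` does; the sample config it writes is constructed to mirror the posted block and the `/etc/filebeat/filebeat.yml` path in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original post, not Filebeat's own tooling):
# sanity-check the Kibana endpoint in a filebeat.yml before running
# `filebeat setup`. Filebeat connects to setup.kibana.host as a client, so
# the value must be an address Kibana actually listens on; 0.0.0.0 / :: are
# wildcard *bind* addresses, not destinations.
set -u

# Return 0 if host[:port] names a real destination, 1 if it is a wildcard
# address (0.0.0.0, ::, [::]) that a client should never be pointed at.
is_connectable_host() {
  local hostport="$1" host
  host="${hostport%:*}"                  # drop the :port suffix
  host="${host#\[}"; host="${host%\]}"   # drop IPv6 brackets
  case "$host" in
    0.0.0.0|::|"") return 1 ;;
    *)             return 0 ;;
  esac
}

# Print the value of the first `host:` key under `setup.kibana:` in a
# filebeat.yml (the flat two-level layout Filebeat ships with).
kibana_host_from_config() {
  awk '
    /^setup\.kibana:/            { in_k = 1; next }
    in_k && /^[^[:space:]#]/     { in_k = 0 }          # next top-level key
    in_k && /^[[:space:]]*host:/ {
      sub(/^[[:space:]]*host:[[:space:]]*/, ""); gsub(/"/, ""); print; exit
    }' "$1"
}

# Return 0 if the configured Kibana host is connectable, 1 with a hint otherwise.
check_config() {
  local cfg="$1" host
  host="$(kibana_host_from_config "$cfg")"
  if is_connectable_host "$host"; then
    echo "setup.kibana.host=$host: ok"
    return 0
  fi
  echo "setup.kibana.host='$host' is a wildcard/bind address." >&2
  echo "Use the IP or hostname Kibana listens on (server.host in kibana.yml)," >&2
  echo "e.g. host: \"127.0.0.1:5601\" or host: \"<kibana_ip>:5601\"." >&2
  return 1
}

# Probe Kibana the same way `filebeat setup` does (GET /api/status) and
# print the HTTP status code; 000 means the TCP connection itself failed.
probe_kibana() {
  curl -sS --max-time 5 -o /dev/null -w '%{http_code}\n' "http://$1/api/status"
}

# Constructed sample that mirrors the posted setup.kibana block; it is not
# the poster's real file.
write_sample_config() {
  cat > "$1" <<'EOF'
setup.kibana:
  host: "0.0.0.0:5601"
output.elasticsearch:
  hosts: ["0.0.0.0:9200"]
  protocol: "https"
EOF
}

# Demo: the sample is expected to fail the check, so do not abort on it.
tmp="$(mktemp)"
write_sample_config "$tmp"
check_config "$tmp" || true
rm -f "$tmp"
# To check a live file (path assumed) and then probe the host it names:
#   check_config /etc/filebeat/filebeat.yml \
#     && probe_kibana "$(kibana_host_from_config /etc/filebeat/filebeat.yml)"
```

Once `check_config` passes, `probe_kibana` should return 200 before `filebeat setup` is run again; a 000 means the host/port still does not match what Kibana is bound to, and a 401/403 means Kibana is reachable but `setup.kibana` also needs the `username`/`password` (or `protocol`/`ssl`) settings that Kibana itself requires.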