I just configured EveBox with Elasticsearch and Suricata, but Elasticsearch does not get events from Suricata, so how can I add Suricata events to Elasticsearch?
Please guide me how to add Suricata event to Elasticsearch.
Best regards,
Hi @rayobe4014 Welcome to the community...
Perhaps take a look at the following
Filebeat quickstart: just substitute the Suricata module... follow the steps exactly.
The module
Some help here
Do I need to use the same server (Suricata and Elastic on 1 server), or do I need to separate them, 1 server for Suricata and 1 for Elastic? Because my project is to deploy Suricata, send logs to Elastic, and view the dashboard on EveBox.
Can you recommend for me please? If I am doing it the wrong way, please guide me to the right way.
Best regards.
You will need to follow the Suricata documentation recommendations, as this is the Elastic community forum and I am not an expert on Suricata.
In general, it is not the best practice to install other resource-intensive applications on the same VM / Host as Elasticsearch, so my initial advice would be to not put them on the same host.
Perhaps check with the Suricata Forum:
Or perhaps someone other than me will make a suggestion... perhaps @leandrojmp
I do not use Suricata so I do not know how resource intensive it is.
But it is recommended for Elasticsearch to be the only service running on the server.
To get logs from Suricata, there is a native Elastic Agent integration that you could use, so you would also need Kibana and Fleet Server.
So you could have one server running Elasticsearch + Kibana + Fleet Server and another one with Suricata + Elastic Agent with Suricata integration.
Can you please recommend the performance and specs of the server?
I just installed Elastic + Kibana + Fleet Server successfully,
but when I try to install the agent on the Suricata server I get this error:
Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:y
[ ==] Service Started [32s] Elastic Agent successfully installed, starting enrollment.
[====] Waiting For Enroll... [33s] {"log.level":"info","@timestamp":"2024-04-09T00:20:30.689-0400","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":519},"message":"Starting enrollment to URL: https://192.168.15.11:8220/","ecs.version":"1.6.0"}
[ =] Waiting For Enroll... [33s] {"log.level":"info","@timestamp":"2024-04-09T00:20:31.260-0400","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":528},"message":"1st enrollment attempt failed, retrying for 10m0s, every 1m0s enrolling to URL: https://192.168.15.11:8220/","ecs.version":"1.6.0"}
Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority
For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.13/fleet-troubleshooting.html
[== ] Uninstalled [35s] Error uninstalling. Printing logs
{debug 2024-04-09 00:20:31.78147904 -0400 EDT m=+52.369115206 processes Error fetching PID info for 2, skipping: FillPidMetrics: error getting metadata for pid 2: error fetching exe from pid 2: readlink /proc/2/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.78157317 -0400 EDT m=+52.369209328 processes Error fetching PID info for 3, skipping: FillPidMetrics: error getting metadata for pid 3: error fetching exe from pid 3: readlink /proc/3/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.78163741 -0400 EDT m=+52.369273570 processes Error fetching PID info for 4, skipping: FillPidMetrics: error getting metadata for pid 4: error fetching exe from pid 4: readlink /proc/4/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.781699306 -0400 EDT m=+52.369335457 processes Error fetching PID info for 5, skipping: FillPidMetrics: error getting metadata for pid 5: error fetching exe from pid 5: readlink /proc/5/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.78176718 -0400 EDT m=+52.369403340 processes Error fetching PID info for 6, skipping: FillPidMetrics: error getting metadata for pid 6: error fetching exe from pid 6: readlink /proc/6/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.781831391 -0400 EDT m=+52.369467541 processes Error fetching PID info for 7, skipping: FillPidMetrics: error getting metadata for pid 7: error fetching exe from pid 7: readlink /proc/7/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173 }
{debug 2024-04-09 00:20:31.781913273 -0400 EDT m=+52.369549424 processes Error fetching PID info for 8, skipping: FillPidMetrics: error getting metadata for pid 8: error fetching exe from pid 8: readlink /proc/8/exe: no such file or directory github.com/elastic/elastic-agent-system-metrics@v0.9.2/metric/system/process/process.go:173
But when I try to set Fleet Server to http://ip address:8220
I can't add Fleet Server.
When I try to add https it succeeds, but I fail when I try to install the agent on the Suricata server. Please guide me on how to solve this problem, sir.
Best regards.
Perhaps the troubleshooting guide... for that exact error.
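The "x509: certificate signed by unknown authority" error in the enrollment output above means the agent host does not trust the CA that issued the Fleet Server certificate (a self-signed or internal CA in a fresh setup). The usual fix is to copy that CA's PEM file to the agent host and pass it to `elastic-agent install` with `--certificate-authorities`, which is a real flag of that command. The script below is an added example, not code from the thread or from Elastic: it checks that the CA file looks like a PEM certificate, refuses an http:// Fleet URL (the thread reports that an http:// Fleet Server host could not be added), and prints the enrollment command rather than running it. The URL, token and CA path are placeholders you substitute.

```shell
#!/bin/sh
# Added example (not from the thread): build a trusted Elastic Agent enrollment
# command for a Fleet Server whose certificate comes from a private CA.
# Placeholders: Fleet URL, enrollment token and CA path are supplied by the caller.

# Sanity-check that the file exists and carries a PEM certificate block.
check_ca_file() {
  ca="$1"
  [ -f "$ca" ] || { echo "CA file not found: $ca" >&2; return 1; }
  grep -q -- '-----BEGIN CERTIFICATE-----' "$ca" \
    || { echo "not a PEM certificate: $ca" >&2; return 1; }
  return 0
}

# Print the install/enroll command that trusts the given CA.
# Rejects non-https URLs, since enrollment to Fleet Server goes over TLS.
build_enroll_cmd() {
  url="$1"; token="$2"; ca="$3"
  case "$url" in
    https://*) ;;
    *) echo "Fleet Server URL must start with https://: $url" >&2; return 1 ;;
  esac
  check_ca_file "$ca" || return 1
  # --certificate-authorities makes the agent trust this CA for the Fleet
  # connection; prefer it over --insecure, which disables verification.
  printf 'sudo elastic-agent install --url=%s --enrollment-token=%s --certificate-authorities=%s\n' \
    "$url" "$token" "$ca"
}
```

Call it as `build_enroll_cmd https://<fleet-host>:8220 <enrollment-token> /etc/fleet/ca.crt` and run the printed command on the Suricata host; the CA file is the one Fleet Server was configured with (`--fleet-server-cert` is issued from it), so a mismatch there reproduces exactly the x509 error shown in the thread.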