How do I add Suricata events to Elasticsearch?

I just configured Evebox with Elasticsearch and Suricata, but Elasticsearch does not get events from Suricata, so how can I add Suricata events to Elasticsearch?
Please guide me on how to add Suricata events to Elasticsearch.
Best regards,

Hi @rayobe4014, welcome to the community...

Perhaps take a look at the following

Filebeat quickstart, just substitute the Suricata module... follow the steps exactly

The module

Some help here

Do I need to use the same server (Suricata and Elastic on 1 server), or do I need separate servers, 1 for Suricata and 1 for Elastic? Because my project is to deploy Suricata, send its logs to Elastic, and view the dashboard in Evebox.
Can you recommend something for me please? If I am doing it the wrong way, please guide me to do it the right way.
Best regards.

You will need to follow the Suricata documentation recommendations, as this is the Elastic community forum and I am not an expert on Suricata.

In general, it is not the best practice to install other resource-intensive applications on the same VM / Host as Elasticsearch, so my initial advice would be to not put them on the same host.

Perhaps check with the Suricata Forum:

Or perhaps someone other than me will make a suggestion... perhaps @leandrojmp

I do not use Suricata so I do not know how resource intensive it is.

But it is recommended for Elasticsearch to be the only service running on the server.

To get logs from Suricata, there is a native Elastic Agent integration that you could use, so you would also need Kibana and Fleet Server.

So you could have one server running Elasticsearch + Kibana + Fleet Server and another one with Suricata + Elastic Agent with Suricata integration.

Can you please give me a recommendation about the performance and specs of the server?

I just installed Elastic + Kibana + Fleet Server successfully,
but when I try to install the agent on the Suricata server I get this error:

Elastic Agent will be installed at /opt/Elastic/Agent and will run as a service. Do you want to continue? [Y/n]:y

[  ==] Service Started  [32s] Elastic Agent successfully installed, starting enrollment.

[====] Waiting For Enroll...  [33s] {"log.level":"info","@timestamp":"2024-04-09T00:20:30.689-0400","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":519},"message":"Starting enrollment to URL: https://192.168.15.11:8220/","ecs.version":"1.6.0"}

[   =] Waiting For Enroll...  [33s] {"log.level":"info","@timestamp":"2024-04-09T00:20:31.260-0400","log.origin":{"file.name":"cmd/enroll_cmd.go","file.line":528},"message":"1st enrollment attempt failed, retrying for 10m0s, every 1m0s enrolling to URL: https://192.168.15.11:8220/","ecs.version":"1.6.0"}

Error: fail to enroll: fail to execute request to fleet-server: x509: certificate signed by unknown authority

For help, please see our troubleshooting guide at https://www.elastic.co/guide/en/fleet/8.13/fleet-troubleshooting.html

[==  ] Uninstalled  [35s] Error uninstalling.  Printing logs


But when I try to set the Fleet Server to http://<ip address>:8220,
I can't add the Fleet Server.
When I try to add it with https it succeeds, but I fail when I try to install the agent on the Suricata server. Please guide me on how to solve this problem, sir.
Best regards.

Perhaps the troubleshooting guide... for that exact error.
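The "x509: certificate signed by unknown authority" error above means the agent could not chain the Fleet Server's certificate to any CA it trusts. The following shell snippet is an added example, not code from the thread or from Elastic: it fetches the certificate the Fleet Server presents and checks it against a CA file with openssl, so you can confirm which CA to hand to `elastic-agent install --certificate-authorities`. The host, port and file paths are placeholders taken from the thread's own URL.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a Fleet Server TLS trust
# failure before enrolling the Elastic Agent on the Suricata host.

# Fetch the leaf certificate presented by the Fleet Server and save it as PEM.
# Needs network access to the Fleet Server; host:port is an assumed value.
fetch_fleet_cert() {
    host_port="$1"   # e.g. 192.168.15.11:8220 (the URL from the thread)
    out="$2"
    openssl s_client -connect "$host_port" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Verify a leaf certificate against a CA file. Returns 0 when the chain is
# trusted and 1 otherwise, which is exactly the condition the agent reports
# as "certificate signed by unknown authority".
verify_fleet_cert() {
    leaf="$1"
    ca="$2"
    if openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1; then
        echo "trusted: $leaf chains to $ca"
        return 0
    fi
    echo "untrusted: $leaf does not chain to $ca (agent would fail enrollment)"
    return 1
}

# Typical use on the Suricata host (paths and token are placeholders):
#   fetch_fleet_cert 192.168.15.11:8220 /tmp/fleet-server.crt
#   verify_fleet_cert /tmp/fleet-server.crt /path/to/fleet-ca.crt \
#     && sudo elastic-agent install --url=https://192.168.15.11:8220 \
#          --enrollment-token=<token> \
#          --certificate-authorities=/path/to/fleet-ca.crt
```

If the Fleet Server was set up with a self-signed certificate, the CA file to pass is the one that signed that certificate, not the Elasticsearch HTTP CA.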