Hello team,
I'm new to the ELK stack, so I want to apologize if my questions are stupid.
I have successfully installed the ELK stack on my server, and I have installed the agents on all my servers. Everything is working fine.
Now I have to receive into Elastic the alerts generated by Darktrace, so I have set the IP (of the manager) and the port (where Filebeat is listening) and have set it to send the alerts as Syslog JSON.
So I opened Filebeat.yml and configured this setting:
filebeat.inputs:
  - type: syslog
    format: auto
    # The syslog input keys its listener as protocol.tcp (or protocol.udp), not protocol.0.tcp,
    # and host is a single "address:port" string rather than a list.
    # Binding port 514 needs root or CAP_NET_BIND_SERVICE; 172.18.17.8 must be an address of this host.
    protocol.tcp:
      host: "172.18.17.8:514"
I saved it and restarted filebeat.service. Running
filebeat -e
I got no errors.
So I tried to send a "sample alert" from Darktrace (which confirmed the successful send, and the firewall confirmed it too), but I don't see it in the events in the Elasticsearch dashboard, in /var/ossec/logs/alerts/alerts.log, or in /var/ossec/logs/archive/archive.log.
By the way, ONLY for these alerts (Darktrace alerts), I tried to configure a new index in the filebeat.yml settings:
setup.ilm.enabled: false
# overwrite only matters when template loading is enabled (it is disabled below)
setup.template.overwrite: true
output.elasticsearch:
  hosts: ["127.0.0.1:9200"]
  # custom index names must be lowercase; when one is set, setup.template.name/pattern
  # must also be set unless the template is disabled
  index: "darktrace-%{[agent.version]}-%{+yyyy.MM.dd}"
  username: "****"
  password: "**********"
setup.template:
  name: 'darktrace'
  pattern: 'darktrace-*'
  # Elasticsearch creates the index only when the first event is written, so an
  # index will not appear in Stack Management until an event actually reaches Filebeat
  enabled: false
but looking in Elastic > Stack Management > Index, it isn't present.
Thanks in advance for your support.
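One way to narrow this down is to separate the Darktrace side from the Filebeat side: send a hand-built Syslog JSON line to the listener yourself and see whether an event (and then the index) appears. This is an added example, not code from the poster or from Darktrace; the host and port come from the filebeat.yml above, while the alert fields and hostname are constructed for the test.

```python
"""Send a constructed Darktrace-style 'Syslog JSON' test line to a Filebeat
syslog TCP listener. Added example; alert fields are constructed, not real."""
import json
import socket
from datetime import datetime
from typing import Optional

# Constructed sample alert (not a real Darktrace model breach)
SAMPLE_ALERT = {
    "modelName": "Test::Connectivity Check",
    "score": 0.42,
    "sourceIP": "10.0.0.23",
    "message": "Filebeat syslog input test",
}

# Listener address taken from the filebeat.yml in the post
FILEBEAT_HOST = "172.18.17.8"
FILEBEAT_PORT = 514


def build_syslog_json(alert: dict, hostname: str = "darktrace-test",
                      app: str = "darktrace", now: Optional[datetime] = None) -> bytes:
    """RFC 3164 line: '<PRI>Mmm dd HH:MM:SS host app: {json}\\n'.
    PRI 14 = facility user (1)*8 + severity info (6). The JSON is the MSG part,
    which Filebeat's syslog input exposes as the 'message' field."""
    now = now or datetime.now()
    # RFC 3164 pads a single-digit day with a space, e.g. 'Jan  5'
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<14>{stamp} {hostname} {app}: {json.dumps(alert)}\n".encode()


def parse_syslog_json(line: bytes) -> dict:
    """Recover the JSON payload from a line built above (local sanity check)."""
    text = line.decode().rstrip("\n")
    return json.loads(text[text.index("{"):])


def send_tcp(line: bytes, host: str = FILEBEAT_HOST, port: int = FILEBEAT_PORT,
             timeout: float = 3.0) -> int:
    """Deliver one line over TCP and return the bytes sent. A refused connection
    means nothing listens there (wrong bind address or Filebeat not running)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(line)
    return len(line)


if __name__ == "__main__":
    msg = build_syslog_json(SAMPLE_ALERT)
    print(f"sent {send_tcp(msg)} bytes: {msg!r}")
```

Run it from a machine the firewall allows to reach the manager; if the event then shows up in Discover (or the darktrace-* index appears), the Filebeat side is fine and the gap is between Darktrace and the listener.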