Hello Team:
We are having a single node ELK configuration, In the same server we have installed Elasticsearch and kibana (8.3.3)
As per the guide if we are installing the Elasticsearch generates own SSL configuration default.
- elasticsearch.yml:
cluster.name: es-application
node.name: node-1
network.host: 192.168.40.147
http.port: 9200
discovery.seed_hosts: ["192.168.40.147"]
path.data: /home/log/elasticsearch/data
path.logs: /home/log/elasticsearch/log
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
enabled: true
keystore.path: certs/http.p12
xpack.security.transport.ssl:
enabled: true
verification_mode: certificate
keystore.path: certs/transport.p12
truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["node-1"]
windoiws client
winlogbeat.yml:
winlogbeat.event_logs:
- name: Application
ignore_older: 72h
- name: System
- name: Security
- name: Microsoft-Windows-Sysmon/Operational
- name: Windows PowerShell
event_id: 400, 403, 600, 800
- name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
- name: ForwardedEvents
tags: [forwarded]
setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false
setup.kibana:
# Kibana Host
# Scheme and port can be left out and will be set to the default (http and 5601)
# In case you specify and additional path, the scheme is required: http://localhost:5601/path
# IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
host: "192.168.40.147:5601"
# Kibana Space ID
# ID of the Kibana Space into which the dashboards should be loaded. By default,
# the Default Space will be used.
#space.id:
output.elasticsearch:
# Array of hosts to connect to.
hosts: ["https://192.168.40.147:9200"]
username: "elastic"
password: "AFBi4qPxGkuRNJ"
ssl:
enabled: true
ca_trusted_fingerprint: “014764bb6e1ffc6e5564a92c1ab0dv5e6c79315b41ce2b71b1e038dfc14c9f86”
# Protocol - either `http` (default) or `https`.
#protocol: "https"
# Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
# Pipeline to route events to security, sysmon, or powershell pipelines.
pipeline: "winlogbeat-%{[agent.version]}-routing"
# The Logstash hosts
#hosts: ["localhost:5044"]
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
#ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
# Certificate for SSL client authentication
#ssl.certificate: "/etc/pki/client/cert.pem"
# Client Certificate Key
#ssl.key: "/etc/pki/client/cert.key"
processors:
- add_host_metadata:
when.not.contains.tags: forwarded
- add_cloud_metadata: ~
# Set to true to enable instrumentation of winlogbeat.
#enabled: false
# Environment in which winlogbeat is running on (eg: staging, production, etc.)
#environment: ""
# APM Server hosts to report instrumentation results to.
#hosts:
# - http://localhost:8200
# API Key for the APM Server(s).
# If api_key is set then secret_token will be ignored.
#api_key:
# Secret token for the APM Server(s).
#secret_token:
My problem is with the SSL configuration (Of the Winlogbeat) I just can't get it right for some reason.
This is the error I get on the windows machine after running the setup command
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.40.147:9200: Get "https://192.168.40.147:9200": decode 'ca_trusted_fingerprint': encoding/hex: invalid byte: U+00E2 'â']