https://github.com/frosky/ELK-Installation/blob/main/SIEM.md
Can you go through this link and tell me whether the steps mentioned in this tutorial are correct or not?
Stephen, I did what you told me, but now I am getting this error:
    Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://localhost:9200: Get "http://localhost:9200": dial tcp 127.0.0.1:9200: connect: connection refused]
No, sorry, I cannot... the problem is there are 100s of these types of help... they often are not kept up to date... or are not correct.
But quick glance those instructions are for 7.x and you are using 8.x ...
There is no mention of setup... now I told you how to do that... and the logstash is wrong because it is the 7.x version, not the 8.x version
so the logstash should look like
    input {
      beats {
        port => 5044
      }
    }
    output {
      if [@metadata][pipeline] {
        elasticsearch {
          hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
          manage_template => false
          index => "%{[@metadata][beat]}-%{[@metadata][version]}"
          action => "create"
          pipeline => "%{[@metadata][pipeline]}"
          user => "elastic"
          password => "secret"
        }
      } else {
        elasticsearch {
          hosts => "https://061ab24010a2482e9d64729fdb0fd93a.us-east-1.aws.found.io:9243"
          manage_template => false
          index => "%{[@metadata][beat]}-%{[@metadata][version]}"
          action => "create"
          user => "elastic"
          password => "secret"
        }
      }
    }
I have to add the commands you mentioned above in these two files, right?
sudo nano /etc/logstash/conf.d/2-beats-input.conf
sudo nano /etc/logstash/conf.d/2-elasticsearch-output.conf
First, your tutorial assumes 7.x, which does not set up SSL and authentication by default. If you used 8.4, did you understand that SSL and authentication are set up by default? Did you notice?
There are big changes between 7.x and 8.x... your tutorial is missing many configs for 8.x; it will not work for 8.x.
Have you tried to curl Elasticsearch?
curl -k -u elastic https://localhost:9200
You need to choose to either use 7.x (which you probably should) or 8.x, and then you will need to properly configure it to work with the certs and SSL etc... none of that is in that tutorial.
I would clean up and try 7.17.6
Can you post a link to any tutorial for 8.x?
When I try to curl Elasticsearch I get this error:
curl: (35) error:0A00010B:SSL routines::wrong version number
When you don't show the actual command you ran the result is basically useless.
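One way to run that curl check with the 8.x defaults (the node's own CA file and the builtin elastic user) and turn curl's exit code into a diagnosis. This is an added example, not code from the thread; the CA path, the elastic user and the ES_* variables are assumptions:

```shell
#!/bin/sh
# Added diagnostic, not from the thread: run the curl probe against a default 8.x
# node with its CA and the builtin "elastic" user, then explain curl's exit code.
# Assumed defaults: https://localhost:9200 and the CA that 8.x writes at
# /etc/elasticsearch/certs/http_ca.crt; override with ES_URL, ES_CACERT, ES_USER, ES_PASS.

# Translate a curl exit code into the most likely cause on a fresh 8.x install.
explain_curl_exit() {
  case "$1" in
    0)  echo "ok: TLS handshake, CA trust and credentials were all accepted" ;;
    7)  echo "connection refused: nothing is listening on that host:port (the beat error 'dial tcp 127.0.0.1:9200: connect: connection refused' is the same symptom); check 'systemctl status elasticsearch'" ;;
    35) echo "TLS handshake failed: curl spoke TLS but the port answered in plaintext ('wrong version number'); that port is serving plain http://, so security is off or it is not an 8.x node" ;;
    60) echo "peer certificate not trusted: verify against the node's own CA with --cacert /etc/elasticsearch/certs/http_ca.crt instead of -k" ;;
    22) echo "HTTP error from the node (curl --fail): usually 401, wrong password for 'elastic'; reset it with elasticsearch-reset-password -u elastic" ;;
    *)  echo "curl exit $1: see the EXIT CODES section of 'man curl'" ;;
  esac
}

# Build the curl invocation from the thread, but with CA verification and
# credentials, run it, and explain the outcome. Usage: probe_es [url]
probe_es() {
  url=${1:-https://localhost:9200}
  cacert=${ES_CACERT:-/etc/elasticsearch/certs/http_ca.crt}
  user=${ES_USER:-elastic}
  # --fail maps 4xx/5xx to exit 22; -u "elastic" alone makes curl prompt for the password.
  set -- --fail --silent --show-error -u "$user${ES_PASS:+:$ES_PASS}"
  if [ -r "$cacert" ]; then
    set -- "$@" --cacert "$cacert"
  else
    echo "warning: $cacert not readable, falling back to -k (no CA verification)" >&2
    set -- "$@" -k
  fi
  rc=0
  curl "$@" "$url" || rc=$?
  explain_curl_exit "$rc"
  return "$rc"
}

# Only probe when explicitly asked, so sourcing this file has no side effects.
if [ "${RUN_PROBE:-0}" = 1 ]; then
  probe_es "$ES_URL"
fi
```

Run it as `RUN_PROBE=1 ES_PASS=... sh probe.sh`; the exit code is curl's, so it can be used in a setup script before `filebeat setup` is attempted.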
No, I recommend our docs / quickstarts etc...
Our docs show you how to set up default 8.x Elasticsearch and Kibana out of the box...
You literally install them making no changes and follow the prompts...
Elasticsearch
Kibana
But if you just want it to work and not learn about the components, and don't need the stack secured, just use 7.17.
Good Luck!
You should open a separate / new thread on that.
Looks like Kibana does not have access to the internet.
This will be a non-trivial fix if you are on a closed network.
Did you click on the link?
your own registry