Hi,
I'm pretty new to ELK and struggling a lot.
I'm trying to read my Suricata log with Filebeat and visualize it in Kibana.
But the dashboard is empty:
0 events and "No results found".
Suricata is running and constantly updating eve.json.
This is my filebeat.yml:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://elasticsearch.scidom.de:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "****************"
  ssl:
    enabled: true
    verification_mode: none
    ## ssl.ca_trusted_fingerprint: "A3:BC:D6:00:25:A5:D2:10:47:C5:C0:3A:C3:70:0C:56:CC:EC:73:B1:A2:64:40:F7:0C:96:C6:96:B9:82:9F:DF"

filebeat.config.modules.path: ${path.config}/modules.d/*.yml

setup.kibana:
  host: "http://elasticsearch.scidom.de:5601"
I know that these settings are unsecure, it's just a test environment.
This is my module configuration:
# Module: suricata
# Docs: https://www.elastic.co/guide/en/beats/filebeat/8.11/filebeat-module-suricata.html
- module: suricata
  # All logs
  eve:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    var.paths: ["/var/log/suricata/eve.json"]
I followed the instructions in Kibana: "Add integration".
When I click "Check data" on the instructions page, it says
"Data successfully received from this module".
But I don't see anything in Kibana.
Check the Kibana index pattern: Make sure that the index pattern you're using in Kibana matches the indices where Filebeat is sending the Suricata logs.
Hi,
Thanks for your answer. I found out which index the data is sent to, but how can I find out which index Kibana uses?
I also found this: .ds-filebeat-8.11.3-2024.01.17-000001 0 r UNASSIGNED CLUSTER_RECOVERED
My index has just one replica shard, and it is not assigned. I think that's not correct.
Can I change the type of the shard to primary? How?
And how can I assign it? It's just a testing environment and I have only one Elasticsearch node.
Elasticsearch tries to place the primary and replica shards on different nodes for redundancy. But since you have only one node, it can't assign the replica shard.
To remove the replica shard, you can update the number of replicas to 0 for your index:
PUT /<your-index-name>/_settings
{
  "number_of_replicas": 0
}
As for finding out the index Kibana uses, it depends on the visualization or dashboard you're looking at. In most cases, you would select the index when creating the visualization or dashboard. If you're not sure, you can check the settings of the visualization or dashboard in Kibana.
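The shard check and the settings request from the answer above, as an added example that is not part of the original thread. The `_cat/shards` sample is constructed to mirror the line posted earlier (columns `index shard prirep state unassigned.reason`), the cluster URL and credentials are placeholders, and the script uses only the Python standard library so it can be run from the Filebeat host.

```python
"""Find unassigned replica shards in `_cat/shards` output and build the
`_settings` request that drops replicas to 0 on a single-node test cluster.

Added example (not from the thread). SAMPLE_CAT_SHARDS is constructed;
the URL/credentials passed to send() are placeholders.
"""
import base64
import json
import ssl
import urllib.request

# Constructed sample of
#   GET _cat/shards?h=index,shard,prirep,state,unassigned.reason
# The second line is the one the poster saw: a replica ('r') that cannot be
# placed because there is no second node.
SAMPLE_CAT_SHARDS = """\
.ds-filebeat-8.11.3-2024.01.17-000001 0 p STARTED
.ds-filebeat-8.11.3-2024.01.17-000001 0 r UNASSIGNED CLUSTER_RECOVERED
some-other-index                      0 p STARTED
"""


def parse_cat_shards(text):
    """Parse the whitespace-separated _cat/shards text output into dicts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        rows.append({
            "index": parts[0],
            "shard": int(parts[1]),
            "prirep": parts[2],          # 'p' = primary, 'r' = replica
            "state": parts[3],
            "reason": parts[4] if len(parts) > 4 else None,
        })
    return rows


def unassigned_replica_indices(rows):
    """Return (indices with unassigned replicas, indices with unassigned primaries).

    Only the first group is fixed by number_of_replicas=0; an unassigned
    primary means the data itself is unavailable and needs a different fix.
    """
    replicas, primaries = set(), set()
    for r in rows:
        if r["state"] != "UNASSIGNED":
            continue
        (replicas if r["prirep"] == "r" else primaries).add(r["index"])
    return sorted(replicas), sorted(primaries)


def replica_settings_request(index, replicas=0):
    """The request from the answer above, as (method, path, body)."""
    return ("PUT", f"/{index}/_settings", {"index": {"number_of_replicas": replicas}})


def send(es_url, user, password, method, path, body, verify_tls=True):
    """Send a request with urllib and basic auth.

    verify_tls=False mirrors the poster's `verification_mode: none`; it
    disables certificate checking entirely and is only defensible in a lab.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(es_url + path, data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", "application/json")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rows = parse_cat_shards(SAMPLE_CAT_SHARDS)
    replicas, primaries = unassigned_replica_indices(rows)
    for idx in replicas:
        method, path, body = replica_settings_request(idx)
        print(method, path, json.dumps(body))
        # Placeholder cluster; uncomment to apply for real:
        # send("https://elasticsearch.example:9200", "elastic", "secret",
        #      method, path, body, verify_tls=False)
    if primaries:
        print("unassigned PRIMARY shards, not fixed by replicas=0:", primaries)
```

One caveat for a Filebeat data stream: the `_settings` call changes only the current backing index. When the stream rolls over, the next `.ds-filebeat-…` index is created from Filebeat's index template and gets a replica again. To make it stick, set `setup.template.settings: { index.number_of_replicas: 0 }` together with `setup.template.overwrite: true` in filebeat.yml and re-run `filebeat setup --index-management`.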
Unfortunately it's not fine anymore.
Replicas still zero, cluster green, but I don't see any data from Suricata in the dashboard. Suricata is running and constantly writing events. I see the events in Kibana under "Analytics ==> Discover", but the dashboard is empty.
"filebeat setup" on the suricata host ran fine.
If there are any filters or queries applied to the dashboard or its visualizations, make sure they match your data.
Check whether the fields the visualizations use exist in your data; they might be missing or contain different values than expected.
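A way to test the two suggestions above against the documents themselves, as an added example that is not part of the original thread. Filebeat modules tag every event with `event.module` and `event.dataset` (for this module, `suricata` and `suricata.eve`), and the module's dashboards filter on those fields plus the time picker, so a document that shows up in Discover can still be invisible on the dashboard. The three sample documents and the time window are constructed; the query body is the same test expressed in Elasticsearch query DSL for Dev Tools.

```python
"""Triage why documents visible in Discover are missing from the Filebeat
Suricata dashboard: module fields absent, or @timestamp outside the window.

Added example (not from the thread). SAMPLE_DOCS and the WINDOW_* values are
constructed placeholders.
"""
from datetime import datetime, timezone

# Constructed dashboard time picker: the day the poster's index was created.
WINDOW_START = datetime(2024, 1, 17, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 1, 18, tzinfo=timezone.utc)

# Constructed hits, shaped like documents from the filebeat data stream.
SAMPLE_DOCS = [
    {   # shipped through the suricata module: what the dashboard expects
        "@timestamp": "2024-01-17T10:15:00.000Z",
        "event": {"module": "suricata", "dataset": "suricata.eve", "kind": "alert"},
        "suricata": {"eve": {"event_type": "alert"}},
    },
    {   # shipped through a plain log input: raw JSON in `message`, no module fields
        "@timestamp": "2024-01-17T10:16:00.000Z",
        "message": '{"timestamp":"2024-01-17T10:16:00.000000+0000","event_type":"flow"}',
    },
    {   # correct module fields, but older than the dashboard's time window
        "@timestamp": "2023-12-01T00:00:00.000Z",
        "event": {"module": "suricata", "dataset": "suricata.eve"},
    },
]


def _get(doc, dotted):
    """Look up a dotted field name in a nested document; None if absent."""
    cur = doc
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def _ts(value):
    """Parse an Elasticsearch @timestamp (RFC 3339 with trailing Z)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def triage(docs, start, end, module="suricata", dataset="suricata.eve"):
    """Count documents by the first dashboard condition that excludes them."""
    buckets = {"matches": 0, "no_module_fields": 0, "no_timestamp": 0, "outside_time_range": 0}
    for d in docs:
        if _get(d, "event.module") != module or _get(d, "event.dataset") != dataset:
            buckets["no_module_fields"] += 1
        elif _get(d, "@timestamp") is None:
            buckets["no_timestamp"] += 1
        elif not (start <= _ts(d["@timestamp"]) <= end):
            buckets["outside_time_range"] += 1
        else:
            buckets["matches"] += 1
    return buckets


def probe_query(start, end, module="suricata", dataset="suricata.eve"):
    """The same check as a query body for `GET filebeat-*/_search` in Dev Tools;
    hits.total tells you how many events the dashboard filters would keep."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.module": module}},
            {"term": {"event.dataset": dataset}},
            {"range": {"@timestamp": {"gte": start.isoformat(), "lte": end.isoformat()}}},
        ]}},
    }


if __name__ == "__main__":
    import json
    print(triage(SAMPLE_DOCS, WINDOW_START, WINDOW_END))
    print(json.dumps(probe_query(WINDOW_START, WINDOW_END), indent=2))
```

If `no_module_fields` dominates, the events are reaching Elasticsearch through something other than the module (for example a plain `filestream` input on eve.json) and never get the module's ingest pipeline; if `outside_time_range` dominates, widen the dashboard's time picker, since Discover and the dashboard keep separate ranges.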