QUESTION ABOUT ELK SIEM

```yaml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
#cluster.name: my-application
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# By default Elasticsearch is only accessible on localhost. Set a different
# address here to expose this node on the network:
#
network.host: 0.0.0.0
#
# By default Elasticsearch listens for HTTP traffic on the first free port it
# finds starting at 9200. Set a specific HTTP port here:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
#discovery.seed_hosts: ["host1", "host2"]
#
# Bootstrap the cluster using an initial set of master-eligible nodes:
#
cluster.initial_master_nodes: ["node-1", "node-2"]
# For more information, consult the discovery and cluster formation module documentation.
#
# ---------------------------------- Various ---------------------------------
#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 05-04-2022 22:37:23
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["elastic"]

# Allow HTTP API connections from localhost and local networks
# Connections are encrypted and require user authentication
http.host: [_local_, _site_]

# Allow other nodes to join the cluster from localhost and local networks
# Connections are encrypted and mutually authenticated
#transport.host: [_local_, _site_]

#----------------------- END SECURITY AUTO CONFIGURATION -------------------------
```

You have two different settings:

cluster.initial_master_nodes: ["node-1", "node-2"]

cluster.initial_master_nodes: ["elastic"]

Comment out the second one.

I would also review this section of the doc.

How many nodes are you trying to start in the cluster?

Done, thanks, it finally works.

I have another question: what does it mean when I put network.host: 0.0.0.0? What is this (0.0.0.0)?

It actually binds all the IPs available on the server; this helps if you are using a reverse proxy, an external IP or multiple network interfaces. If you have a single IP, you can change it to that. But I prefer to leave it at 0.0.0.0, because if you change it to a specific IP, that can block localhost:9200 access, which is probably configured within your Kibana.
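Both answers above come down to reading the settings file carefully: the node refused to start because `cluster.initial_master_nodes` appeared twice, and `network.host: 0.0.0.0` is harmless only while `xpack.security.enabled` and HTTP TLS stay on. The following linter is an added example written for this thread, not Elastic's code or a tool from the original post. It parses the YAML subset that elasticsearch.yml uses (block mappings nested by indentation, scalar values), reports duplicate dotted keys with their line numbers, and flags an HTTP listener bound to all interfaces when security is off. The two embedded configs are constructed: one mirrors the thread's file, the other is a deliberately weak variant. It assumes the 8.x default of `xpack.security.enabled: true` when the key is absent, and that `http.host`, when set, takes precedence over `network.host` for the HTTP layer.

```python
"""Lint an elasticsearch.yml for duplicate settings and an exposed HTTP API."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the thread's config, still carrying
# the two `cluster.initial_master_nodes` lines that stopped the node.
SAMPLE_CONFIG = """\
node.name: node-1
path.data: /var/lib/elasticsearch
network.host: 0.0.0.0
http.port: 9200
cluster.initial_master_nodes: ["node-1", "node-2"]
xpack.security.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
cluster.initial_master_nodes: ["elastic"]
http.host: [_local_, _site_]
"""

# Constructed weak variant: bound to every interface with security switched off.
WEAK_CONFIG = """\
node.name: node-1
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

LINE_RE = re.compile(r"^(\s*)([A-Za-z0-9_.\-]+):\s*(.*?)\s*$")


def flatten_settings(text):
    """Return [(dotted_key, value, line_no)] for the YAML subset elasticsearch.yml
    uses. A key with no value opens a nested mapping; nesting is tracked by
    indentation, so `xpack.security.http.ssl:` + `  enabled: true` becomes
    `xpack.security.http.ssl.enabled`. Full-line comments and blanks are skipped."""
    entries, stack = [], []  # stack holds (indent, key) of enclosing mappings
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"line {line_no}: unsupported syntax: {raw!r}")
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        while stack and stack[-1][0] >= indent:  # leave mappings we have exited
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value == "":
            stack.append((indent, key))
        else:
            entries.append((path, value, line_no))
    return entries


def find_duplicates(entries):
    """Map each dotted key that occurs more than once to its line numbers."""
    counts = Counter(path for path, _, _ in entries)
    return {p: [n for q, _, n in entries if q == p] for p, c in counts.items() if c > 1}


def find_exposed_http(entries):
    """Return a finding string when the HTTP API listens on all interfaces
    without both security and HTTP TLS enabled; None otherwise."""
    settings = {p: v for p, v, _ in entries}
    # Assumption: http.host overrides network.host for the HTTP layer.
    bind = settings.get("http.host", settings.get("network.host", "127.0.0.1"))
    # Assumption: 8.x default, security is on unless explicitly disabled.
    security_on = settings.get("xpack.security.enabled", "true") != "false"
    tls_on = settings.get("xpack.security.http.ssl.enabled", "false") == "true"
    if "0.0.0.0" in bind and not (security_on and tls_on):
        return f"HTTP API bound to all interfaces ({bind}) without security and TLS"
    return None


if __name__ == "__main__":
    for name, cfg in (("thread config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        entries = flatten_settings(cfg)
        print(f"== {name} ==")
        for key, lines in find_duplicates(entries).items():
            print(f"  duplicate setting {key} on lines {lines}")
        finding = find_exposed_http(entries)
        print(f"  {finding}" if finding else "  HTTP exposure: ok")
```

Run it against a real file by replacing `SAMPLE_CONFIG` with `open("/etc/elasticsearch/elasticsearch.yml").read()`; the duplicate-key report points at the two lines the answer above tells you to reconcile, and the exposure check explains why `0.0.0.0` is acceptable in the thread's file (security and HTTP TLS are on, and `http.host` narrows the listener) but not in the weak variant.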

```
firas@elastic:~$ sudo systemctl restart elasticsearch.service
Job for elasticsearch.service failed because a timeout was exceeded.
See "systemctl status elasticsearch.service" and "journalctl -xe" for details.
firas@elastic:~$ sudo systemctl restart elasticsearch.service
firas@elastic:~$ sudo nano  /etc/elasticsearch/elasticsearch.yml
```

Why, when I try to restart Elasticsearch, does it not start, but when I repeat the restart it works? The same happens with Kibana. What is the cause of this delay?
