Sample Threat Intel Module Filebeat.YML File that you can share?

Has anyone got the Threat Feed in elastic working? If so could you share your filebeat.yml sample so that I can refer to it. I cannot get filebeat to start using the module samples provided by elastic.

What errors do u get? Can u post ur config and logs?

I am using the default filebeat.yml and trying to add the following modules to it, like this

When I try to start the filebeat service it fails.

When u post code use the code tags for formatting. I assume the indentation is correct in ur yaml file? If u run filebeat from the cli and add -e to run in debug, can u post the output so we can see where it's failing?

Hi Tanner,
The reason this isn't working is because you don't put those entries in the filebeat.yml file, they go in the threatintel.yml file which lives in the modules.d sub-folder.

Remove those entries from your filebeat.yml file, and put them in the /etc/filebeat/modules.d/threatintel.yml and you should be fine.

When you examine that file, you'll probably discover the entries are already present.

Thank you so much, we will try that. So no modifications needed for filebeat except in the output section for our cloud ID and cloud auth information. And then making sure that the threat feed modules are listed and enabled as true in the modules yml. Did I state that right?

It sounds right, but I'm not an expert - I'm still trying to get my MISP feed to work!
Also, I'm doing everything on-prem, so I have no clue about cloud based environments.

Good luck!

The module configs can go in either file. If in the filebeat.yml, they need to be nested under

filebeat.modules:

or they can be in their respective module file. If u run filebeat modules list, does the threat Intel module show as enabled?

Pretty sure it's enabled by default.
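As an added example (not a config posted in this thread), this is what the nesting described above looks like, with the layout that fails beside the two accepted ones. The misp fileset name and its var.* keys are taken from the threatintel module documentation and should be checked against your Filebeat version; the MISP URL, API key and cloud values are placeholders.

```yaml
# Added example, not from the thread. Placeholders: misp.example.internal,
# <MISP_API_KEY>, <CLOUD_ID>, <CLOUD_AUTH>. Fileset and var.* names follow the
# threatintel module docs; confirm them for your Filebeat version.

# --- BROKEN: module entries pasted at the top level of filebeat.yml ---
# A bare sequence next to the file's other top-level keys is not valid
# YAML, so Filebeat dies while parsing its config (filebeat -e shows it).
#
# - module: threatintel
#   misp:
#     enabled: true

# --- OPTION A: keep it in filebeat.yml, nested under filebeat.modules ---
filebeat.modules:
  - module: threatintel
    misp:
      enabled: true
      var.input: httpjson
      var.url: https://misp.example.internal/events/restSearch
      var.api_token: <MISP_API_KEY>
      var.interval: 1h

# Elastic Cloud output, as discussed in the thread (placeholders).
cloud.id: "<CLOUD_ID>"
cloud.auth: "<CLOUD_AUTH>"

# --- OPTION B: put it in /etc/filebeat/modules.d/threatintel.yml instead ---
# Same block, but WITHOUT the filebeat.modules: parent, and with the module
# enabled via `filebeat modules enable threatintel`:
#
# - module: threatintel
#   misp:
#     enabled: true
#     var.input: httpjson
#     var.url: https://misp.example.internal/events/restSearch
#     var.api_token: <MISP_API_KEY>
#     var.interval: 1h
```

Run `filebeat test config -e` before starting the service; it reports the parse error for the broken layout and returns cleanly for either accepted one.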

Yes that is where we initially nested them but could not get filebeat to start as a service. We will check the modules yml to see if that works for us.

Modules are not enabled by default. You have to enable them by running filebeat modules enable <module> or by manually updating the module files/filebeat.yml with the module config.

Run filebeat -e to see the output in debug mode and find out why it's crashing.
