I've deployed a standalone elastic-agent on my host machine where ELK is running.
I've added the MISP integration policy to this standalone agent with https://localhost as the MISP URL variable. It's a self-signed certificate.
I get the following error: "message":"Post \"https://localhost/events/restSearch\": x509: certificate signed by unknown authority"
{"log.level":"error","@timestamp":"2023-03-18T22:33:55.333+0100","message":"request failed","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"httpjson-default","type":"httpjson"},"log":{"source":"httpjson-default"},"log.origin":{"file.line":553,"file.name":"go-retryablehttp@v0.6.6/client.go"},"service.name":"filebeat","id":"httpjson-ti_misp.threat-5a6d0281-31a7-4cf9-b069-7c9610e62eb9","method":"POST","log.logger":"input.httpjson-cursor.retryablehttp","input_source":"https://localhost/events/restSearch","input_url":"https://localhost/events/restSearch","error":{"message":"Post \"https://localhost/events/restSearch\": x509: certificate signed by unknown authority"},"url":"https://localhost/events/restSearch","ecs.version":"1.6.0","ecs.version":"1.6.0"}
{"log.level":"error","@timestamp":"2023-03-18T22:33:55.333+0100","message":"Error while processing http request: failed to execute rf.collectResponse: failed to execute http client.Do: failed to execute http client.Do: failed to read http.response.body: Post \"https://localhost/events/restSearch\": Post \"https://localhost/events/restSearch\": x509: certificate signed by unknown authority","component":{"binary":"filebeat","dataset":"elastic_agent.filebeat","id":"httpjson-default","type":"httpjson"},"log":{"source":"httpjson-default"},"service.name":"filebeat","input_url":"https://localhost/events/restSearch","log.origin":{"file.line":135,"file.name":"httpjson/input.go"},"id":"httpjson-ti_misp.threat-5a6d0281-31a7-4cf9-b069-7c9610e62eb9","input_source":"https://localhost/events/restSearch","ecs.version":"1.6.0","log.logger":"input.httpjson-cursor","ecs.version":"1.6.0"}
Is there a way to set it to insecure in the elastic-agent.yml config file, like when we curl with the -k argument?
Update
Unfortunately you can't reach the MISP server using http; it has to be https.
I've found the following files related to the MISP certificate with sudo find /etc -name "*misp*":
/etc/ssl/private/misp.local.crt
/etc/ssl/private/misp.local.key
Ok, I think I found it. There is an ssl.verification_mode setting in the MISP integration policy that I have to attach to the elastic agent.
Basically you just have to replace this line in the elastic-agent.yml config file:
request.ssl: null
with these lines:
request.ssl:
  verification_mode: none
Then you have to run ./elastic-agent install; then the error disappears and a new one comes up.
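To show why the agent's Go HTTP client rejects the self-signed MISP certificate and what the two possible fixes actually do, here is an added Go example (not from the original post and not Elastic's own code). It stands up a constructed self-signed TLS server as a stand-in for MISP and POSTs to it three ways: with the system trust store (the failing default), with the server's own certificate pinned as the trusted root (the counterpart of pointing request.ssl.certificate_authorities at misp.local.crt, which keeps verification on), and with verification disabled (the counterpart of verification_mode: none).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"net/http"
	"net/http/httptest"
)

// newClient builds an HTTP client. ca == nil and skipVerify == false uses the system
// trust store (the agent's default); a non-nil ca is pinned as the only trusted root
// (request.ssl.certificate_authorities); skipVerify mirrors verification_mode: none.
func newClient(ca *x509.Certificate, skipVerify bool) *http.Client {
	cfg := &tls.Config{InsecureSkipVerify: skipVerify}
	if ca != nil {
		pool := x509.NewCertPool()
		pool.AddCert(ca)
		cfg.RootCAs = pool
	}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// probe starts a self-signed TLS server (constructed stand-in for MISP) and POSTs to
// its restSearch path with each client, returning the three resulting errors.
func probe() (systemErr, trustedErr, insecureErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		_, _ = w.Write([]byte(`{"response":[]}`))
	}))
	defer srv.Close()
	post := func(c *http.Client) error {
		resp, err := c.Post(srv.URL+"/events/restSearch", "application/json", nil)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	systemErr = post(newClient(nil, false))              // expect x509 unknown authority
	trustedErr = post(newClient(srv.Certificate(), false)) // pinned root: verified OK
	insecureErr = post(newClient(nil, true))              // verification off: "works"
	return
}

// isUnknownAuthority reports whether err is the x509 error seen in the agent log.
func isUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}
```

Pinning the CA and disabling verification both make the POST succeed, but only the pinned client would still detect a swapped certificate on the connection to MISP.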