(Sorry in advance, I'm new here, so there will be many silly questions.)
When I do
curl --insecure -X GET "https://0.0.0.0:9200/?pretty" -u elastic:pword
I get the "You Know, for Search" message.
If I use the Mozilla browser, I can't access it.
And my cluster is all gone: by that I mean I do not see filebeat, auditbeat or packetbeat through metricbeat.
But now I am able to see the Detections tab. It's empty, but without that "setting up" warning message.
So does this mean a TLS connection is established between Elasticsearch and Kibana?
If so, how do I get all the beats back to life? Sorry to say, but it is very unclear in the guides.
I do not have ca.pem in the kpi folder; the kpi folder is empty. I don't see any .key files.
When I was creating the certificate I received an elasticsearch-ssl-http.zip file, so I unzipped it and did the following:
Can anyone help with the issue?
The main question is: how do I properly secure Kibana and Elasticsearch plus all the beats that I am using (metricbeat, auditbeat, packetbeat, filebeat)? Possibly any links that could be useful in doing this?
If this type of topic should not be discussed on the forum, can I contact a moderator privately? Then I can discuss and describe the steps I have done.
Copied the HTTP certs to the same directory: cp /etc/elasticsearch/http.p12 /home/es/config/certs
And to http
For each additional Elastic product that you want to configure, copy the certificates to the relevant configuration directory. - ???
Does it include the beats products? If it does, where are the "relevant" configuration directories? Under /etc/...?
Update all clients, tools, and applications that connect to Elasticsearch
to use the https protocol in their configuration URL.
For example, Kibana, Beats, Logstash, language clients, and custom applications.
For me that is:
/etc/kibana/kibana.yml
/etc/filebeat/filebeat.yml #protocol: "https" - for elasticsearch output
/etc/auditbeat/auditbeat.yml #protocol: "https"
/etc/metricbeat/metricbeat.yml #protocol: "https"
/etc/metricbeat/modules.d/elasticsearch-xpack.yml #https
/etc/packetbeat/packetbeat.yml #protocol: "https"
bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost,0.0.0.0
Certificates written to /usr/share/elasticsearch/sk1f_kibana.p12
Certificates written to /usr/share/elasticsearch/certificate-bundle.zip
/usr/share/elasticsearch/bin/elasticsearch-certutil cert -name sk1f_kibana -dns localhost,0.0.0.0 -pem # here I tried -pem to see if there would be a .key output
cp /usr/share/elasticsearch/certificate-bundle.zip /home/es/config/certs/
cp /usr/share/elasticsearch/sk1f_kibana.p12 /home/es/config/certs/
sudo cp certificate-bundle.zip /home/es/config/certs/kibana-server/ # tried the pem format in case p12 is not going to work
in kibana.yml : server.ssl.keystore.path: "/path/to/kibana-server.p12"
["error","plugins","securitySolution"],"pid":13097,"message":"The following index patterns did not match any indices: [\"logs-endpoint.alerts-*\"] name: \"Endpoint Security\" id: \"f98df1a8-82db-11eb-906e-3fd6825689af\" rule id: \"9a1a2dae-0b5f-4c3d-8305-a268d404c306\" signals index: \".siem-signals-default\""}
["error","elasticsearch","data"],"pid":13097,"message":"Request error, retrying\nPOST https://localhost:9200/_bulk => socket hang up"}
Any advice on where the error is, how to fix it, any help, any reply?
All I'm trying to achieve is to get automatic alarm notifications from auditbeat rules. From what I can see, I can do that only by activating the trial licence and making a TLS connection. The other thing is that I have tried to use your guides, and they don't work.
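For reference, here is one way the pieces in the post above fit together, as an added example that is not part of this thread and not Elastic's own documentation. The CA that Kibana and every Beat need to trust the Elasticsearch HTTP certificate is shipped inside elasticsearch-ssl-http.zip as kibana/elasticsearch-ca.pem; there is no .key file to look for, because the private key stays inside elasticsearch/http.p12 on the Elasticsearch node. The file paths, the kibana_server.p12 name, the usernames and the "changeme" passwords are assumptions for this example. Pinning the CA with verification_mode "full" is the configuration-file counterpart of dropping --insecure from the curl command: the client checks the server certificate and hostname instead of trusting anything. Whatever files you point at must be readable by the kibana or beat service user (the chmod 660 issue mentioned later in the thread).

```yaml
# Added example, not from the thread or Elastic's docs. Three files shown as
# separate YAML documents; paths, names and passwords are assumptions.

# ---- /etc/kibana/kibana.yml ----
server.ssl.enabled: true
# PKCS#12 bundle produced by elasticsearch-certutil for the Kibana server cert.
# The kibana service user must be able to read it.
server.ssl.keystore.path: "/etc/kibana/kibana_server.p12"
server.ssl.keystore.password: "changeme"   # assumed; better: bin/kibana-keystore add server.ssl.keystore.password
elasticsearch.hosts: ["https://localhost:9200"]
# elasticsearch-ca.pem comes from kibana/ inside elasticsearch-ssl-http.zip
elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/elasticsearch-ca.pem"]
elasticsearch.ssl.verificationMode: full
elasticsearch.username: "kibana_system"
elasticsearch.password: "changeme"         # assumed; better: bin/kibana-keystore add elasticsearch.password
---
# ---- /etc/auditbeat/auditbeat.yml (same shape for filebeat, metricbeat, packetbeat) ----
output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  username: "elastic"                      # assumed; prefer a role with only the privileges the Beat needs
  password: "changeme"                     # assumed; better: auditbeat keystore add ES_PWD, then "${ES_PWD}"
  # Pin the CA so the Beat verifies the Elasticsearch certificate.
  ssl.certificate_authorities: ["/etc/auditbeat/elasticsearch-ca.pem"]
  # "none" would disable verification, the config equivalent of curl --insecure.
  ssl.verification_mode: full
setup.kibana:
  host: "https://localhost:5601"
  # CA that signed the Kibana server certificate (assumed path)
  ssl.certificate_authorities: ["/etc/auditbeat/kibana-ca.pem"]
---
# ---- /etc/metricbeat/modules.d/elasticsearch-xpack.yml ----
- module: elasticsearch
  xpack.enabled: true
  period: 10s
  hosts: ["https://localhost:9200"]
  username: "remote_monitoring_user"
  password: "changeme"                     # assumed
  ssl.certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
```

With the CA in place the same check from the first post works without --insecure: curl --cacert /etc/kibana/elasticsearch-ca.pem -u elastic "https://localhost:9200/?pretty" (path assumed). Note that 0.0.0.0 is a bind address, not a name a certificate can vouch for, so clients should connect to a hostname or IP that appears in the certificate's SANs.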
You asked a rapid series of not-completely-related questions over a weekend. Please be patient, and please take the time to ask clear questions with all necessary details.
Comments like "I have tried to use your guides - doesn't work" provide no useful information. What didn't work? Where did you get stuck?
I'm having a lot of trouble working out which of your issues still exist, and which issues you have resolved.
Thank you for your reply. Sorry, I did overreact a bit, because before the stage of "securing" the stack the guides are clear and understandable.
Before moving on to configuring the beats I cannot launch Kibana; I explained my steps in the last post written above. Possibly you will be able to see where the mistake is.
Looks like I have found the error why Kibana was not able to start:
I had to chmod 660 /etc/kibana/kibana_server.p12
For next steps I will try to follow your guide and configure beats.