I activated the threatintel module for Filebeat but still don't get any data.
I have this in my logs:
```
Nov 1 03:00:02 hostname filebeat[560069]: {"log.level":"info","@timestamp":"2022-11-01T03:00:02.308Z","log.logger":"input.httpjson-stateless","log.origin":{"file.name":"httpjson/request.go","file.line":397},"message":"request finished: 1000 events published","service.name":"filebeat","id":"theid","input_url":"https://urlhaus-api.abuse.ch/v1/payloads/recent/","ecs.version":"1.6.0"}
```
I do not see the data or any dashboard. Can you help please? I am new to this part of the app.
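As an added example (not code from the thread above), here is a small triage script that parses Filebeat's own syslog-wrapped JSON log lines, like the one quoted in the post, and sums the `events published` count per `input_url`; a non-zero total confirms the threatintel httpjson input is fetching and publishing, so a missing dashboard is a downstream index or dashboard problem rather than an ingest problem. The first sample line is the one from the post; the other two lines are constructed (a second abuse.ch endpoint and a plain non-JSON Filebeat log line that the parser must skip).

```python
import json
import re
from collections import defaultdict

# Constructed sample: Filebeat's JSON log as it appears behind a syslog prefix.
# Line 1 is the line quoted in the post; lines 2 and 3 are constructed variants.
SAMPLE_SYSLOG = """\
Nov 1 03:00:02 hostname filebeat[560069]: {"log.level":"info","@timestamp":"2022-11-01T03:00:02.308Z","log.logger":"input.httpjson-stateless","log.origin":{"file.name":"httpjson/request.go","file.line":397},"message":"request finished: 1000 events published","service.name":"filebeat","id":"theid","input_url":"https://urlhaus-api.abuse.ch/v1/payloads/recent/","ecs.version":"1.6.0"}
Nov 1 03:10:02 hostname filebeat[560069]: {"log.level":"info","@timestamp":"2022-11-01T03:10:02.101Z","log.logger":"input.httpjson-stateless","log.origin":{"file.name":"httpjson/request.go","file.line":397},"message":"request finished: 250 events published","service.name":"filebeat","id":"theid","input_url":"https://urlhaus-api.abuse.ch/v1/urls/recent/","ecs.version":"1.6.0"}
Nov 1 03:10:03 hostname filebeat[560069]: Non-zero metrics in the last 30s
"""

# Matches the httpjson input's per-request summary message.
PUBLISHED_RE = re.compile(r"request finished: (\d+) events published")


def parse_filebeat_syslog_line(line):
    """Return the JSON object Filebeat wrote after the syslog prefix, or None
    when the line carries no parseable JSON payload."""
    start = line.find("{")
    if start == -1:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None


def events_published_per_url(syslog_text):
    """Sum 'events published' per httpjson input_url across Filebeat log lines.
    Lines from other loggers or without a JSON payload are ignored."""
    totals = defaultdict(int)
    for line in syslog_text.splitlines():
        record = parse_filebeat_syslog_line(line)
        if not record or record.get("log.logger") != "input.httpjson-stateless":
            continue
        match = PUBLISHED_RE.search(record.get("message", ""))
        if match:
            totals[record.get("input_url", "unknown")] += int(match.group(1))
    return dict(totals)


if __name__ == "__main__":
    for url, count in events_published_per_url(SAMPLE_SYSLOG).items():
        print(f"{count:>6} events published from {url}")
```

Feed it the real journal output (for example `journalctl -u filebeat | python3 script.py` after replacing `SAMPLE_SYSLOG` with `sys.stdin.read()`) to check which abuse.ch endpoints are actually delivering events.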
Now I can see the threat intelligence data. I can even inspect the sources. I am using ECK with Logstash and Kafka. I already have the Filebeat dashboard overview display. It is only this dashboard that I do not have.
I saw an issue like this in Elastic Security version 7.16. Have you tried checking Space Security permissions? Check if a variable is set to true and without the # in filebeat.yml.
Hi @emmanuel_stevens_LED, the Threat Intelligence Overview dashboard from the Threat Intelligence Utils package only supports Elastic Agent Threat Intelligence integrations and doesn't support Filebeat integrations. But you can edit this dashboard to start showing the data coming from the Filebeat integrations. You need to specify the correct index pattern (filebeat-* in your case) and adjust the filtering. Here is an example of how it might look:
I have a configuration of (beats, kafka, logstash, elastic, kibana) in that order. I see that the Elastic Agent does not support Kafka output; what solution can you point me to?
Will it work if I add a Logstash before the Kafka, so I can have a config like (agent, logstash, kafka, logstash, elastic, kibana)? Would that last configuration provide the threat dashboard?
@emmanuel_stevens_LED it's hard to give advice without the details of your requirements. I'm not sure why you need Kafka and Logstash in front of the beats. As beats and Elastic Agent can ingest directly into Elasticsearch, by default you shouldn't need Kafka and Logstash to get the data from them into Elasticsearch. For the dashboard to work you either need the Threat Intelligence data stored in logs-* indexes (Elastic Agent Threat Intelligence integrations by default store the data in logs-ti_* indexes), or edit the dashboard so that the lenses in this dashboard use the index where you currently store the Threat Intelligence data.