Dear all,
I really didn't want to post a question here, and I have been trying for a week to fix my issue, but I can't seem to figure this out.
I am trying to do some tests on Elastic Search Endpoint Security (using Elastic as an EDR), and every time I try to set it up, something goes wrong. I tried on my HP DL380 G5 running ESXi but no luck.
Now I am trying on my host machine, on VMware Workstation 15 Pro (15.5.1) running on Ubuntu Server 20.0, following almost exactly what this guide says.
I think I have Elasticsearch running probably fine, and I have almost completed the Kibana installation. The problem is that the Kibana service only runs for about 10 seconds and then stops.
Ubuntu IP: 192.168.1.35
When I visit https://192.168.1.35:9200, the response I get is:
{
"name" : "elastic",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "HI1740PGQN-qJDsYqB6qcA",
"version" : {
"number" : "7.15.1",
"build_flavor" : "default",
"build_type" : "deb",
"build_hash" : "83c34f456ae29d60e94d886e455e6a3409bba9ed",
"build_date" : "2021-10-07T21:56:19.031608185Z",
"build_snapshot" : false,
"lucene_version" : "8.9.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
From the guide I am following, I believe he has probably forgotten to add some things that we need to uncomment. These are:
" server.port:5601"
and also add
"discovery.seed_hosts: [ ]"
The former was trial and error from the post here, but no luck with this either.
In kibana.yml the only settings I have uncommented are:
server.port: 5601
server.host: "192.168.1.35"
elasticsearch.hosts: ["https://192.168.1.35:9200"]
elasticsearch.username: "kibana_system"
server.ssl.enabled: true
server.ssl.keystore.path: /etc/kibana/http.p12
server.ssl.keystore.password: "123456"
elasticsearch.ssl.certificateAuthorities: /etc/kibana/elasticsearch-ca.pem
xpack.encryptedSavedObjects.encryptionKey: "salkdjfhasldfkjhasdlfkjhasdflkasjdfhslkajfhasldkfjhasdlaksdjfh"
With these settings, when I try to restart the Kibana service I get no error messages in the terminal. If I check the status of the service within the first 10 seconds it says "active (running)", but about 10s after that I get the message:
kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2022-08-25 01:22:39 UTC; 56s ago
Docs: https://www.elastic.co
Process: 11326 ExecStart=/usr/share/kibana/bin/kibana --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid (code=exited, status=78)
Main PID: 11326 (code=exited, status=78)
Aug 25 01:22:39 elastic systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Aug 25 01:22:39 elastic systemd[1]: Stopped Kibana.
Aug 25 01:22:39 elastic systemd[1]: kibana.service: Start request repeated too quickly.
Aug 25 01:22:39 elastic systemd[1]: kibana.service: Failed with result 'exit-code'.
Aug 25 01:22:39 elastic systemd[1]: Failed to start Kibana.
Other errors I get are:
● kibana.service - Kibana
Loaded: loaded (/etc/systemd/system/kibana.service; disabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2022-08-25 01:40:58 UTC; 7s ago
Docs: https://www.elastic.co
Process: 12368 ExecStart=/usr/share/kibana/bin/kibana --logging.dest=/var/log/kibana/kibana.log --pid.file=/run/kibana/kibana.pid (code=exited, status=1/FAILURE)
Main PID: 12368 (code=exited, status=1/FAILURE)
Aug 25 01:40:55 elastic kibana[12368]: column: 0
Aug 25 01:40:55 elastic kibana[12368]: }
Aug 25 01:40:55 elastic kibana[12368]: }
Aug 25 01:40:55 elastic systemd[1]: kibana.service: Main process exited, code=exited, status=1/FAILURE
Aug 25 01:40:55 elastic systemd[1]: kibana.service: Failed with result 'exit-code'.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Aug 25 01:40:58 elastic systemd[1]: Stopped Kibana.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Start request repeated too quickly.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Failed with result 'exit-code'.
Aug 25 01:40:58 elastic systemd[1]: Failed to start Kibana.
One of the errors was: "FATAL Error: [config validation of [server].ssl.keystore.password]: expected value of type [string] but got [number]"
And after this thread, I tried making some changes to the name "ELASTICSEARCH_HOSTS=["https://X.X.X.X:XXXX"]", but with no luck.
Now, if I run sudo journalctl --unit kibana -f, I get these results:
-- Logs begin at Mon 2022-08-22 19:56:30 UTC. --
Aug 25 01:40:55 elastic kibana[12368]: column: 0
Aug 25 01:40:55 elastic kibana[12368]: }
Aug 25 01:40:55 elastic kibana[12368]: }
Aug 25 01:40:55 elastic systemd[1]: kibana.service: Main process exited, code=exited, status=1/FAILURE
Aug 25 01:40:55 elastic systemd[1]: kibana.service: Failed with result 'exit-code'.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Scheduled restart job, restart counter is at 3.
Aug 25 01:40:58 elastic systemd[1]: Stopped Kibana.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Start request repeated too quickly.
Aug 25 01:40:58 elastic systemd[1]: kibana.service: Failed with result 'exit-code'.
Aug 25 01:40:58 elastic systemd[1]: Failed to start Kibana.
Edit: My elasticsearch.yml is the following:
path.logs: /var/log/elasticsearch
network.host: ["ens33", "local"]
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.client_authentication: required
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12
I am still a noob-ie trying to learn, so please be kind.
Does anyone with more experience than me have any idea what I might be doing wrong?
Thank you
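Added example, not part of the post above and not code from Elastic: a small Python lint for the kibana.yml pitfalls visible in this thread. It flags two settings that ended up on one line (as server.ssl.keystore.password and elasticsearch.ssl.certificateAuthorities did above), an unquoted numeric password that YAML types as a number (which is exactly what produces the "expected value of type [string] but got [number]" fatal error), duplicate settings, tab indentation, and an encryption key shorter than the 32 characters Kibana requires. The sample configurations are constructed from the settings quoted in the post; the set of string-typed settings is an assumption drawn from the Kibana settings reference and is not exhaustive.

```python
"""Static checks for common kibana.yml mistakes (added example, not Elastic's code)."""
import re

# Settings whose value Kibana's config schema requires to be a string. YAML types an
# unquoted value such as 123456 as a number, which Kibana rejects at startup.
# Assumption: list taken from the Kibana settings reference; not exhaustive.
STRING_SETTINGS = {
    "server.ssl.keystore.password",
    "server.ssl.truststore.password",
    "elasticsearch.ssl.keystore.password",
    "elasticsearch.ssl.truststore.password",
    "elasticsearch.password",
    "elasticsearch.serviceAccountToken",
    "xpack.encryptedSavedObjects.encryptionKey",
    "xpack.security.encryptionKey",
    "xpack.reporting.encryptionKey",
}
# Encryption keys Kibana requires to be at least 32 characters long.
MIN32_SETTINGS = {
    "xpack.encryptedSavedObjects.encryptionKey",
    "xpack.security.encryptionKey",
    "xpack.reporting.encryptionKey",
}

TOP_LEVEL_RE = re.compile(r"^([A-Za-z_][\w.]*):\s*(.*?)\s*$")
# A second dotted setting name followed by ':' inside what should be a plain value.
# The lookbehind keeps 'https://host:9200' and '/etc/kibana/http.p12' from matching.
EMBEDDED_KEY_RE = re.compile(r"(?<![\w/\-])([A-Za-z_]\w*(?:\.\w+)+):(?=\s|$)")
NUMBER_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


def lint_kibana_yml(text):
    """Return a list of (line_number, severity, setting, message) findings."""
    findings = []
    seen = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.startswith("\t"):
            findings.append((lineno, "ERROR", "", "tab indentation is not valid YAML"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TOP_LEVEL_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in seen:
            findings.append((lineno, "ERROR", key, f"duplicate setting, first seen on line {seen[key]}"))
        seen[key] = lineno

        fused = EMBEDDED_KEY_RE.search(value)
        if fused:
            findings.append((lineno, "ERROR", key,
                             f"setting '{fused.group(1)}' is fused onto this line; put it on its own line"))
            continue  # the rest of the value is unreliable once two settings share a line

        if key in STRING_SETTINGS and NUMBER_RE.match(value):
            findings.append((lineno, "ERROR", key,
                             "unquoted numeric value is typed as a number but Kibana expects a string; quote it"))
        if key in MIN32_SETTINGS and len(value.strip("\"'")) < 32:
            findings.append((lineno, "ERROR", key, "must be at least 32 characters long"))

    if "elasticsearch.username" in seen and not (
        "elasticsearch.password" in seen or "elasticsearch.serviceAccountToken" in seen
    ):
        findings.append((0, "INFO", "elasticsearch.username",
                         "no elasticsearch.password or serviceAccountToken in kibana.yml; "
                         "the credential must then be in the Kibana keystore"))
    return findings


def errors(text):
    """Only the findings that would stop Kibana from starting."""
    return [f for f in lint_kibana_yml(text) if f[1] == "ERROR"]


# Constructed sample: the settings quoted in the post, each on its own line.
CLEAN_KIBANA_YML = """\
server.port: 5601
server.host: "192.168.1.35"
elasticsearch.hosts: ["https://192.168.1.35:9200"]
elasticsearch.username: "kibana_system"
server.ssl.enabled: true
server.ssl.keystore.path: /etc/kibana/http.p12
server.ssl.keystore.password: "123456"
elasticsearch.ssl.certificateAuthorities: /etc/kibana/elasticsearch-ca.pem
xpack.encryptedSavedObjects.encryptionKey: "salkdjfhasldfkjhasdlfkjhasdflkasjdfhslkajfhasldkfjhasdlaksdjfh"
"""
# Constructed: the same file with the two settings fused onto one line, as in the post.
FUSED_KIBANA_YML = CLEAN_KIBANA_YML.replace(
    'server.ssl.keystore.password: "123456"\n', 'server.ssl.keystore.password: "123456"')
# Constructed: the password without quotes, which YAML reads as a number.
UNQUOTED_KIBANA_YML = CLEAN_KIBANA_YML.replace('"123456"', "123456")

if __name__ == "__main__":
    for name, cfg in (("fused", FUSED_KIBANA_YML), ("unquoted", UNQUOTED_KIBANA_YML)):
        for lineno, sev, key, msg in lint_kibana_yml(cfg):
            print(f"{name}: line {lineno} {sev} {key}: {msg}")
```

Run it against a real file with `lint_kibana_yml(open("/etc/kibana/kibana.yml").read())`; it is a line-based check, not a YAML parser, so it only catches the top-level `key: value` mistakes discussed here. The keystore-password finding appears at INFO rather than ERROR because a password kept in the Kibana keystore is the recommended arrangement, not a defect.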