Hello,
I'm having trouble with what seems like a standard scenario and I can't figure out what I'm doing wrong.
The setup: I installed Elasticsearch and Kibana (version 7.8.1 for both) on the same server. I kept the configuration files for these 2 almost untouched; the only changes were (in this scenario, 192.168.10.5 is the IP address of the server):
elasticsearch.yml:
    network.host: [127.0.0.1,192.168.10.5]
    node.name: es-node
    cluster.initial_master_nodes: ["es-node"]
kibana.yml:
    server.host: "192.168.10.5"
Elasticsearch and Kibana are both installed on a CentOS 8 (64-bit) server. To make sure that it wouldn't cause a problem, I disabled the "firewalld" service and SELinux (by setting the right option in /etc/selinux/config and then restarting the server).
I have another server (Debian 10) with Zeek 3.1.5 installed on it. Both servers are connected to the same switch and have IPs on the same subnet (192.168.10.0/24).
What I'm trying to do: I want to use the Zeek module for Filebeat and use the Kibana dashboards.
The problem: On the Zeek server, I installed Filebeat via apt (version 7.8.1) and set the configuration like this:
    output.elasticsearch:
      hosts: ["192.168.10.5:9200"]
    setup.kibana:
      host: "192.168.10.5:5601"
I then enabled the Zeek Filebeat module and then I entered:
    filebeat setup
There were no errors in the returned output:
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite:true` for enabling.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards
Setting up ML using setup --machine-learning is going to be removed in 8.0.0. Please use the ML app instead.
See more: https://www.elastic.co/guide/en/elastic-stack-overview/current/xpack-ml.html
Loaded machine learning job configurations
Loaded Ingest pipelines
However, when I look at the "filebeat-*" index in the "Discover" tab of Kibana it is never populated.
And when I try to look at the Zeek pre-made dashboard, I get a lot of these errors:
I have another server (Debian 10) on the same subnet (same switch). I installed Auditbeat on it, edited the auditbeat.yml file and then ran the setup command. The auditbeat-* index was successfully created and is populated (I don't know what it implies, but I thought it could be relevant information).
What I tried so far:
From what I could find on these forums, I thought it might be an XPack problem, so I disabled all the XPack features in elasticsearch.yml. It didn't change anything.
I found a post in the Kibana forums which suggested that since the Zeek module had been created for Zeek 2.6.1, maybe using a version newer than 3.0.0 was the source of the problem.
I uninstalled Zeek from the Debian server and reinstalled Bro 2.6.1 (at version 2.6.1, Zeek was named Bro), I restarted Filebeat and reran the setup command. This didn't change anything.
I thought that maybe the fact that Bro was installed in another path could still be a problem, so I edited the /etc/filebeat/modules.d/zeek.yml to add this line:
    var.paths: ["/usr/local/bro/logs/current/*.log"]
I then restarted Filebeat and reran the setup command. It didn't change anything.
Can you help me figure out what I did wrong and how I can further troubleshoot this issue?
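A diagnostic that is worth running on the Zeek host before looking further at Filebeat or Elasticsearch. This is an added example, not part of the original post and not code from Elastic or the Zeek project. It assumes (as the Filebeat zeek module documentation states) that the module's ingest pipelines decode one JSON object per line, while Zeek's ASCII writer produces tab-separated logs with a "#separator" header by default unless policy/tuning/json-logs is loaded; TSV logs are harvested but never land as documents in filebeat-*. The log directory and the sample lines below are constructed for the example.

```python
"""Check whether Zeek log files are JSON (what the Filebeat zeek module
ingests) or Zeek's default tab-separated ASCII format.

Added diagnostic example; not from the original post. Assumption: the
Filebeat zeek module expects one JSON object per line, so TSV logs are
read by Filebeat but rejected by the ingest pipeline.
"""
import glob
import json
import os


def detect_zeek_log_format(lines):
    """Classify the first non-empty Zeek log line as 'json', 'tsv',
    'unknown', or 'empty' when no content line is present."""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        # Zeek's ASCII writer opens every TSV log with '#separator' and
        # later emits a '#fields' header; either one identifies TSV.
        if line.startswith("#separator") or line.startswith("#fields"):
            return "tsv"
        if line.startswith("{"):
            try:
                obj = json.loads(line)
            except ValueError:
                return "unknown"
            # Every Zeek JSON record carries the 'ts' timestamp field.
            return "json" if isinstance(obj, dict) and "ts" in obj else "unknown"
        return "unknown"
    return "empty"


def check_zeek_log_dir(log_dir):
    """Return {filename: format} for every *.log in log_dir, the same glob
    the Filebeat module reads (e.g. /opt/zeek/logs/current, assumed path)."""
    results = {}
    for path in sorted(glob.glob(os.path.join(log_dir, "*.log"))):
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = [fh.readline() for _ in range(5)]
        results[os.path.basename(path)] = detect_zeek_log_format(head)
    return results


# Constructed sample lines in both formats (not captured from a real sensor).
SAMPLE_TSV = [
    "#separator \\x09",
    "#set_separator\t,",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1598000000.123456\tCHhAvVGS1DHFjwGM9\t192.168.10.20\t51234\t192.168.10.5\t9200\ttcp",
]
SAMPLE_JSON = [
    '{"ts":1598000000.123456,"uid":"CHhAvVGS1DHFjwGM9","id.orig_h":"192.168.10.20",'
    '"id.orig_p":51234,"id.resp_h":"192.168.10.5","id.resp_p":9200,"proto":"tcp"}',
]

if __name__ == "__main__":
    print("sample tsv :", detect_zeek_log_format(SAMPLE_TSV))
    print("sample json:", detect_zeek_log_format(SAMPLE_JSON))
    # Point this at the directory your var.paths glob covers.
    for name, fmt in check_zeek_log_dir("/opt/zeek/logs/current").items():
        print(f"{name}: {fmt}")
```

Run it on the Zeek host with the directory your var.paths entry points at; any file reported as "tsv" will not produce documents through the zeek module until Zeek is switched to JSON output, and an empty result means the glob matches no files at all, which is the other common reason an index stays empty even though "filebeat setup" succeeds.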