using module panw
376 views
Skip to first unread message
Steven Wegner
Apr 13, 2022, 3:59:20 PM4/13/22
to Wazuh mailing list
I am trying to enable the panw module following the instruction form within local elastic seach instructions at /tutorial/panwLogs
I ran:
./filebeat modules enable panw (ran successfully and the panw module is enabled)
Then I run:
./filebeat setup
ILM policy and write alias loading not enabled.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": dial tcp [::1]:5601: connect: connection refused. Response: .
I can access via curl:
Then I run:
./filebeat setup
ILM policy and write alias loading not enabled.
Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": dial tcp [::1]:5601: connect: connection refused. Response: .
I can access via curl:
curl -u "elastic:XXXXXXXXXXXXX" -k "https://localhost:9200"
{
"name" : "elasticsearch",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "zQQhPEX9RfSenSkSYBNVRg",
"version" : {
"number" : "7.14.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "6bc13727ce758c0e943c3c21653b3da82f627f75",
"build_date" : "2021-09-15T10:18:09.722761972Z",
"build_snapshot" : false,
"lucene_version" : "8.9.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Any ideas where I have gone astray? Thank you!
###filebeat.yml###
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts: ["127.0.0.1:9200"]
output.elasticsearch.password: XXXXXXXXXXXXXXXXXXXX
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
filebeat.config.modules:
enabled: true
path: ${path.config}/modules.d/*.yml
setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
output.elasticsearch.username: elastic
###kibana.yml###
server.host: 192.168.100.37
server.port: 443
server.publicBaseUrl: "https://wazuh02.mydomain.local:5601"
elasticsearch.hosts: https://localhost:9200
elasticsearch.password: XXXXXXXXXXXXXXXXXXXX
# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
# Browser from/to Kibana
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
# Elasticsearch authentication
xpack.security.enabled: true
elasticsearch.username: elastic
uiSettings.overrides.defaultRoute: "/app/wazuh"
elasticsearch.ssl.verificationMode: certificate
telemetry.banner: false
###elasticearch.yml###
network.host: 127.0.0.1
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch
# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
# Elasticsearch authentication
xpack.security.enabled: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
###panw.yml###
# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.14/filebeat-module-panw.html
- module: panw
panos:
enabled: true
# Set which input to use between syslog (default) or file.
var.input:syslog
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Set internal security zones. used to determine network.direction
# default "trust"
var.internal_zones:trust
# Set external security zones. used to determine network.direction
# default "untrust"
var.external_zones:untrust
{
"name" : "elasticsearch",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "zQQhPEX9RfSenSkSYBNVRg",
"version" : {
"number" : "7.14.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "6bc13727ce758c0e943c3c21653b3da82f627f75",
"build_date" : "2021-09-15T10:18:09.722761972Z",
"build_snapshot" : false,
"lucene_version" : "8.9.0",
"minimum_wire_compatibility_version" : "6.8.0",
"minimum_index_compatibility_version" : "6.0.0-beta1"
},
"tagline" : "You Know, for Search"
}
Any ideas where I have gone astray? Thank you!
###filebeat.yml###
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts: ["127.0.0.1:9200"]
output.elasticsearch.password: XXXXXXXXXXXXXXXXXXXX
filebeat.modules:
- module: wazuh
alerts:
enabled: true
archives:
enabled: false
filebeat.config.modules:
enabled: true
path: ${path.config}/modules.d/*.yml
setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false
output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
output.elasticsearch.username: elastic
###kibana.yml###
server.host: 192.168.100.37
server.port: 443
server.publicBaseUrl: "https://wazuh02.mydomain.local:5601"
elasticsearch.hosts: https://localhost:9200
elasticsearch.password: XXXXXXXXXXXXXXXXXXXX
# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
# Browser from/to Kibana
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key
# Elasticsearch authentication
xpack.security.enabled: true
elasticsearch.username: elastic
uiSettings.overrides.defaultRoute: "/app/wazuh"
elasticsearch.ssl.verificationMode: certificate
telemetry.banner: false
###elasticearch.yml###
network.host: 127.0.0.1
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch
# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
# Elasticsearch authentication
xpack.security.enabled: true
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
###panw.yml###
# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.14/filebeat-module-panw.html
- module: panw
panos:
enabled: true
# Set which input to use between syslog (default) or file.
var.input:syslog
# Set custom paths for the log files. If left empty,
# Filebeat will choose the paths depending on your OS.
#var.paths:
# Set internal security zones. used to determine network.direction
# default "trust"
var.internal_zones:trust
# Set external security zones. used to determine network.direction
# default "untrust"
var.external_zones:untrust
Isaac Yusuf
Sep 20, 2022, 11:14:05 AM9/20/22
to Wazuh mailing list
Hello Steven,
Apologies for the delayed response.
Can you share with me the "instructions at /tutorial/panwLogs" that you seem to have used to achieve this task?
There are a couple of things we will troubleshoot to check the health status
Check the status of filebeat:
systemctl status filebeat
Check the status of kibana:
systemctl status kibana -l
Test communication between filebeat and wazuh-indexer:
filebeat test output
Test the config of filebeat:
filebeat test config
Could you also provide the logs in /var/log on your elasticsearch server?
Share with me the result of these tests and the logs so we know how to proceed further.
Reply all
Reply to author
Forward
0 new messages