using module panw


Steven Wegner

Apr 13, 2022, 3:59:20 PM4/13/22
to Wazuh mailing list

I am trying to enable the panw module following the instructions from within the local Elasticsearch instructions at /tutorial/panwLogs.

I ran:

./filebeat modules enable panw    (ran successfully and the panw module is enabled)

Then I run:

./filebeat setup

ILM policy and write alias loading not enabled.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": dial tcp [::1]:5601: connect: connection refused. Response: .


I can access via curl:


 curl -u "elastic:XXXXXXXXXXXXX" -k "https://localhost:9200"
{
  "name" : "elasticsearch",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "zQQhPEX9RfSenSkSYBNVRg",
  "version" : {
    "number" : "7.14.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "6bc13727ce758c0e943c3c21653b3da82f627f75",
    "build_date" : "2021-09-15T10:18:09.722761972Z",
    "build_snapshot" : false,
    "lucene_version" : "8.9.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Any ideas where I have gone astray? Thank you!



###filebeat.yml###

# Wazuh - Filebeat configuration file
output.elasticsearch.hosts: ["127.0.0.1:9200"]
output.elasticsearch.password: XXXXXXXXXXXXXXXXXXXX

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

filebeat.config.modules:
  enabled: true
  path: ${path.config}/modules.d/*.yml

setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
output.elasticsearch.username: elastic

###kibana.yml###

server.host: 192.168.100.37
server.port: 443
server.publicBaseUrl: "https://wazuh02.mydomain.local:5601"
elasticsearch.hosts: https://localhost:9200
elasticsearch.password: XXXXXXXXXXXXXXXXXXXX

# Elasticsearch from/to Kibana

elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key

# Browser from/to Kibana
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key

# Elasticsearch authentication
xpack.security.enabled: true
elasticsearch.username: elastic
uiSettings.overrides.defaultRoute: "/app/wazuh"
elasticsearch.ssl.verificationMode: certificate
telemetry.banner: false

###elasticsearch.yml###

network.host: 127.0.0.1
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt

# Elasticsearch authentication
xpack.security.enabled: true

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch


###panw.yml###

# Module: panw
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.14/filebeat-module-panw.html

- module: panw
  panos:
    enabled: true

    # Set which input to use between syslog (default) or file.
    # A YAML mapping needs a space after the colon; "var.input:syslog" is
    # parsed as a bare scalar and rejected when the module config is loaded.
    var.input: syslog

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Set internal security zones. used to determine network.direction
    # default "trust"
    var.internal_zones: trust

    # Set external security zones. used to determine network.direction
    # default "untrust"
    var.external_zones: untrust

Isaac Yusuf

Sep 20, 2022, 11:14:05 AM9/20/22
to Wazuh mailing list

Hello Steven,

Apologies for the delayed response.
Can you share with me the "instructions at /tutorial/panwLogs" that you seem to have used to achieve this task?

There are a couple of things we will troubleshoot to check the health status.

Check the status of filebeat:

systemctl status filebeat

Check the status of kibana:

systemctl status kibana -l

Test communication between filebeat and wazuh-indexer:

filebeat test output

Test the config of filebeat:

filebeat test config

Could you also provide the logs in /var/log on your elasticsearch server?
Share with me the result of these tests and the logs so we know how to proceed further.
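A config cross-check for the failure in Steven's post and the checks Isaac lists, added here as an example and not code from the thread or the Wazuh project: it reads the flat `key: value` lines of the two files and compares the Kibana endpoint that `filebeat setup` will contact (Filebeat's `setup.kibana.host`, which falls back to http://localhost:5601) with the listener kibana.yml declares. The embedded configs are constructed from the thread, and the "fixed" filebeat.yml is a hypothetical illustration, not a confirmed resolution.

```python
from urllib.parse import urlsplit

DEFAULT_KIBANA = "http://localhost:5601"   # Filebeat's fallback when setup.kibana.host is unset

def parse_flat_yaml(text):
    """Collect top-level `key: value` scalars; comments, blanks, nested and
    list lines are skipped (enough for the flat files quoted in the thread)."""
    conf = {}
    for line in text.splitlines():
        if not line or line[0] in "# -":
            continue
        key, sep, value = line.partition(":")
        value = value.strip().strip("\"'")
        if sep and value:                     # a bare "key:" opens a block; ignore it
            conf[key.strip()] = value
    return conf

def kibana_listen_url(kb):
    """URL Kibana serves on, from server.ssl.enabled / server.host / server.port."""
    scheme = "https" if kb.get("server.ssl.enabled", "false").lower() == "true" else "http"
    return f'{scheme}://{kb.get("server.host", "localhost")}:{kb.get("server.port", "5601")}'

def filebeat_setup_url(fb):
    """URL `filebeat setup` contacts: setup.kibana.host, else the default."""
    host = fb.get("setup.kibana.host", DEFAULT_KIBANA)
    if "://" not in host:                     # bare host:port takes setup.kibana.protocol
        host = fb.get("setup.kibana.protocol", "http") + "://" + host
    return host

def check_setup_kibana(filebeat_yml, kibana_yml):
    """Return a list of mismatches; empty means filebeat setup targets the
    endpoint Kibana really listens on (TLS trust via setup.kibana.ssl.* is separate)."""
    fb, kb = parse_flat_yaml(filebeat_yml), parse_flat_yaml(kibana_yml)
    target, listen = urlsplit(filebeat_setup_url(fb)), urlsplit(kibana_listen_url(kb))
    problems = []
    if "setup.kibana.host" not in fb:
        problems.append(f"setup.kibana.host unset: filebeat setup will try {DEFAULT_KIBANA}")
    if target.scheme != listen.scheme:
        problems.append(f"scheme mismatch: filebeat uses {target.scheme}, Kibana serves {listen.scheme}")
    if (target.hostname, target.port) != (listen.hostname, listen.port):
        problems.append(f"endpoint mismatch: filebeat -> {target.netloc}, Kibana listens on {listen.netloc}")
    return problems

# Constructed from the configs quoted in the thread (only the keys the check reads).
KIBANA_YML = "server.host: 192.168.100.37\nserver.port: 443\nserver.ssl.enabled: true\n"
FILEBEAT_YML = 'output.elasticsearch.hosts: ["127.0.0.1:9200"]\noutput.elasticsearch.protocol: https\n'
# Hypothetical fix: point setup at the Kibana listener (CA trust is configured separately).
FILEBEAT_FIXED = FILEBEAT_YML + 'setup.kibana.host: "https://192.168.100.37:443"\n'

if __name__ == "__main__":
    for name, cfg in (("as posted", FILEBEAT_YML), ("with setup.kibana.host", FILEBEAT_FIXED)):
        print(name, "->", check_setup_kibana(cfg, KIBANA_YML) or "consistent")
```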
