All-In-One and next steps

Matt Schenkman

Oct 25, 2021, 6:55:51 PM
to Wazuh mailing list
Hey all,

Long time Wazuh user, sometimes poster. We opted to try and start fresh with an integrated AIO setup with ES, Kibana, and Wazuh. We figured that we can add cluster members and branch out starting with the AIO, but I wanted to get folks' takes on that.

Another thing I'm working on is the fact that, out of the box, Kibana operated on 443, thus any filebeat setup commands were stymied with the following error: 
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://127.0.0.1:5601/api/status fails: fail to execute the HTTP GET request: Get "https://127.0.0.1:5601/api/status": x509: certificate signed by unknown authority. Response: .

My filebeat.yml is basic and looks like this:
# Wazuh - Filebeat configuration file
output.elasticsearch.hosts:
        - 127.0.0.1:9200
#        - <elasticsearch_ip_node_2>:9200
#        - <elasticsearch_ip_node_3>:9200

output.elasticsearch:
  protocol: https
  username: wazuh
  password: ****** (redacted)
  ssl.certificate_authorities:
    - /etc/filebeat/certs/root-ca.pem
  ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
  ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
setup.template.json.enabled: true
setup.template.json.path: '/etc/filebeat/wazuh-template.json'
setup.ilm.overwrite: true
setup.ilm.enabled: false

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:
  #verification_mode: none
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify an additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "127.0.0.1:5601"
  server.ssl.enabled: true
  server.ssl.key: "/etc/kibana/certs/kibana-key.pem"
  server.ssl.certificate: "/etc/kibana/certs/kibana.pem"
  elasticsearch.ssl.certificateAuthorities: ["/etc/kibana/certs/root-ca.pem"]

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

Any and all help/direction is appreciated.

Maximiliano Ibarra

Oct 27, 2021, 2:18:39 PM
to Wazuh mailing list
Hi Matt, thanks for contacting us.
First, thanks for sharing your config files.
Seeing your error message, this could be a certificates problem. For this reason, the service didn't start successfully.
First, can you tell me which Wazuh version you have installed, and which official tutorial you followed? (If you can, add the link to this thread.)
Secondly, did you check whether your Filebeat environment is running? You can check it with this command:
  • filebeat test output
Surely, the command above should display the same certificate error message.
Also, we need to check whether your certificates' information matches. Please run these commands to verify it.
  • openssl x509 -noout -in /etc/elasticsearch/certs/elasticsearch.pem -subject -issuer
  • openssl x509 -noout -in /etc/elasticsearch/certs/ca/root-ca.pem -subject -issuer

  • openssl x509 -noout -in /etc/kibana/certs/kibana.pem -subject -issuer
  • openssl x509 -noout -in /etc/kibana/certs/ca/root-ca.pem -subject -issuer

  • openssl x509 -noout -in /etc/filebeat/certs/filebeat.pem -subject -issuer
  • openssl x509 -noout -in /etc/filebeat/certs/ca/root-ca.pem -subject -issuer
If they don't match, you can generate them again: https://documentation.wazuh.com/current/user-manual/certificates.html
That's all for now.
I'm looking forward to your reply.
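The subject/issuer comparison suggested above, as an added example script that is not part of the reply or of the Wazuh documentation: it prints both fields for a leaf certificate, refuses a leaf whose issuer is not the CA's subject, and then runs `openssl verify` so the signature is checked as well, not just the names. It assumes the `openssl` CLI is on PATH; the CA/leaf files and their CN values are constructed in a temp directory for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a component certificate was
# really issued by the root-ca.pem that Filebeat/Kibana/Elasticsearch point at.
set -eu

# Show subject and issuer of $1, then verify it against CA file $2.
# Returns 0 only when the leaf's issuer equals the CA's subject AND the
# signature chain verifies; a name match alone does not prove the signer.
check_cert_chain() {
  cert=$1; ca=$2
  subject=$(openssl x509 -noout -in "$cert" -subject | sed 's/^subject=//')
  issuer=$(openssl x509 -noout -in "$cert" -issuer | sed 's/^issuer=//')
  ca_subject=$(openssl x509 -noout -in "$ca" -subject | sed 's/^subject=//')
  printf '%s\n  subject: %s\n  issuer:  %s\n' "$cert" "$subject" "$issuer"
  if [ "$issuer" != "$ca_subject" ]; then
    echo "  MISMATCH: issuer differs from CA subject ($ca_subject)"; return 1
  fi
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1
}

# Constructed demo material: a root CA that signed the filebeat leaf, and a
# second, unrelated CA (the "unknown authority" situation from the thread).
make_demo_certs() {
  dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo-root-ca' \
    -keyout "$dir/root-ca-key.pem" -out "$dir/root-ca.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=other-root-ca' \
    -keyout "$dir/other-ca-key.pem" -out "$dir/other-ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=filebeat' \
    -keyout "$dir/filebeat-key.pem" -out "$dir/filebeat.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/filebeat.csr" -CA "$dir/root-ca.pem" \
    -CAkey "$dir/root-ca-key.pem" -CAcreateserial -out "$dir/filebeat.pem" 2>/dev/null
}

# Demo: the correct CA passes, the unrelated CA is rejected.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
check_cert_chain "$demo_dir/filebeat.pem" "$demo_dir/root-ca.pem" && echo "  OK"
check_cert_chain "$demo_dir/filebeat.pem" "$demo_dir/other-ca.pem" || echo "  rejected (expected)"
rm -rf "$demo_dir"
```

To run it against a real install, call `check_cert_chain /etc/filebeat/certs/filebeat.pem /etc/filebeat/certs/root-ca.pem` (and likewise for the Kibana and Elasticsearch files) instead of the demo block.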


Matt Schenkman

Oct 27, 2021, 2:47:03 PM
to Wazuh mailing list
Max,

I resolved that issue. It was certainly a cert issue. I had remmed out some cert lines and was using the wrong ssl.validation switch. I can now connect to Kibana and run filebeat setup commands.

Question now though: What are the recommended filebeat commands to get the necessary indices loaded, dashboards, and all that? I've used filebeat setup only so far.
