Channels
android_tests
apple-silicon
arm-architecture
auditing-warroom
aws
carving
code-review
community-feeds
core
darkbytes
doorman
ebpf
eclecticiq-polylogyx-extension
extensions
file-carving
fim
fleet
fleet-dev
fleetosquery
foundation
fuzzing
general
golang
goquery
infrastructure
jobs
kolide
linen-dev
linux
macos
officehours
osctrl
plugins
process-auditing
querycon
queryhub
random
selfgroup
sql
tls
uptycs
vendor-feeds
website
windows
zeek
zentral
zercurity
Title
k
killahquam
08/10/2018, 9:03 PMhi all, anyone using osquery module in filebeat with ELK. all my fields in kibana starts with json. i.e json.host_identifier despite having var.namespace: true
d
defensivedepth
08/11/2018, 1:35 PMvar.use_namespace should be true by default. I have not set it, and I am seeing expected results (ie osquery.result)
k
killahquam
08/13/2018, 7:48 AM@defensivedepth not for me, a lot of items are starting as json.host_Identifier, etc
d
defensivedepth
08/13/2018, 11:34 AMWhat does your osquery module config look like? Also what version are you running?
k
killahquam
08/13/2018, 4:51 PM@defensivedepth filbeat version 6.3.2
filebeat.modules:
- module: osquery
result:
enabled: true
var.paths: [“/tmp/osquery_result”]
var.use_namespace: true
d
defensivedepth
08/13/2018, 4:58 PMhmmm. Are you doing any processing in Filebeat before outputting? Also, what does your FB output look like?
k
killahquam
08/13/2018, 5:12 PMi dont think so, the FB output from /logs u mean ?
that looks normal
d
defensivedepth
08/13/2018, 5:21 PMUnder your FB Outputs, are you sending directly to ES?
k
killahquam
08/13/2018, 5:23 PMlogstash
should it be to ES instead?
d
defensivedepth
08/13/2018, 5:29 PMWell, that is probably the issue. iirc, the osquery module uses the ES ingest node, so that is probably where some of that of that normalization is happening.
k
killahquam
08/13/2018, 5:30 PMso, send the data from filebeat to ES and then ES will deal with the rest ?
let me try
d
defensivedepth
08/13/2018, 7:01 PMYes, try that
k
killahquam
08/13/2018, 8:00 PMnope gave me an error
that connection refused but i know 9200 is open and listening
its from one box to another
d
defensivedepth
08/13/2018, 8:20 PMCan you do a successful ‘curl ElasticHost:9200’ from the FB system?
k
killahquam
08/13/2018, 8:27 PMnope connection refused
but on the elk box same this does output
so i think it just not listening outside of itself
d
defensivedepth
08/13/2018, 8:31 PMCheck the ES config file (elasticsearch.yml) for the network.host setting. https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
k
killahquam
08/13/2018, 8:31 PMyup that was it
it wasn’t set to accept outside of 127.0.0.1
am getting a kibana error but let me check
d
defensivedepth
08/13/2018, 8:32 PMnot sure of your setup, but make sure that it isnt publicly accessible now 🙂
k
killahquam
08/13/2018, 8:32 PMyeah
it now works
thanks the issue was i wasn’t sending to elasticsearch and directly to logstash @defensivedepth thank you
🍻 1