hi all anyone using osquery module in filebeat with ELK all

Question

hi all anyone using osquery module in filebeat with ELK all my fields in kibana starts with json i e json host identifier despite having var namespace true

defensivedepth · Answer

var use namespace should be true by default I have not set it and I am seeing expected results ie osquery result

killahquam · Answer

< defensivedepth> not for me a lot of items are starting as json host Identifier etc

defensivedepth · Answer

What does your osquery module config look like Also what version are you running

killahquam · Answer

< defensivedepth> filbeat version 6 3 2

killahquam · Answer

filebeat modules module osquery result enabled true var paths tmp osquery result var use namespace true

defensivedepth · Answer

hmmm Are you doing any processing in Filebeat before outputting Also what does your FB output look like

killahquam · Answer

i dont think so the FB output from logs u mean

killahquam · Answer

that looks normal

defensivedepth · Answer

Under your FB Outputs are you sending directly to ES

killahquam · Answer

logstash

killahquam · Answer

should it be to ES instead

defensivedepth · Answer

Well that is probably the issue iirc the osquery module uses the ES ingest node so that is probably where some of that of that normalization is happening

killahquam · Answer

so send the data from filebeat to ES and then ES will deal with the rest

killahquam · Answer

let me try

defensivedepth · Answer

Yes try that

killahquam · Answer

nope gave me an error

killahquam · Answer

that connection refused but i know 9200 is open and listening

killahquam · Answer

its from one box to another

defensivedepth · Answer

Can you do a successful curl ElasticHost 9200 from the FB system

killahquam · Answer

nope connection refused

killahquam · Answer

but on the elk box same this does output

killahquam · Answer

so i think it just not listening outside of itself

defensivedepth · Answer

Check the ES config file elasticsearch yml for the network host setting <https www elastic co guide en elasticsearch reference current modules network html>

killahquam · Answer

yup that was it

killahquam · Answer

it wasn t set to accept outside of 127 0 0 1

killahquam · Answer

am getting a kibana error but let me check

defensivedepth · Answer

not sure of your setup but make sure that it isnt publicly accessible now slightly smiling face

killahquam · Answer

yeah

killahquam · Answer

it now works

killahquam · Answer

thanks the issue was i wasn t sending to elasticsearch and directly to logstash < defensivedepth> thank you