hi all, anyone using osquery module in filebeat wi...
# generalk
killahquam
08/10/2018, 9:03 PMhi all, anyone using osquery module in filebeat with ELK. all my fields in kibana starts with json. i.e json.host_identifier despite having var.namespace: true
d
defensivedepth
08/11/2018, 1:35 PMvar.use_namespace should be true by default. I have not set it, and I am seeing expected results (ie osquery.result)
k
killahquam
08/13/2018, 7:48 AM@defensivedepth not for me, a lot of items are starting as json.host_Identifier, etc
d
defensivedepth
08/13/2018, 11:34 AMWhat does your osquery module config look like? Also what version are you running?
k
killahquam
08/13/2018, 4:51 PM@defensivedepth filbeat version 6.3.2
killahquam
08/13/2018, 4:51 PMfilebeat.modules:
- module: osquery
result:
enabled: true
var.paths: [“/tmp/osquery_result”]
var.use_namespace: true
d
defensivedepth
08/13/2018, 4:58 PMhmmm. Are you doing any processing in Filebeat before outputting? Also, what does your FB output look like?
k
killahquam
08/13/2018, 5:12 PMi dont think so, the FB output from /logs u mean ?
killahquam
08/13/2018, 5:12 PMthat looks normal
d
defensivedepth
08/13/2018, 5:21 PMUnder your FB Outputs, are you sending directly to ES?
k
killahquam
08/13/2018, 5:23 PMlogstash
killahquam
08/13/2018, 5:24 PMshould it be to ES instead?
d
defensivedepth
08/13/2018, 5:29 PMWell, that is probably the issue. iirc, the osquery module uses the ES ingest node, so that is probably where some of that of that normalization is happening.
k
killahquam
08/13/2018, 5:30 PMso, send the data from filebeat to ES and then ES will deal with the rest ?
killahquam
08/13/2018, 5:30 PMlet me try
d
defensivedepth
08/13/2018, 7:01 PMYes, try that
k
killahquam
08/13/2018, 8:00 PMnope gave me an error
killahquam
08/13/2018, 8:00 PMthat connection refused but i know 9200 is open and listening
killahquam
08/13/2018, 8:00 PMits from one box to another
d
defensivedepth
08/13/2018, 8:20 PMCan you do a successful ‘curl ElasticHost:9200’ from the FB system?
k
killahquam
08/13/2018, 8:27 PMnope connection refused
killahquam
08/13/2018, 8:27 PMbut on the elk box same this does output
killahquam
08/13/2018, 8:28 PMso i think it just not listening outside of itself
d
defensivedepth
08/13/2018, 8:31 PMCheck the ES config file (elasticsearch.yml) for the network.host setting. https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-network.html
k
killahquam
08/13/2018, 8:31 PMyup that was it
killahquam
08/13/2018, 8:31 PMit wasn’t set to accept outside of 127.0.0.1
killahquam
08/13/2018, 8:31 PMam getting a kibana error but let me check
d
defensivedepth
08/13/2018, 8:32 PMnot sure of your setup, but make sure that it isnt publicly accessible now 🙂
k
killahquam
08/13/2018, 8:32 PMyeah
killahquam
08/13/2018, 8:39 PMit now works
killahquam
08/13/2018, 8:39 PMthanks the issue was i wasn’t sending to elasticsearch and directly to logstash @defensivedepth thank you
🍻 1
16 Views