Required config for SSL config for ELK
We configured ELK with SSL. How do we configure ElastAlert with SSL-based authentication? Please share the SSL parameters to pass in config.json and elastalert.yaml.
Kibana.yml

[root@elk-logging elastalert]# cat /etc/kibana/kibana.yml
server.host: "elk-logging"
server.port: 5601
elasticsearch.hosts: ["https://elk-logging.xxcxcx.net:9200"]
elasticsearch.password: XXXXXCXCX

# Elasticsearch from/to Kibana
elasticsearch.ssl.certificateAuthorities: /etc/kibana/certs/ca/ca.crt
elasticsearch.ssl.certificate: /etc/kibana/certs/kibana.crt
elasticsearch.ssl.key: /etc/kibana/certs/kibana.key
elasticsearch.ssl.verificationMode: none

# Browser from/to Kibana
server.ssl.enabled: true
server.ssl.certificate: /etc/kibana/certs/kibana.crt
server.ssl.key: /etc/kibana/certs/kibana.key

# Elasticsearch authentication
xpack.security.enabled: true
elasticsearch.username: elastic
server.defaultRoute: /app/wazuh

#Elastalert Hosts
elastalert-kibana-plugin.serverHost: elk-logging
elastalert-kibana-plugin.serverPort: 3030
elastalert -- config

[root@elk-logging config]# cat config.json
{
  "appName": "elastalert-server",
  "port": 3030,
  "wsport": 3333,
  "elastalertPath": "/opt/elastalert",
  "verbose": true,
  "es_debug": true,
  "debug": true,
  "rulesPath": {
    "relative": true,
    "path": "/rules"
  },
  "templatesPath": {
    "relative": true,
    "path": "/rule_templates"
  },
  "es_host": "elk-logging",
  "es_username": "elastic", // Option basic-auth username and password for Elasticsearch
  "es_password": "XXXXXCXCX", // Option basic-auth username and password for Elasticsearch
  "es_ssl": true, // Enable/Disable SSL
  "es_ca_certs": "/etc/elasticsearch/certs/ca/ca.crt", // Path to ca for ElasticSearch (SSL must be enabled)
  "es_client_cert": "/etc/elasticsearch/certs/elasticsearch.crt", // Path to cert for ElasticSearch (SSL must be enabled)
  "es_client_key": "/etc/elasticsearch/certs/elasticsearch.key", // Path to key for ElasticSearch (SSL must be enabled)
  "es_port": 9200,
  "writeback_index": "elastalert_status"
}
Elastalert Elasticsearch.yaml

# The elasticsearch hostname for metadata writeback
# Note that every rule can have its own elasticsearch host
es_host: elk-logging

# The elasticsearch port
es_port: 9200

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 5

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1

# Optional URL prefix for elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to elasticsearch
use_ssl: True

# Verify TLS certificates
verify_certs: True
client_cert: "/etc/elasticsearch/certs/elasticsearch.crt"
client_key: "/etc/elasticsearch/certs/elasticsearch.key"
ca_certs: "/etc/elasticsearch/certs/ca/ca.crt"

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for elasticsearch
es_username: elastic
es_password: XXXXXXCXXX

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
[root@elk-logging elastalert]# docker start --interactive elastalert

> @bitsensor/[email protected] start /opt/elastalert-server
> sh ./scripts/start.sh

14:31:12.693Z  INFO elastalert-server: Config: No config.dev.json file was found in /opt/elastalert-server/config/config.dev.json.
14:31:12.696Z  INFO elastalert-server: Config: Proceeding to look for normal config file.
14:31:12.697Z  INFO elastalert-server: Config: A config file was found in /opt/elastalert-server/config/config.json. Using that config.
14:31:12.720Z  INFO elastalert-server: Router: Listening for GET request on /.
14:31:12.720Z  INFO elastalert-server: Router: Listening for GET request on /status.
14:31:12.721Z  INFO elastalert-server: Router: Listening for GET request on /status/control/:action.
14:31:12.721Z  INFO elastalert-server: Router: Listening for GET request on /status/errors.
14:31:12.721Z  INFO elastalert-server: Router: Listening for GET request on /rules.
14:31:12.723Z  INFO elastalert-server: Router: Listening for GET request on /rules/:id.
14:31:12.723Z  INFO elastalert-server: Router: Listening for POST request on /rules/:id.
14:31:12.723Z  INFO elastalert-server: Router: Listening for DELETE request on /rules/:id.
14:31:12.723Z  INFO elastalert-server: Router: Listening for GET request on /templates.
14:31:12.723Z  INFO elastalert-server: Router: Listening for GET request on /templates/:id.
14:31:12.724Z  INFO elastalert-server: Router: Listening for POST request on /templates/:id.
14:31:12.724Z  INFO elastalert-server: Router: Listening for DELETE request on /templates/:id.
14:31:12.724Z  INFO elastalert-server: Router: Listening for POST request on /test.
14:31:12.724Z  INFO elastalert-server: Router: Listening for GET request on /config.
14:31:12.724Z  INFO elastalert-server: Router: Listening for POST request on /config.
14:31:12.724Z  INFO elastalert-server: Router: Listening for POST request on /download.
14:31:12.724Z  INFO elastalert-server: Router: Listening for GET request on /metadata/:type.
14:31:12.725Z  INFO elastalert-server: Router: Listening for GET request on /mapping/:index.
14:31:12.725Z  INFO elastalert-server: Router: Listening for POST request on /search/:index.
14:31:12.742Z ERROR elastalert-server:
Server: Starting server failed with error: TypeError: object must be passed
    at module.exports (/opt/elastalert-server/node_modules/object-resolve-path/object-resolve-path.js:13:11)
    at ServerConfig.get (/opt/elastalert-server/src/common/config/server_config.js:32:12)
    at /opt/elastalert-server/src/elastalert_server.js:67:58
    at /opt/elastalert-server/src/common/config/server_config.js:60:9
    at Array.forEach (
TypeError: Cannot read property 'clients' of null
    at Timeout._onTimeout (/opt/elastalert-server/src/common/websocket.js:22:7)
    at listOnTimeout (internal/timers.js:531:17)
    at processTimers (internal/timer
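Before wiring ElastAlert to Elasticsearch over TLS, two things are worth checking with the files and settings posted above. This is an added example, not code from the original post or from the ElastAlert, Kibana or elastalert-server projects. First, it loads the CA bundle and the client cert/key pair into an SSLContext exactly as a verifying TLS client would, so a missing (or unmounted) file, a non-PEM file, or a key that does not match the certificate is reported before any request is sent. Second, it cross-checks the two Elasticsearch clients shown above: kibana.yml sets elasticsearch.ssl.verificationMode: none, which disables certificate verification even though a CA file is configured, and Kibana addresses Elasticsearch by the FQDN while ElastAlert uses the short hostname, which with verify_certs: True only works if the server certificate's SAN covers both names. The two config dicts are transcribed from the configs posted above; the function names, and the /nonexistent paths used in the assertions, are my own.

```python
"""Pre-flight checks for the TLS material and settings ElastAlert and Kibana use
to reach Elasticsearch. Added example; not part of the original post or of the
ElastAlert / Kibana / elastalert-server projects."""
import ssl
from urllib.parse import urlparse

# Transcribed from the kibana.yml posted above (dotted keys as in the file).
KIBANA_YML = {
    "elasticsearch.hosts": ["https://elk-logging.xxcxcx.net:9200"],
    "elasticsearch.ssl.certificateAuthorities": "/etc/kibana/certs/ca/ca.crt",
    "elasticsearch.ssl.certificate": "/etc/kibana/certs/kibana.crt",
    "elasticsearch.ssl.key": "/etc/kibana/certs/kibana.key",
    "elasticsearch.ssl.verificationMode": "none",
}

# Transcribed from the ElastAlert config posted above.
ELASTALERT_YML = {
    "es_host": "elk-logging",
    "es_port": 9200,
    "use_ssl": True,
    "verify_certs": True,
    "ca_certs": "/etc/elasticsearch/certs/ca/ca.crt",
    "client_cert": "/etc/elasticsearch/certs/elasticsearch.crt",
    "client_key": "/etc/elasticsearch/certs/elasticsearch.key",
}


def check_tls_material(ca_certs, client_cert=None, client_key=None):
    """Load the CA bundle and the client cert/key pair into an SSLContext the way
    a verifying TLS client does. Returns a list of problems; an empty list means
    the files exist, parse as PEM and the private key matches the certificate."""
    problems = []
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    try:
        ctx.load_verify_locations(cafile=ca_certs)
    except ssl.SSLError as exc:          # file exists but is not a PEM CA bundle
        problems.append(f"ca_certs {ca_certs}: not a usable CA bundle ({exc.reason})")
    except OSError as exc:               # missing or unreadable, e.g. not mounted
        problems.append(f"ca_certs {ca_certs}: {exc}")
    if client_cert or client_key:
        if not (client_cert and client_key):
            problems.append("client_cert and client_key must be set together")
        else:
            try:
                ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
            except ssl.SSLError as exc:  # bad PEM, or KEY_VALUES_MISMATCH
                problems.append(f"client cert/key rejected: {exc.reason}")
            except OSError as exc:
                problems.append(f"client cert/key: {exc}")
    return problems


def compare_es_clients(kibana, elastalert):
    """Cross-check how the two clients reach the same Elasticsearch cluster."""
    findings = []
    mode = str(kibana.get("elasticsearch.ssl.verificationMode", "full")).lower()
    if mode == "none":
        findings.append("kibana: elasticsearch.ssl.verificationMode is 'none', so Kibana "
                        "sends the elastic password to whatever answers on port 9200")
    if not elastalert.get("use_ssl"):
        findings.append("elastalert: use_ssl is off; es_username/es_password travel in cleartext")
    elif not elastalert.get("verify_certs", True):
        findings.append("elastalert: verify_certs is off; the CA in ca_certs is never consulted")
    kibana_hosts = {urlparse(h).hostname for h in kibana.get("elasticsearch.hosts", [])}
    es_host = elastalert.get("es_host")
    if es_host and kibana_hosts and es_host not in kibana_hosts:
        findings.append(f"elastalert es_host {es_host!r} differs from Kibana's {sorted(kibana_hosts)}; "
                        "with verify_certs on, the server certificate's SAN must list the "
                        "name each client connects to")
    return findings


if __name__ == "__main__":
    for finding in compare_es_clients(KIBANA_YML, ELASTALERT_YML):
        print("FINDING:", finding)
    for problem in check_tls_material(ELASTALERT_YML["ca_certs"],
                                      ELASTALERT_YML["client_cert"],
                                      ELASTALERT_YML["client_key"]):
        print("TLS:", problem)
```

Run it on the host before starting the container (and again inside the container, with the paths the container sees) so that "file not found" is distinguished from "wrong file" before the server logs are consulted. One further caveat on the posted settings: the client_cert/client_key given to ElastAlert are the Elasticsearch node's own certificate and private key, so the alerting service ends up holding the node's identity; a separate client certificate issued by the same CA keeps that key where it belongs.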
kibana.yml configurations -
elastalert-kibana-plugin.serverHost: <HostName.Domain.com>
elastalert-kibana-plugin.serverPort: 443
elastalert-kibana-plugin.serverSsl: true
Is it Docker? What Docker image name is specified for elastalert-server?
If you do not delete the comments after "//", an error should occur. Also, are the es_ca_certs, es_client_cert, and es_client_key files mounted when the Docker container is started, so that they can be referenced from within the container?
"es_username": "elastic", // Option basic-auth username and password for Elasticsearch
"es_password": "XXXXXCXCX", // Option basic-auth username and password for Elasticsearch
"es_ssl": true, // Enable/Disable SSL
"es_ca_certs": "/etc/elasticsearch/certs/ca/ca.crt", // Path to ca for ElasticSearch (SSL must be enabled)
"es_client_cert": "/etc/elasticsearch/certs/elasticsearch.crt", // Path to cert for ElasticSearch (SSL must be enabled)
"es_client_key": "/etc/elasticsearch/certs/elasticsearch.key", // Path to key for ElasticSearch (SSL must be enabled)
after
"es_username": "elastic",
"es_password": "XXXXXCXCX",
"es_ssl": true,
"es_ca_certs": "/etc/elasticsearch/certs/ca/ca.crt",
"es_client_cert": "/etc/elasticsearch/certs/elasticsearch.crt",
"es_client_key": "/etc/elasticsearch/certs/elasticsearch.key",
As a precaution when debugging, note that the alert will not be skipped if debug is set to true in config.json of ElastAlert Server.
example
"es_debug": false,
"debug": false,
I think that elastalert-kibana-plugin has been discontinued, so I don't think it will be fixed even if it doesn't work due to a bug.
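The two points in this reply, as an added example that is not part of the original thread or of elastalert-server: a small Python script that shows why strict json.loads rejects the posted config.json (the // comments), strips them without touching the // inside URL strings, and then checks whether the es_ca_certs, es_client_cert and es_client_key paths fall inside any directory mounted into the container, given the container-side targets of the docker -v options. The sample config is the one posted above, reformatted one key per line; the mount lists are hypothetical, and the function names are my own.

```python
"""Load an elastalert-server config.json that (invalidly) carries // comments and
check that the certificate paths it references lie inside a directory mounted into
the container. Added example; not code from the original post or from
elastalert-server / bitsensor/elastalert."""
import json
import posixpath

# Constructed sample: the config.json posted in the thread, one key per line, with
# its // comments kept. The password is the placeholder from the post.
SAMPLE_CONFIG_JSON = """{
  "appName": "elastalert-server",
  "port": 3030,
  "wsport": 3333,
  "elastalertPath": "/opt/elastalert",
  "verbose": true,
  "es_debug": true,
  "debug": true,
  "rulesPath": { "relative": true, "path": "/rules" },
  "templatesPath": { "relative": true, "path": "/rule_templates" },
  "es_host": "elk-logging",
  "es_username": "elastic", // Option basic-auth username and password for Elasticsearch
  "es_password": "XXXXXCXCX", // Option basic-auth username and password for Elasticsearch
  "es_ssl": true, // Enable/Disable SSL
  "es_ca_certs": "/etc/elasticsearch/certs/ca/ca.crt", // Path to ca for ElasticSearch (SSL must be enabled)
  "es_client_cert": "/etc/elasticsearch/certs/elasticsearch.crt", // Path to cert for ElasticSearch (SSL must be enabled)
  "es_client_key": "/etc/elasticsearch/certs/elasticsearch.key", // Path to key for ElasticSearch (SSL must be enabled)
  "es_port": 9200,
  "writeback_index": "elastalert_status"
}
"""

CERT_KEYS = ("es_ca_certs", "es_client_cert", "es_client_key")


def strip_line_comments(text):
    """Drop // comments that sit outside JSON string literals; "https://..." survives."""
    out, i, n, in_str, escaped = [], 0, len(text), False, False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif ch == "/" and text.startswith("//", i):
            nl = text.find("\n", i)          # skip to end of line, keep the newline
            i = n if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def load_server_config(text):
    """Parse as strict JSON first (what the server does); on failure retry with the
    comments stripped. Returns (config, had_comments)."""
    try:
        return json.loads(text), False
    except json.JSONDecodeError:
        return json.loads(strip_line_comments(text)), True


def unmounted_cert_paths(config, container_mounts):
    """Return (key, path) for every cert path that lies under none of the
    container-side mount points (the target half of each docker -v host:target)."""
    missing = []
    targets = [posixpath.normpath(m) for m in container_mounts]
    for key in CERT_KEYS:
        path = config.get(key)
        if not path:
            continue
        norm = posixpath.normpath(path)
        covered = any(norm == t or norm.startswith(t.rstrip("/") + "/") for t in targets)
        if not covered:
            missing.append((key, path))
    return missing


if __name__ == "__main__":
    cfg, had_comments = load_server_config(SAMPLE_CONFIG_JSON)
    print("comments present (strict JSON rejects the file):", had_comments)
    # Hypothetical mounts: only the rules and config directories, as a typical
    # docker run line for this image would provide.
    for key, path in unmounted_cert_paths(cfg, ["/opt/elastalert/rules", "/opt/elastalert/config"]):
        print(f"{key} -> {path} is not inside any mounted directory")
```

The second check is the one to run against the actual docker run or compose file: if all three cert paths come back as unmounted, the server will fail to open them regardless of how config.json is written, and the error will not say which of the two problems it is.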
> Is it Docker? What Docker image name is specified for elastalert-server?
With the latest image bitsensor/elastalert:3.0.0-beta.0
> I think that elastalert-kibana-plugin has been discontinued, so I don't think it will be fixed even if it doesn't work due to a bug.
Any alternative tool for a GUI-based Kibana alert plugin?
> With the latest image bitsensor/elastalert:3.0.0-beta.0
bitsensor/elastalert does not have the following settings. These are settings added in the fork johnsusek/elastalert-server (formerly ServerCentral/elastalert-server).
"es_ssl": true,
"es_ca_certs": "/etc/elasticsearch/certs/ca/ca.crt",
"es_client_cert": "/etc/elasticsearch/certs/elasticsearch.crt",
"es_client_key": "/etc/elasticsearch/certs/elasticsearch.key",
> Any alternative tool for a GUI-based Kibana alert plugin?
Praeco. By the way, I'm the co-maintainer of Praeco. https://github.com/johnsusek/praeco
By the way, I'm also the co-maintainer of johnsusek / elastalert-server. https://github.com/johnsusek/elastalert-server
It forks elastalert-kibana-plugin and supports up to Kibana 7.9.3. It needs to be remade to support Kibana 7.10 or later, and it has not been started yet. https://github.com/nsano-rururu/elastalert-kibana-plugin
> It forks elastalert-kibana-plugin and supports up to Kibana 7.9.3. It needs to be remade to support Kibana 7.10 or later, and it has not been started yet. https://github.com/nsano-rururu/elastalert-kibana-plugin
By the way, I am using Kibana version 7.9.3 for the elastalert kibana plugin.
> It forks elastalert-kibana-plugin and supports up to Kibana 7.9.3. It needs to be remade to support Kibana 7.10 or later, and it has not been started yet. https://github.com/nsano-rururu/elastalert-kibana-plugin
Looking for it ASAP. Thanks for the quick reply and response.
Ask a question in the repository you are maintaining: https://github.com/Karql/elastalert-kibana-plugin