Need help with combining Helk + filebeat + zeek

[acj014]

Hey, i installed everything (option 4) and i want to connect my zeek logs to Helk now, which i tried to do with the manual from kibana/tutorial/zeekLogs, the problem is that i cannot find my elasticsearch url. Also i had to disable ssl.verification_mode in filebeat to talk to my "self created certificate". Which port should elasticsearch run on ? I see that under docker ps the elasticsearch machine uses 9200 which is not forwarded to my local system. Should i just enter https://localhost:443 or is it something different ?

Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://192.168.228.118:443/elasticsearch: 404 Not Found: {"statusCode":404,"error":"Not Found","message":"Not Found"}]

Thats my current error...

[Cyb3rWard0g]

Hey @acj014 ! Yeah Elasticsearch is not exposed via Docker. We do not enable it by default. however, you can do it by modifying the helk-ekasticsearch service in the docker compose file you use. For example: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-kibana-analysis-basic.yml#L4 . You can add something similar to what we have in the helk-logstash service in the docker compose file: https://github.com/Cyb3rWard0g/HELK/blob/master/docker/helk-kibana-analysis-basic.yml#L58

[acj014]

Thanks for the fast reply. I did the exposal by myself yesterday and tried to send the zeek logs directly with filebeat to elasticsearch on port 9200. Filebeat Service is running, and i dont get any errors, but there wont appear any data on my kibana zeek dashboard. Is this the way its supposed to be ? Or should i send any logs to kafka or logstash ? See attached my zeek.yml and filebeat.yml filebeat.yml.txt Zeek.yml.txt