Cyb3rWard0g / HELK

The Hunting ELK
GNU General Public License v3.0

Set up Elastalert for Linux machines #570

Open 34tn4ch0 opened 2 years ago

34tn4ch0 commented 2 years ago

Describe the problem

Alerts for Windows machines are working perfectly well. Would there be a way to configure it to show alerts from Windows and Linux (and possibly Mac) machines as well?

I don't know much about Elastalert and ElasticSearch so maybe there's something wrong with what I'm doing.

Any help is appreciated!

Provide the output of the following commands

NAME="Ubuntu"
VERSION="18.04.5 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.5 LTS"
VERSION_ID="18.04"

CONTAINER ID   IMAGE                                                 COMMAND                  CREATED       STATUS          PORTS                                                                        NAMES
a9f2e46ff1f8   otrf/helk-kafka-broker:2.4.0                          "./kafka-entrypoint.…"   2 weeks ago   Up 2 weeks      0.0.0.0:9092->9092/tcp, :::9092->9092/tcp                                    helk-kafka-broker
2f1f64dbf52d   docker.elastic.co/elasticsearch/elasticsearch:7.6.2   "/usr/share/elastics…"   4 weeks ago   Up 2 weeks      0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9300/tcp                          helk-elasticsearch
f3c022eb9850   confluentinc/ksqldb-server:latest                     "/usr/bin/docker/run"    5 weeks ago   Up 2 weeks      0.0.0.0:8088->8088/tcp, :::8088->8088/tcp                                    helk-ksql-server
0570e9f070c8   otrf/helk-spark-worker:2.4.5                          "./spark-worker-entr…"   5 weeks ago   Up 2 weeks                                                                                   helk-spark-worker
103277b34caa   docker_helk-jupyter                                   "/opt/jupyter/script…"   5 weeks ago   Up 2 weeks      8000/tcp, 8888/tcp                                                           helk-jupyter
c4fca1c75982   otrf/helk-zookeeper:2.4.0                             "./zookeeper-entrypo…"   5 weeks ago   Up 2 weeks      2181/tcp, 2888/tcp, 3888/tcp                                                 helk-zookeeper
8a7c58fc32c5   otrf/helk-spark-master:2.4.5                          "./spark-master-entr…"   5 weeks ago   Up 2 weeks      7077/tcp, 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp                          helk-spark-master
0e24cb2b7fde   otrf/helk-elastalert:latest                           "./elastalert-entryp…"   5 weeks ago   Up 43 minutes                                                                                helk-elastalert
9c4847dbaeb1   otrf/helk-nginx:0.3.0                                 "/opt/helk/scripts/n…"   5 weeks ago   Up 2 weeks      0.0.0.0:80->80/tcp, :::80->80/tcp, 0.0.0.0:443->443/tcp, :::443->443/tcp     helk-nginx
5fef22e3ed27   otrf/helk-logstash:7.6.2.1                            "/usr/share/logstash…"   5 weeks ago   Up 2 weeks      0.0.0.0:3515->3515/tcp, :::3515->3515/tcp, 0.0.0.0:5044->5044/tcp, :::5044->5044/tcp, 0.0.0.0:5514->5514/tcp, 0.0.0.0:5514->5514/udp, :::5514->5514/tcp, :::5514->5514/udp, 0.0.0.0:8515-8516->8515-8516/tcp, :::8515-8516->8515-8516/tcp, 0.0.0.0:8531->8531/tcp, :::8531->8531/tcp, 0.0.0.0:8515-8516->8515-8516/udp, :::8515-8516->8515-8516/udp, 9600/tcp   helk-logstash
19b8212601e0   docker.elastic.co/kibana/kibana:7.6.2                 "/usr/share/kibana/s…"   5 weeks ago   Up 2 weeks      5601/tcp                                                                     helk-kibana

What version of HELK are you using

Run the following command from within the HELK repo: git log -1 --oneline

ad752b2 (HEAD -> master, origin/master, origin/HEAD, helk-repo/master) Update jvm.options (#563)

What steps did you take trying to fix the issue

I tried adding a new test rule in /etc/elastalert/rules (converted from a Sigma Rule) and got hits.

Any additional code or log context you would like to provide

Sample Rule

```yaml
# Elastalert rule converted from a Sigma rule. The "debug" alerter only logs
# matches to the console; it does not send them anywhere.
alert:
- debug
description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
filter:
- query:
    query_string:
      # "\*.keyword" is an escaped wildcard field name: the two wildcard terms are
      # searched against every field that has a .keyword subfield, not one named field.
      query: \*.keyword:(*ln\ \-s\ \-f\ \/etc\/passwd* OR *ln\ \-s\ \/etc\/passwd*)
index: logs-indexme-*
name: c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd
priority: 1
realert:
  minutes: 0        # no suppression window: every match produces an alert
type: any           # any document matching the filter is a match
```

Any additional context or input you have

Result of elastalert debug

```
elastalertuser@0e24cb2b7fde:~$ python3 -m elastalert.elastalert --debug --rule test123.yml
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them but remain verbose, use --verbose instead.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:elastalert:Starting up
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999902 seconds
INFO:elastalert:Queried rule c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd from 2021-09-29 10:17 UTC to 2021-09-29 10:32 UTC: 0 / 0 hits
INFO:elastalert:Skipping writing to ES: {'rule_name': 'c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd', 'endtime': '2021-09-29T10:32:43.697022Z', 'starttime': '2021-09-29T10:17:43.697022Z', 'matches': 0, 'hits': 0, '@timestamp': '2021-09-29T10:32:44.428544Z', 'time_taken': 0.7314908504486084}
INFO:elastalert:Ran c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd from 2021-09-29 10:17 UTC to 2021-09-29 10:32 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-09-29 10:33 UTC
INFO:elastalert:Background configuration change check run at 2021-09-29 10:33 UTC
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999808 seconds
INFO:elastalert:Queried rule c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd from 2021-09-29 10:18 UTC to 2021-09-29 10:33 UTC: 2 / 2 hits
INFO:elastalert:Alert for c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd at 2021-09-29T10:33:11.026Z:
INFO:elastalert:Index: logs-indexme-2021.09.29
Event_Timestamp: 2021-09-29T10:33:11.026Z
Beat_Name:
User_Name:
Host_Name:
Log_Name:
Original_Message:

INFO:elastalert:Alert for c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd at 2021-09-29T10:33:11.026Z:
INFO:elastalert:Index: logs-indexme-2021.09.29
Event_Timestamp: 2021-09-29T10:33:11.026Z
Beat_Name:
User_Name:
Host_Name:
Log_Name:
Original_Message:

INFO:elastalert:Skipping writing to ES: {'rule_name': 'c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd', 'endtime': '2021-09-29T10:33:39.337269Z', 'starttime': '2021-09-29T10:18:39.337269Z', 'matches': 2, 'hits': 2, '@timestamp': '2021-09-29T10:33:40.049156Z', 'time_taken': 0.7118685245513916}
INFO:elastalert:Ran c67fc22a-0be5-4b4f-aad5-2b32c4b69523 Symlink Etc Passwd from 2021-09-29 10:18 UTC to 2021-09-29 10:33 UTC: 2 query hits (0 already seen), 2 matches, 0 alerts sent
INFO:elastalert:Background configuration change check run at 2021-09-29 10:34 UTC
INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-09-29 10:34 UTC
INFO:elastalert:Disabled rules are: []
INFO:elastalert:Sleeping for 59.999784 seconds
```
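The sample rule above matches on whatever ends up in a `.keyword` field, so the practical questions for a Linux host are which fields the event carries and whether the command line is short enough to get a keyword term at all. The following script is an added example, not code from HELK, Elastalert or the issue author: it takes the two wildcard terms verbatim from the rule's `query_string`, translates them the way Lucene reads them (backslash-escaped characters are literal, `*` and `?` are wildcards, a keyword term is matched whole), and runs them over constructed Windows-style and Linux-style documents. The document field names (`process_command_line`, `process.command_line`, `host.name`) are assumptions chosen for illustration, and the `ignore_above: 256` limit is Elasticsearch's default for dynamically mapped `.keyword` subfields, emulated here to show a command line the rule would silently miss.

```python
"""Offline emulation of the Elastalert query_string filter from the sample rule.

Added example (not HELK or Elastalert code). Only the two wildcard terms are
taken from the rule; sample documents and their field names are assumptions.
"""
import re
from typing import Any, Dict, Iterator, List, Tuple

# The two wildcard terms from the rule's query_string, verbatim. In Lucene
# syntax "\ ", "\-" and "\/" are escaped literal characters.
RULE_TERMS = [r"*ln\ \-s\ \-f\ \/etc\/passwd*", r"*ln\ \-s\ \/etc\/passwd*"]

# Elasticsearch's default dynamic mapping gives string fields a ".keyword"
# subfield with ignore_above: 256; longer values get no keyword term at all.
KEYWORD_IGNORE_ABOVE = 256


def lucene_wildcard_to_regex(term: str) -> "re.Pattern[str]":
    """Translate one Lucene wildcard term into an anchored regex.

    A backslash makes the next character literal; '*' matches any run of
    characters and '?' exactly one. Everything else is literal.
    """
    parts: List[str] = []
    i = 0
    while i < len(term):
        ch = term[i]
        if ch == "\\" and i + 1 < len(term):
            parts.append(re.escape(term[i + 1]))
            i += 2
            continue
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    # A keyword field stores the whole value as one term, so the pattern must
    # cover the entire value; the leading/trailing '*' in the rule handle that.
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)


COMPILED = [lucene_wildcard_to_regex(t) for t in RULE_TERMS]


def keyword_fields(doc: Dict[str, Any], prefix: str = "") -> Iterator[Tuple[str, str]]:
    """Yield (dotted path, value) for every string leaf that would get a
    .keyword term. This stands in for the rule's '\\*.keyword' field wildcard."""
    for key, value in doc.items():
        if key.startswith("_"):          # _id and friends are metadata, not source
            continue
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            yield from keyword_fields(value, path + ".")
        elif isinstance(value, str) and len(value) <= KEYWORD_IGNORE_ABOVE:
            yield path, value


def matching_fields(doc: Dict[str, Any]) -> List[str]:
    """Return the keyword field paths on which the rule's filter would match."""
    return [path for path, value in keyword_fields(doc)
            if any(rx.match(value) for rx in COMPILED)]


def run_rule(docs: List[Dict[str, Any]]) -> List[Tuple[str, List[str]]]:
    """Emulate one 'type: any' rule run: every matching document is an alert."""
    hits: List[Tuple[str, List[str]]] = []
    for doc in docs:
        fields = matching_fields(doc)
        if fields:
            hits.append((doc["_id"], fields))
    return hits


# Constructed sample events (not real HELK data); field names are assumptions.
SAMPLE_DOCS: List[Dict[str, Any]] = [
    {"_id": "win-1", "host_name": "WS01", "event_id": "1",
     "process_command_line": "C:\\Windows\\System32\\cmd.exe /c whoami"},
    {"_id": "lnx-1", "host": {"name": "srv01"},
     "process": {"command_line": "ln -s -f /etc/passwd /tmp/passwd"}},
    {"_id": "lnx-2", "host": {"name": "srv01"},
     "process": {"command_line": "ls -la /etc/passwd"}},
    # Would match, but the value exceeds ignore_above, so it has no .keyword
    # term and the rule never sees it.
    {"_id": "lnx-3", "host": {"name": "srv02"},
     "process": {"command_line": "ln -s /etc/passwd /tmp/" + "A" * 260}},
]

if __name__ == "__main__":
    for doc_id, fields in run_rule(SAMPLE_DOCS):
        print(f"alert: {doc_id} matched on {', '.join(fields)}")
```

Because the rule searches every `.keyword` field rather than a named one, it fires on Linux events as soon as the command line reaches Elasticsearch as a string, whatever the field is called; what it cannot do is populate alert fields that the Linux event does not carry, which is consistent with the empty `Beat_Name`/`User_Name`/`Host_Name` values in the debug output above. The `lnx-3` document shows the other side: a long command line loses its keyword term under the default mapping and produces no hit.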