fastlorenzo / redelk-ansible

Ansible roles to deploy RedELK
BSD 3-Clause "New" or "Revised" License

WORKING: v2.0 beta 6 #2

Open Zarci opened 1 month ago

Zarci commented 1 month ago

Here are a few of the things I had to change with this project to make it work with v2 Beta 6:

First, here is the values.yaml I'm running off of:

```yaml
redelk_repo: "fastlorenzo"
redelk_version: "master"
docker_container_version: "latest"
```

`redelk_repo: "fastlorenzo"` - it's (probably) possible to use the outflanking repo; I just used this because the docker containers that get cloned are also based on this, and Lorenzo's has the Kibana app.

1. If you are hosting this in the cloud (C2 servers & redirectors), there is a problem with the certs against the domains you may be using.

After the RedELK repo gets cloned:

- Change the contents of RedELK/config.cnf to include your IPs/domains.
- Then run the initial-setup.sh script to generate the certs.
- Then edit the docker-env.j2 file with the following change:

```
# CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.pkcs8.key
# CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.crt
CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/redelk-main/certs/elkserver.key
CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/redelk-main/certs/elkserver.crt
```

Lastly, in each of the beat.yml's, change how the CA file is copied over to something like:

```yaml
src: "{{ redelk_repo_path }}/certs/redelkCA.crt" # "{{ redelk_cert_path }}/ca/ca.crt"
```

You may need to add a variable in values.yaml

2. The filebeat config file filebeat.yml.j2 needs to have the following change:

Before:

```yaml
path: /etc/filebeat/conf.d/*.yml
```

After:

```yaml
path: /etc/filebeat/inputs.d/*.yml
```

3. Docker is a little outdated in the Ansible scripts, but that can all be fixed with a simple Google search.

Note: there is probably something else I forgot and will add later, but this should give you a decent head start.

Feel free to comment any questions. I'll try my best to respond.
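As an added check for the certificate problem in item 1 (example code written for this page, not part of redelk-ansible or RedELK): a beat connecting to Logstash by public hostname or IP needs that name in the certificate's Subject Alternative Name, so after initial-setup.sh has produced elkserver.crt you can verify coverage with `openssl x509 -checkhost` / `-checkip` instead of waiting for the beats to fail the handshake. The script builds a throwaway self-signed cert so it runs stand-alone; `ELK_DNS`, `ELK_IP` and the redirector name are placeholder values, not anything from the project.

```sh
#!/bin/sh
# Added example, not from redelk-ansible or RedELK: build a throwaway Logstash
# server certificate whose SAN lists the public name and IP the beats will use,
# then check coverage the way a TLS client would. In a real deployment point
# cert_covers_* at RedELK/certs/elkserver.crt instead of the generated file.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ELK_DNS="redelk.example.com"   # assumed RedELK hostname (placeholder)
ELK_IP="203.0.113.10"          # assumed public IP, documentation range (placeholder)

# Self-signed cert with both a DNS and an IP SAN (OpenSSL 1.1.1+ for -addext).
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORKDIR/elkserver.key" -out "$WORKDIR/elkserver.crt" \
    -subj "/CN=$ELK_DNS" \
    -addext "subjectAltName=DNS:$ELK_DNS,IP:$ELK_IP" >/dev/null 2>&1
}

# Exit 0 when the certificate's SAN covers the hostname, 1 otherwise.
cert_covers_host() {
  openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Same check for an IP SAN: a beat configured with an IP needs this entry,
# the DNS entry does not help it.
cert_covers_ip() {
  openssl x509 -noout -in "$1" -checkip "$2" 2>/dev/null | grep -q ' does match '
}

# Print the SAN extension so it can be compared with config.cnf by eye.
show_san() {
  openssl x509 -noout -in "$1" -ext subjectAltName
}

gen_cert
show_san "$WORKDIR/elkserver.crt"
# "redir1.example.net" is a placeholder for a redirector that was not added to config.cnf.
for target in "$ELK_DNS" "redir1.example.net"; do
  if cert_covers_host "$WORKDIR/elkserver.crt" "$target"; then
    echo "OK   $target is covered by the certificate"
  else
    echo "FAIL $target is not covered; add it to config.cnf and rerun initial-setup.sh"
  fi
done
```

The same two functions work against any PEM certificate, so they can also be run on the redirector side against the CA-signed cert the beats are given, before the Ansible run copies it over.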

fortbridge commented 1 month ago

@Zarci are the pipelines working for you?

Zarci commented 1 month ago

Yep! I have filebeat working.

Send me your errors.

adrian-rt commented 1 month ago

@Zarci

```
in the "Index pattern" section of the rule definition, however no index matching: ["rtops-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "[T1100] Web Shell" id: "bb08cba0-4864-11ef-bf95-5f3c3e5f75df" rule id: "redelk-rule-T1100" signals index: ".siem-signals-default"
```

Here's another error from ES:

```
"message": "received plaintext http traffic on an https channel"
```

Zarci commented 1 month ago

@adrian-rt

Your first error looks like it's coming from the MITRE detection rules. Make sure your configuration for your source log has the correct type.

Cobalt Strike example:

```yaml
fields:
  infra:
    attack_scenario: {{ attack_scenario }}
    log:
      type: rtops
```

As for your second error: Are you using a docker elk stack?
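As an added example for the point above (written for this page; not code from redelk-ansible or RedELK): the rtops-* warning from the detection rule means no event has arrived with the type that fragment sets, and the usual culprits are a missing or mis-nested `fields.infra.log.type`, or an `attack_scenario` placeholder that Ansible never rendered. The script below lints Filebeat input fragments for exactly those mistakes. It carries a small indentation-based parser for the YAML subset these fragments use (nested mappings, lists, plain and quoted scalars) so it runs without PyYAML; the three fragments are constructed samples modelled on the structure quoted above, not files from the project.

```python
"""Added example, not from redelk-ansible or RedELK: lint Filebeat input
fragments for the fields.infra.log.type value that RedELK's rtops-* index and
MITRE detection rules depend on. Sample fragments are constructed, not real."""
import re

# Constructed samples (not project files), modelled on the structure quoted above.
FRAGMENTS = {
    # Correct: type under fields.infra.log, attack_scenario rendered by Ansible
    "filebeat-cobaltstrike.yml": """\
- type: log
  enabled: true
  paths:
    - /opt/cobaltstrike/logs/*/*.log
  fields:
    infra:
      attack_scenario: op-summer
      log:
        type: rtops
""",
    # Broken: log.type missing and the Jinja placeholder was never rendered
    "filebeat-sliver.yml": """\
- type: log
  paths:
    - /opt/sliver/logs/*.log
  fields:
    infra:
      attack_scenario: "{{ attack_scenario }}"
""",
    # Broken: type is one level too high (fields.log instead of fields.infra.log)
    "filebeat-misnested.yml": """\
- type: log
  paths:
    - /var/log/example.log
  fields:
    infra:
      attack_scenario: op-summer
    log:
      type: rtops
""",
}


def _scalar(val):
    """Turn a plain or quoted YAML scalar into a Python value."""
    if len(val) >= 2 and val[0] == val[-1] and val[0] in "'\"":
        return val[1:-1]
    low = val.lower()
    if low in ("true", "yes"):
        return True
    if low in ("false", "no"):
        return False
    if low in ("null", "~"):
        return None
    try:
        return int(val)
    except ValueError:
        return val


def _parse_block(lines, i):
    indent = lines[i][0]
    if lines[i][1].startswith("- "):
        return _parse_list(lines, i, indent)
    return _parse_map(lines, i, indent)


def _parse_map(lines, i, indent):
    out = {}
    while i < len(lines) and lines[i][0] == indent and not lines[i][1].startswith("- "):
        key, _, val = lines[i][1].partition(":")
        val = val.strip()
        i += 1
        nested = i < len(lines) and (
            lines[i][0] > indent
            or (lines[i][0] == indent and lines[i][1].startswith("- ")))
        if val:
            out[key.strip()] = _scalar(val)
        elif nested:
            out[key.strip()], i = _parse_block(lines, i)
        else:
            out[key.strip()] = None
    return out, i


def _parse_list(lines, i, indent):
    out = []
    while i < len(lines) and lines[i][0] == indent and lines[i][1].startswith("- "):
        item = lines[i][1][2:].strip()
        if re.match(r"^[\w.-]+:(\s|$)", item):
            # "- key: value" opens a mapping; its siblings sit two columns further in
            lines[i] = (indent + 2, item)
            mapping, i = _parse_map(lines, i, indent + 2)
            out.append(mapping)
        else:
            out.append(_scalar(item))
            i += 1
    return out, i


def parse_yaml_subset(text):
    """Parse the YAML subset Filebeat fragments use: no anchors, flow style or
    multi-line scalars. Comments and blank lines are dropped first."""
    lines = []
    for raw in text.splitlines():
        body = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if body.strip():
            lines.append((len(body) - len(body.lstrip()), body.strip()))
    if not lines:
        return None
    value, _ = _parse_block(lines, 0)
    return value


def _dig(node, *keys):
    for k in keys:
        if not isinstance(node, dict):
            return None
        node = node.get(k)
    return node


def lint_fragment(name, text):
    """Return the list of problems that would keep events out of the rtops-* index."""
    problems = []
    inputs = parse_yaml_subset(text)
    if not isinstance(inputs, list):
        return [f"{name}: expected a list of inputs at top level"]
    for n, inp in enumerate(inputs):
        if not _dig(inp, "fields", "infra", "log", "type"):
            problems.append(f"{name} input {n}: fields.infra.log.type is missing, "
                            "so events will not be typed (e.g. rtops) for the pipeline")
        scenario = _dig(inp, "fields", "infra", "attack_scenario")
        if scenario is None:
            problems.append(f"{name} input {n}: fields.infra.attack_scenario is missing")
        elif "{{" in str(scenario):
            problems.append(f"{name} input {n}: attack_scenario is an unrendered "
                            f"Jinja template: {scenario}")
        if not _dig(inp, "paths"):
            problems.append(f"{name} input {n}: no paths configured")
    return problems


def lint_all(fragments=FRAGMENTS):
    return {name: lint_fragment(name, text) for name, text in fragments.items()}


if __name__ == "__main__":
    for name, problems in lint_all().items():
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Run it against the rendered files in /etc/filebeat/inputs.d/ on the C2 host (read each file and pass it to `lint_fragment`) before checking Kibana: an empty result for every fragment rules out the input side, which leaves the Logstash pipeline or the output as the reason an index never appears.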

adrian-rt commented 1 month ago

@Zarci Using Sliver; I've commented out Cobalt Strike and the others. The type seems OK.

Yes, using docker elk stack. This is the default from what I'm seeing, isn't it?

Zarci commented 1 month ago

@adrian-rt Yeah, it's the default...

I'm sorry, but this issue is strictly about helping get the existing redelk-ansible project working.

I think the issue you're facing is because of how you've customized your RedELK instance. Without the entire codebase, it's going to be difficult to trace your issue, because all I have to compare against is what is open source.

adrian-rt commented 1 month ago

@Zarci

That's fine, no worries. I did a very minor change to the original RedELK, you can see it in the other ticket raised (ports related). Where are the indices created for ES in this project? I just don't see it and they're not created for me.