jasonish / evebox

Web Based Event Viewer (GUI) for Suricata EVE Events in Elastic Search
https://evebox.org/
MIT License

Connect to a secured Elastic node #165

Closed ngms17 closed 3 years ago

ngms17 commented 3 years ago

Hi.

EveBox is showing the following error:

2021-04-07 11:36:44 ERROR evebox::server::main: Failed to get Elasticsearch version, things may not work right: error=missing authentication credentials for REST request [/]

Maybe because I have a secured ELK stack. My Suricata and ELK are running on different machines. Evebox is installed on the ELK machine. How can I configure Evebox to consume the filebeat index that I have on Elastic?

Thanks

jasonish commented 3 years ago

You'll have to create a configuration parameter to provide a username and password. A minimal configuration file might look like:

database:
  elasticsearch:
    username: my-username
    password: my-password

ngms17 commented 3 years ago

I have filebeat sending suricata logs to the ELK machine that has evebox installed. My config file is this.

# EveBox Server configuration file.

# Path to the data directory. This directory holds data for EveBox
# such as the configuration/user/authentication database, and SQLite
# database files if the sqlite database is being used. It needs to be
# writable by the user EveBox is running as. If not set it will
# default to the current directory.
#data-directory: /var/lib/evebox

# Database configuration.
database:

  # Database type: elasticsearch, sqlite.
  type: elasticsearch

  elasticsearch:
    # Plain http: the Basic-auth username/password below travel in cleartext.
    url: http://elasticip:9200
    # production-style index
    index: filebeat
    # demo-style index
    # index: test-suricata
    # Only meaningful for an https URL; it has no effect over plain http.
    disable-certificate-check: true

    # The keyword to use for terms query. EveBox will do its best to
    # figure this out on its own, but if you need to override it, you
    # can do so here. The usual values are:
    #    raw     -> Logstash / Elastic Search < 5.
    #    keyword -> Logstash / Elastic Search >= 5.
    #    ""      -> Filebeat / Elastic Search >= 5.
    # Note that a quoted empty string is required to force an empty string.
    #keyword: ""

    username: itsnottherealusername
    password: itsnottherealpassword

    # For loading the EveBox template (Logstash compatible) into
    # Elasticsearch. It is recommended to turn this option on if only
    # using EveBox to add events to Elasticsearch. Leave disabled if
    # already using Logstash or Filebeat on the same index.
    #
    # Default: false
    #force-template: false

But I keep getting this error:

Apr 09 10:04:31 suricata-elk01 systemd[1]: Started EveBox Server.
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31  INFO evebox::version: This is EveBox version 0.13.0 (rev: f33d6b5); x86_64-unknown-linux-musl
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31  INFO evebox::server::main: Using temporary in-memory configuration database
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31  INFO evebox::sqlite::init: Initializing SQLite database (configdb)
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31  INFO evebox::sqlite::init: Updating SQLite database to schema version 1 (configdb)
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31 ERROR evebox::server::main: Failed to get Elasticsearch version, things may not work right: error=request: err>
Apr 09 10:04:31 suricata-elk01 evebox[358911]: 2021-04-09 10:04:31  INFO evebox::server::main: Starting server on 127.0.0.1:5636, tls=false

jasonish commented 3 years ago

Can you authenticate to Elasticsearch with curl? For example:

curl -u username:password --basic http://elasticip:9200
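
The check jasonish suggests, reproduced offline as an added example (this is not EveBox, Elasticsearch or curl code, and nothing in it comes from the thread beyond the error text). It builds the same `Authorization: Basic` header that `curl -u user:pass --basic` sends, probes a URL first without and then with credentials, and reports the `error.reason` from the node's JSON body. A small stand-in for a security-enabled node runs on localhost so the example needs no real cluster; its username `evebox`, password `s3cret` and version `7.12.0` are constructed values, and its error texts approximate Elasticsearch's. Point `probe()`/`diagnose()` at `http://elasticip:9200` to run the real check.

```python
import base64
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the local stand-in node (assumption, not from the thread).
MOCK_USER = "evebox"
MOCK_PASSWORD = "s3cret"


def basic_auth_header(username: str, password: str) -> str:
    """Build the header `curl -u user:pass --basic` sends (RFC 7617)."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


class MockSecuredElasticsearch(BaseHTTPRequestHandler):
    """Stand-in for GET / on a node with security enabled (error texts approximate)."""

    def log_message(self, *args):  # keep the example quiet
        pass

    def _send(self, status, body):
        payload = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="security" charset="UTF-8"')
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self):
        auth = self.headers.get("Authorization")
        if auth is None:
            # The exact message EveBox logged in the thread.
            reason = f"missing authentication credentials for REST request [{self.path}]"
            self._send(401, {"error": {"type": "security_exception", "reason": reason}, "status": 401})
        elif auth != basic_auth_header(MOCK_USER, MOCK_PASSWORD):
            reason = f"unable to authenticate user for REST request [{self.path}]"
            self._send(401, {"error": {"type": "security_exception", "reason": reason}, "status": 401})
        else:
            # Constructed version document; EveBox reads version.number from here.
            self._send(200, {"name": "mock-node", "version": {"number": "7.12.0"}})


def start_mock_server():
    """Start the stand-in on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockSecuredElasticsearch)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def probe(url, username=None, password=None, timeout=5):
    """GET url like `curl -u`; return (status, version.number) or (status, error.reason)."""
    req = urllib.request.Request(url)
    if username is not None:
        req.add_header("Authorization", basic_auth_header(username, password or ""))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read())
            return resp.status, body.get("version", {}).get("number")
    except urllib.error.HTTPError as e:
        try:
            reason = json.loads(e.read())["error"]["reason"]
        except (ValueError, KeyError, TypeError):
            reason = str(e.reason)
        return e.code, reason


def diagnose(url, username, password):
    """Run the thread's two checks in order and return a one-line verdict."""
    status, reason = probe(url)
    if status == 200:
        return "security disabled: node answered without credentials"
    if status != 401:
        return f"unexpected {status}: {reason}"
    status, reason = probe(url, username, password)
    if status == 200:
        return f"ok: credentials accepted by version {reason}; use them in database.elasticsearch.username/password"
    return f"rejected: {reason}"


if __name__ == "__main__":
    server, url = start_mock_server()
    try:
        print(probe(url))
        print(probe(url, MOCK_USER, "wrong"))
        print(diagnose(url, MOCK_USER, MOCK_PASSWORD))
    finally:
        server.shutdown()
        server.server_close()
```

If `diagnose()` says "ok" against the real node but EveBox still logs the error, the credentials are not the problem; as the thread goes on to establish, the running service may simply not be reading the configuration file that holds them.
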

ngms17 commented 3 years ago

Yes I can. What am I supposed to do with the "example" config files?

jasonish commented 3 years ago

The way curl authenticates to Elasticsearch is very similar to how EveBox would. Presumably, if you can connect to Elasticsearch using curl -u, then providing that same login information to EveBox should also log in.

It looks like you are running EveBox from systemd, did you update the configuration to read the configuration file?

ngms17 commented 3 years ago

Maybe that's the problem, because EveBox is always listening on a different address.

How can I do that?

jasonish commented 3 years ago

I'm not sure how EveBox would always be listening on a different address. It binds to localhost by default, but the --host option can change this.

Anyways, if using the Debian packages you can edit /etc/default/evebox to set command line options such as the configuration file. For the RPMs the file is /etc/sysconfig/evebox.

jasonish commented 3 years ago

Closing as I think all these issues are resolved. Please open a more specific issue if still having problems. Thanks!

nimaforoughi commented 2 years ago

I am running a Security Onion 2.3.91 VM, and it is a secured one running on Docker. How can I integrate or add EveBox to the existing Elasticsearch?