peasead / elastic-container

Stand up a simple Elastic container with Kibana, Fleet, and the Detection Engine
Apache License 2.0

[BUG] Detection Engine setup failed :-( #31

Closed p4yl0ad closed 1 year ago

p4yl0ad commented 1 year ago

Describe the bug

For some reason the script is unable to set up the detection engine automatically.

To Reproduce

root@ELASTIC:/home/rubber/elastic-container# ./elastic-container.sh start
Passphrase has been reset. Proceeding.
Starting Elastic Stack network and containers.
WARN[0000] mount of type `volume` should not define `bind` option 
WARN[0000] mount of type `volume` should not define `bind` option 
[+] Running 6/0
[+] Running 8/8
 ✔ Network elastic-container_default           Created
 ✔ Volume "elastic-container_certs"            Created
 ✔ Volume "elastic-container_esdata01"         Created
 ✔ Volume "elastic-container_kibanadata"       Created
 ✔ Container ecp-elasticsearch-security-setup  Healthy
 ✔ Container ecp-elasticsearch                 Healthy
 ✔ Container ecp-kibana                        Healthy
 ✔ Container ecp-fleet-server                  Started

Attempting to enable the Detection Engine and install prebuilt Detection Rules.

Kibana is up. Proceeding.

Detection Engine setup failed :-(

Expected behavior

Detection engine to be set up?

Desktop (please complete the following information):

root@ELASTIC:/home/rubber/elastic-container# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 11 (bullseye)
Release:    11
Codename:   bullseye

Additional context

Managed to shrug off the error when I first tried and manually set up what was needed; however, due to instability I needed to start afresh. Decided to report this as it may be helpful for others.

root@ELASTIC:/home/rubber/elastic-container# cat .env 
# Local Kibana URL
LOCAL_KBN_URL=https://127.0.0.1:5601

# Local ES URL
LOCAL_ES_URL=https://127.0.0.1:9200

# Username for Kibana
ELASTIC_USERNAME=rubber

# Password for the 'elastic' user (at least 6 characters)
ELASTIC_PASSWORD=REDACTED

# Password for the 'kibana_system' user (at least 6 characters)
KIBANA_PASSWORD=REDACTED

# Version of Elastic products
STACK_VERSION=8.9.0

# Bulk Enable Detection Rules by OS
LinuxDR=0

WindowsDR=1

MacOSDR=0

# Set the cluster name
CLUSTER_NAME=elastic-container-project

# Set to "basic" or "trial" to automatically start the 30-day trial
LICENSE=basic
#LICENSE=trial

# Port to expose Elasticsearch HTTP API to the host
ES_PORT=9200
#ES_PORT=127.0.0.1:9200

# Port to expose Kibana to the host
KIBANA_PORT=5601

# Port to expose Fleet to the host
FLEET_PORT=8220

# Increase or decrease based on the available host memory (in bytes)
#MEM_LIMIT=1073741824
MEM_LIMIT=2500000000

The guide section "Enabling Elastic’s Prebuilt Detection Rules" didn't have the rules available shown in the screenshot: https://www.elastic.co/security-labs/the-elastic-container-project

peasead commented 1 year ago

Try leaving the username as elastic.

p4yl0ad commented 1 year ago

Legend, much appreciated Andrew.

peasead commented 1 year ago

I'll update the documentation, too. This is an Elastic Stack requirement, not a requirement of our project.
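A pre-flight check that catches this misconfiguration before `./elastic-container.sh start` is run, as an added example that is not part of the elastic-container project: it reads the same .env format shown in the report above and flags an ELASTIC_USERNAME other than `elastic` (the built-in superuser the stack expects) or a password shorter than the 6 characters the file's own comments require. The function names `env_get` and `check_env` are mine.

```shell
# Added example: validate an elastic-container .env before starting the stack.
# Assumes the .env layout shown in the issue (KEY=value lines, '#' comments).

# env_get FILE KEY: print the last uncommented value of KEY, ignoring
# commented-out lines such as "#LICENSE=trial" and surrounding whitespace.
env_get() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -n 1
}

# check_env FILE: report findings on stdout; return 0 only if every check passes.
check_env() {
    envfile="$1"
    rc=0
    [ -r "$envfile" ] || { echo "cannot read $envfile"; return 2; }

    # The Elastic Stack's built-in superuser is 'elastic'; the automated
    # Detection Engine setup in this thread failed because it was renamed.
    user=$(env_get "$envfile" ELASTIC_USERNAME)
    if [ "$user" != "elastic" ]; then
        echo "ELASTIC_USERNAME is '$user'; the stack's built-in superuser must stay 'elastic'"
        rc=1
    fi

    # Both passwords must be at least 6 characters, per the .env comments.
    for key in ELASTIC_PASSWORD KIBANA_PASSWORD; do
        pw=$(env_get "$envfile" "$key")
        if [ "${#pw}" -lt 6 ]; then
            echo "$key is missing or shorter than 6 characters"
            rc=1
        fi
    done
    return "$rc"
}
```

Run it as `check_env .env` from the repository directory; a non-zero exit means the stack should not be started until the reported keys are fixed.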