WORKING: v2.0 beta 6 #2
@Zarci are the pipelines working for you?
Yep! I have filebeat working. Send me your errors.
" in the "Index pattern" section of the rule definition, however no index matching: ["rtops-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. name: "[T1100] Web Shell" id: "bb08cba0-4864-11ef-bf95-5f3c3e5f75df" rule id: "redelk-rule-T1100" signals index: ".siem-signals-default""}
Here's another error from ES: "message": "received plaintext http traffic on an https channel
Your first error looks like it's coming from the MITRE detection rules... make sure your configuration for your source log has the correct type. Cobalt Strike example: fields:
As for your second error: are you using a Docker ELK stack?
@Zarci using Sliver, I've commented out Cobalt Strike and others. The type seems OK. Yes, using the Docker ELK stack. This is the default from what I'm seeing, isn't it?
@adrian-rt I'm sorry, but this issue is strictly about helping get the existing redelk-ansible project working. I think the issue you're facing is because of how you've customized your RedELK instance. Without the entire codebase, it's going to be difficult to trace your issue because all I have to compare against is what is open source.
That's fine, no worries. I did a very minor change to the original RedELK; you can see it in the other ticket raised (ports related). Where are the indices created for ES in this project? I just don't see it and they're not created for me.
Here are a few of the things I had to change with this project to make it work with v2 Beta 6:
First, here are the values.yaml settings I'm running off of:
redelk_repo: "fastlorenzo" - it's (probably) possible to use the Outflank repo; I just used this because the docker containers that get cloned are also based on this, and Lorenzo's has the kibana app.
redelk_version: "master"
docker_container_version: "latest"
After the RedELK repo gets cloned
Change the contents of RedELK/config.cnf to include your IP/Domains
Then run the initial-setup.sh script to generate the certs
Then edit the docker-env.j2 file with the following change
# CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.pkcs8.key
# CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.crt
CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/redelk-main/certs/elkserver.key
CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/redelk-main/certs/elkserver.crt
Lastly, in each of the beat.yml's change how the CA file is copied over to something like
src: "{{ redelk_repo_path }}/certs/redelkCA.crt" #"{{ redelk_cert_path }}/ca/ca.crt"
You may need to add a variable in values.yaml
Before:
path: /etc/filebeat/conf.d/*.yml
After:
path: /etc/filebeat/inputs.d/*.yml
Note: there is probably something else I forgot and will add later, but this should get you a decent head start.
Feel free to comment any questions. I'll try my best to respond.
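A pre-flight check for the edits listed in this comment, written here as an added example (it is not redelk-ansible's or RedELK's own code): it parses a docker-env style file the way the docker-env.j2 edit above expects (commented-out lines are ignored, so the old CERTS_LOGSTASH_INPUT_* defaults do not count), confirms the active key/cert paths exist, and flags a beat config whose input path still points at conf.d instead of inputs.d. The sample env and filebeat contents are constructed from the values in the comment, and the `exists` callable is injected so the check can run against a constructed file layout rather than a live host.

```python
"""Pre-flight checker for the docker-env and beat config edits described above.

Added example, not part of redelk-ansible. It does three things:
  1. parses a docker-env style file, ignoring '#' comments;
  2. checks the active CERTS_LOGSTASH_INPUT_KEY / _CRT paths exist;
  3. checks a beat config's input 'path:' uses inputs.d, not the old conf.d.
"""
import os
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample mirroring the edited docker-env.j2 from the comment.
SAMPLE_ENV = """\
# CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.pkcs8.key
# CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/config/certificates/redelk-logstash/redelk-logstash.crt
CERTS_LOGSTASH_INPUT_KEY=/usr/share/logstash/redelk-main/certs/elkserver.key
CERTS_LOGSTASH_INPUT_CRT=/usr/share/logstash/redelk-main/certs/elkserver.crt
"""

# Constructed filebeat snippets: the "before" and "after" paths from the comment.
SAMPLE_BEAT_OLD = "filebeat.config.inputs:\n  enabled: true\n  path: /etc/filebeat/conf.d/*.yml\n"
SAMPLE_BEAT_NEW = "filebeat.config.inputs:\n  enabled: true\n  path: /etc/filebeat/inputs.d/*.yml\n"

REQUIRED_KEYS = ("CERTS_LOGSTASH_INPUT_KEY", "CERTS_LOGSTASH_INPUT_CRT")


def parse_env(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (active assignments, warnings).

    Lines starting with '#' are comments and never become active values.
    A key assigned twice keeps the last value and is reported as a warning.
    """
    active: Dict[str, str] = {}
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            warnings.append(f"line {lineno}: not KEY=VALUE: {line!r}")
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key in active:
            warnings.append(f"line {lineno}: {key} assigned again, last value wins")
        active[key] = value.strip().strip('"')
    return active, warnings


def check_logstash_certs(env: Dict[str, str],
                         exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Problems with the active logstash input key/cert settings.

    `exists` is injectable (hypothetical parameter) so the check can run
    against a constructed layout instead of the real filesystem.
    """
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        path = env.get(key)
        if not path:
            problems.append(f"{key} is not set (only a commented-out default?)")
        elif not exists(path):
            problems.append(f"{key} points at missing file {path}")
    key_path, crt_path = env.get(REQUIRED_KEYS[0]), env.get(REQUIRED_KEYS[1])
    if key_path and crt_path and os.path.dirname(key_path) != os.path.dirname(crt_path):
        problems.append("key and cert live in different directories; check both lines were updated")
    return problems


BEAT_PATH_RE = re.compile(r"^\s*path:\s*(\S+)", re.MULTILINE)


def check_beat_inputs_path(beat_yml: str) -> List[str]:
    """Flag a filebeat input path that still points at the old conf.d location."""
    problems: List[str] = []
    for match in BEAT_PATH_RE.finditer(beat_yml):
        path = match.group(1)
        if "/conf.d/" in path:
            problems.append(f"input path {path} uses conf.d; the comment moves it to inputs.d")
    return problems


if __name__ == "__main__":
    env, warns = parse_env(SAMPLE_ENV)
    # Constructed layout: pretend only the redelk-main certs exist on disk.
    fake_fs = {"/usr/share/logstash/redelk-main/certs/elkserver.key",
               "/usr/share/logstash/redelk-main/certs/elkserver.crt"}
    findings = warns + check_logstash_certs(env, fake_fs.__contains__) \
        + check_beat_inputs_path(SAMPLE_BEAT_OLD)
    for finding in findings:
        print("WARN:", finding)
    print("beat after-edit OK" if not check_beat_inputs_path(SAMPLE_BEAT_NEW) else "beat after-edit FAIL")
```

Run it against the real files by reading docker-env and each beat.yml into `parse_env` and `check_beat_inputs_path` and dropping the `exists` override; an empty findings list means the three edits from this comment are in place.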