
threat-hunting-with-elastic-stack's Issues

After adding the system module to filebeat, it's necessary to enable the config reload on Elastic 8.3

Hello!

After adding the system module to filebeat, I had the following error:
Exiting: Failed to start crawler: creating module reloader failed: could not create module registry for filesets: module system is configured but has no enabled filesets

After checking the filebeat.yml, I saw that there was an option to reload the configs.

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

Changing reload.enabled from false to true solved the problem.
reload.enabled: true

To make curl requests to Elastic 8.3 it's necessary to turn off xpack.security

Hello guys once again!

While trying to make curl requests to the initial Elasticsearch instance, I was getting the following error: curl: (52) Empty reply from server.

Elasticsearch was running as normal according to systemctl status; however, the reply was empty.

Checking on Stack Overflow, I saw the following post:
https://stackoverflow.com/questions/35921195/curl-52-empty-reply-from-server-timeout-when-querying-elastiscsearch

It stated that we need to change xpack.security.enabled to false, as it seems that since Elastic 8.1 it has been a default setting.

#----------------------- BEGIN SECURITY AUTO CONFIGURATION -----------------------
#
# The following settings, TLS certificates, and keys have been automatically
# generated to configure Elasticsearch security features on 13-08-2022 12:01:10
#
# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

So if we change xpack from true to false, we are now able to make curl requests without SSL.

xpack.security.enabled: false

However, in the post it states that xpack needs to be true when Kibana is used!

Thanks once again!

Incorrect discovery parameter on the chapter 3 yml file

Hey there!

While I was checking the GitHub version of the yml file, I followed the format as follows:

# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when this node is started:
# The default list of hosts is ["127.0.0.1", "[::1]"]
#
discovery.node: single-node
discovery.seed_hosts: ["0.0.0.0"]
#

However, initially I was getting errors and didn't understand why.

When I checked the PDF/book version, the single-node parameter is incorrect in the GitHub file.

The correct one is discovery.type and not discovery.node.
discovery.type: single-node

Thanks for the amazing book so far!

Cluster initial master node must be commented on Elastic 8.3

Hello there!

Having resolved the previous issue, I still had problems starting the Elastic instance.

When I checked the logs, I noticed that there was an automatic cluster starting.
Perhaps as a new default configuration, the initial cluster isn't commented out by default.

When I commented out "cluster.initial_master_nodes", I was able to finally start my instance without an issue.

Since in the lab and book we are creating a single node, it was causing conflicts with the option turned on.

# --------------------------------------------------------------------------------

# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
# Create a new cluster with the current node only
# Additional nodes can still join the cluster later
cluster.initial_master_nodes: ["STATIC HOST NAME HERE IN THIS FIELD"]

# Allow HTTP API connections from anywhere
# Connections are encrypted and require user authentication
http.host: 0.0.0.0

# Allow other nodes to join the cluster from anywhere
# Connections are encrypted and mutually authenticated
#transport.host: 0.0.0.0

Doing the following resolved the issue:
# cluster.initial_master_nodes: ["STATIC HOST NAME HERE IN THIS FIELD"]

Thanks once again!
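As an added example (not code from the book or from the issue author), here is a small audit that flattens an elasticsearch.yml-style file into dotted keys and flags the three settings the curl, discovery and initial_master_nodes issues above ran into, so the state of a lab config can be checked before it is started. The parser is deliberately minimal (key: value lines and nested mappings only, no PyYAML required), and the sample config is constructed from the values quoted in this thread.

```python
def flatten_yaml(text):
    """Flatten simple indented YAML mappings into {"a.b.c": "raw value"}.
    Comment and blank lines are skipped; list literals stay as raw strings."""
    settings, stack = {}, []                       # stack of (indent, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:    # leave finished blocks
            stack.pop()
        full = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[full] = value.strip()
        else:
            stack.append((indent, key.strip()))    # mapping with children
    return settings

def audit(settings):
    """Return findings for the misconfigurations the issues above describe."""
    findings = []
    if "discovery.node" in settings:
        findings.append("discovery.node is not a setting; use discovery.type")
    if settings.get("discovery.type") == "single-node" \
            and "cluster.initial_master_nodes" in settings:
        findings.append("cluster.initial_master_nodes is not allowed with "
                        "discovery.type: single-node; comment it out")
    if settings.get("xpack.security.enabled") == "false":
        msg = "xpack.security.enabled is false: API is unauthenticated"
        if settings.get("http.host") == "0.0.0.0":
            msg += " and http.host 0.0.0.0 exposes it on every interface"
        findings.append(msg)
    return findings

# Constructed sample: the chapter 3 file with the thread's changes applied.
SAMPLE = """\
discovery.type: single-node
xpack.security.enabled: false          # turned off to make curl work
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
cluster.initial_master_nodes: ["STATIC HOST NAME HERE IN THIS FIELD"]
http.host: 0.0.0.0
"""

for finding in audit(flatten_yaml(SAMPLE)):
    print("FINDING:", finding)
```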
