hello all,
Seems that open distro instructions are not updated or not correct. After following the instructions for setting up Suricata module I always get the same error :
Failed to connect to backoff(elasticsearch()): Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_license endpoint, Filebeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Filebeat so it can verify the license.: could not retrieve the license information from the cluster: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}
I used the version that the /home/tutorial/suricataLogs suggests.
When I run filebeat setup I get this message. If I run filebeat -c filebeat.yml -e it seems that it is running.
I have the same problem with Zeek also.
I think the tutorial is insufficient.
If you use Open Distro for Elasticsearch, it by default installs Elasticsearch OSS, and to be able to connect to it using Filebeat, you must use the OSS version of Filebeat.
You probably can try to configure Filebeat with the appropriate certificates of your Elasticsearch cluster like it is described in the documentation - Configure SSL.
You also can use ssl.verification_mode: none to check if it is related to your self-signed certificates.
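As an added illustration of the two SSL suggestions above (this is not the poster's configuration and not taken from the Open Distro tutorial), here is the shape of the Elasticsearch output section of filebeat.yml. The first variant only switches off certificate verification to test whether the self-signed certificate is what breaks the connection; the second one, which is the one to keep, trusts the cluster's own CA instead. The host, credentials and file paths are placeholders.

```yaml
# Added example, not the poster's config. Placeholders: es.example.internal,
# the admin user/password and the /etc/filebeat/certs/... paths.

# Variant 1: diagnostic only. Verification disabled so that a self-signed
# certificate cannot be the reason the /_license call (or any other call) fails.
output.elasticsearch:
  hosts: ["https://es.example.internal:9200"]
  protocol: "https"
  username: "admin"
  password: "REPLACE_ME"
  ssl.verification_mode: none

# Variant 2: the setting to run with. Filebeat verifies the server certificate
# against the CA that signed the cluster's certificates, so verification stays
# enabled ("full" is the default and checks hostname and chain).
# output.elasticsearch:
#   hosts: ["https://es.example.internal:9200"]
#   protocol: "https"
#   username: "admin"
#   password: "REPLACE_ME"
#   ssl.verification_mode: full
#   ssl.certificate_authorities: ["/etc/filebeat/certs/root-ca.pem"]
#   # Only needed if the cluster requires client certificates:
#   # ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
#   # ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
```

Use only one of the two output.elasticsearch sections at a time (Filebeat accepts a single Elasticsearch output). If the error persists with verification_mode: none, the certificate is not the cause and the remaining explanation on this thread is the non-OSS Filebeat build insisting on the /_license check.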
As you can find in my first post, in which I posted my config, the ssl.verification_mode: none is already there. Every time I make a setup of Open Distro different things happen. Cannot explain this instability.