Issue with filebeat setup redirecting to security onion login page

[soad20000]

Hello,

I am running Security Onion 2.3 Standalone version. I am trying to setup filebeat on a remote linux host so that it sends syslog data to Elasticsearch so that I can then visualize it in Kibana. I am using this tutorial for reference https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-installation-configuration.html

I am able to connect the filebeat client to the ES instance through an API key which I've specified in the filebeat.yml file on the remote host. I've also enabled the Kibana and Elasticsearch modules in filebeat. I've verified the connection from the remote host to the SO server with netcat. No issues there.

The problem is that when I run the filebeat setup and it tries to load the pre-configured Kibana dashboards, I get the follow error.

Exiting: error connecting to Kibana: fail to get the Kibana version: fail to parse kibana version (): passed version is not semver:

So I used curl from the remote host to see why it couldn't reach the endpoint at https://10.xx.xx.xx/kibana/api/status and it's because it's being redirected to the security onion login page and the filebeat setup script doesn't know how to handle that.

I've tried hardcoding the same credentials I use to login to SO into the filebeat.yml file (I know it's a horrible idea, I just wanted to see if I could get it working and right now we're in the POC phase with SO). I've tried different filebeat versions, the one I am currently using is the one you get from the Downloads page on the local SO instance.

curl -k -v https://10.xx.xx.xx/kibana/api/status
* About to connect() to 10.xx.xx.xx port 443 (#0)
*   Trying 10.xx.xx.xx...
* Connected to 10.xx.xx.xx (10.xx.xx.xx) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: ST=Utah,L=Salt Lake City,CN=<SOHostname>,C=US
*       start date: Jul 13 20:04:04 2023 GMT
*       expire date: Oct 10 20:04:04 2025 GMT
*       common name: <SOHostname>
*       issuer: ST=Utah,L=Salt Lake City,CN=<SOHostname>,C=US
> GET /kibana/api/status HTTP/1.1
> User-Agent: curl/7.29.0
> Host: 10.xx.xx.xx
> Accept: */*
>
< HTTP/1.1 302 Moved Temporarily
< Server: nginx
< Date: Thu, 14 Sep 2023 20:14:10 GMT
< Content-Type: text/html
< Content-Length: 138
< Location: https://10.xx.xx.xx/auth/self-service/login/browser
< Connection: keep-alive
< Set-Cookie: AUTH_REDIRECT=/kibana/api/status;Path=/;Max-Age=14400
<
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx</center>
</body>
</html>
* Connection #0 to host 10.xx.xx.xx left intact

On my local machine I am able to access the endpoint because it's the same machine I login to SO with and the browser cookies let me bypass that login page. I've verified this behavior using curl on the remote host to pass those same cookies to the endpoint and I am able to get the JSON structure which is supposed to be parsed with the filebeat setup command.

Could anyone suggest a workaround for this? I'm just trying to get syslogs from the remote host onto ES, I was able to do it with rsyslog but ES was having trouble parsing the data so that's why I looked into Filebeat. I suspect that I'm going about this completely the wrong way since I couldn't find anyone else having the same issue, so if anyone has suggestions on how to properly ingest syslog data into Kibana/ES then I'm all ears, or eyes in this case.

My filebeat version: filebeat version 8.7.1 (amd64), libbeat 8.7.1 [bda40535cf0743b97017512e6af6d661eeef956e built 2023-04-23 04:29:02 +0000 UTC]

Here is my filebeat.yml file on the remote host:

###################### Filebeat Configuration Example #########################

# This file is an example configuration file highlighting only the most common
# options. The filebeat.reference.yml file from the same directory contains all the
# supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/filebeat/index.html

# For more available modules and options, please see the filebeat.reference.yml sample
# configuration file.

# ============================== Filebeat inputs ===============================

filebeat.inputs:

# Each - is an input. Most options can be set at the input level, so
# you can use different inputs for various configurations.
# Below are the input specific configurations.

# filestream is an input for collecting log messages from files.
- type: filestream

  # Unique ID among all inputs, an ID is required.
  id: my-filestream-id

  # Change to true to enable this input configuration.
  enabled: false

  # Paths that should be crawled and fetched. Glob based paths.
  paths:
    - /var/log/*.log
    #- c:\programdata\elasticsearch\logs\*

  # Exclude lines. A list of regular expressions to match. It drops the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #exclude_lines: ['^DBG']

  # Include lines. A list of regular expressions to match. It exports the lines that are
  # matching any regular expression from the list.
  # Line filtering happens after the parsers pipeline. If you would like to filter lines
  # before parsers, use include_message parser.
  #include_lines: ['^ERR', '^WARN']

  # Exclude files. A list of regular expressions to match. Filebeat drops the files that
  # are matching any regular expression from the list. By default, no files are dropped.
  #prospector.scanner.exclude_files: ['.gz$']

  # Optional additional fields. These fields can be freely picked
  # to add additional information to the crawled log files for filtering
  #fields:
  #  level: debug
  #  review: 1

# ============================== Filebeat modules ==============================

filebeat.config.modules:
  # Glob pattern for configuration loading
  path: ${path.config}/modules.d/*.yml

  # Set to true to enable config reloading
  reload.enabled: false

  # Period on which files under path should be checked for changes
  #reload.period: 10s

# ======================= Elasticsearch template setting =======================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false


# ================================== General ===================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "https://10.xx.xx.xx:443/kibana"
  ssl.verification_mode: none
  #api_key: "<redacted>"
  #username: ""
  #password: ""

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

# =============================== Elastic Cloud ================================

# These settings simplify using Filebeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

# ================================== Outputs ===================================

# Configure what output to use when sending the data collected by the beat.

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://10.xx.xx.xx:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  api_key: "<redacted>"
  #username: ""
  #password: ""
  ssl.verification_mode: none

# ------------------------------ Logstash Output -------------------------------
#output.logstash:
  # The Logstash hosts
  #hosts: ["localhost:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

# ================================= Processors =================================
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

# ================================== Logging ===================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publisher", "service".
#logging.selectors: ["*"]

# ============================= X-Pack Monitoring ==============================
# Filebeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

# ============================== Instrumentation ===============================

# Instrumentation support for the filebeat.
#instrumentation:
    # Set to true to enable instrumentation of filebeat.
    #enabled: false

    # Environment in which filebeat is running on (eg: staging, production, etc.)
    #environment: ""

    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200

    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:

    # Secret token for the APM Server(s).
    #secret_token:


# ================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

[dougburks]

We typically recommend avoiding the beat dashboard upload. For example, from https://docs.securityonion.net/en/2.3/beats.html?#winlogbeat:

Make sure that the setup.dashboards.enabled setting is commented out or disabled.

Also keep in mind that Security Onion 2.4 is now available and you'll want to start thinking about migration. 2.4 moves from Beats to Elastic Agent:
https://docs.securityonion.net/en/2.4/elastic-agent.html

[soad20000]

Thanks for the response. Yes I tried disabling the entire dashboard loading section and even the kibana section in filebeat.yml (both individually and together), however it still tries communicating with the Kibana API. It still fails though because the host defaults to http://localhost:5601/api/status which is expected since Kibana isn't running on the remote host.

Here's the .yml file with the changes I made.

# ================================= Dashboards =================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false
#setup.dashboards.always_kibana: true

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:
#setup.dashboards.directory: /usr/share/filebeat/kibana/8/dashboard

# =================================== Kibana ===================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
#setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "https://10.xx.xx.xx:443/kibana"
  #ssl.verification_mode: none
  #api_key: "<redacted>"
  #username: ""
  #password: ""

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

And the error it shows

Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": dial tcp 127.0.0.1:5601: connect: connection refused (status=0). Response:

Yeah we wanted to try out 2.4 however we kept running into an error on installation which we weren't able to solve either. That merits its own separate discussion however. Once we switch over to prod though our objective is to use 2.4. We were hoping that we could upgrade from 2.3 to 2.4 but there's no ETA for that feature yet.

[dougburks]

The most effective use of time would be to go ahead and start a separate discussion to figure out your 2.4 installation problem and then get Elastic Agent working.