Import Elasticsearch data into Security (ElasticDump) #11450
Found out what the problem was with the image below. I was referencing the wrong file when using the --type=data. Once I referenced the correct file "es_dump_winlogbeat_II.json" (which is the index data file), everything worked properly.
Greetings Security Onion Professionals!
Security Onion 2.4
Testing Import-Node
Testing Standalone Node
I'm trying to figure out how to properly import Elasticsearch data from a remote stack into Security Onion via port 9200.
I have successfully dumped mappings and data using the Elasticdump tool from the remote stack, but cannot hit the Elasticsearch API through the Security Onion firewall. I have followed the Jupyter Notebook section in the documentation on how to open port 9200, but after I amend the configuration via the Administration tab and wait, I'm still unable to hit port 9200.
Any suggestions?
https://docs.securityonion.net/en/2.4/jupyter.html?highlight=jupyter#jupyter-notebook
Update: Oct 1, 2023 19:30
Ok, I was finally able to connect to port 9200. It was a networking issue on my end. I ended up adding some more IPs to my firewall config so that routes would work. Virtual lab stuff...
The problem I'm facing now is getting the data to properly index. I spent a little time reading the ElasticDump documentation and discussions but I am unable to find a solution to the problem below. Does anyone have experience importing data into Security Onion using ElasticDump or perhaps some other tool?
Update: Oct 1, 2023 21:11
I was finally able to get exported data from the remote stack imported into Security Onion.
Steps:
1. Dump stack data with ElasticDump using the --type=data flag.
2. Open Security Onion firewall port 9200 under the firewall configuration portion located in the SOC > Administration tab.
3. Create a user in Kibana under the Stack Management > Users area with sufficient privileges to write to the index. (Make sure to close the firewall and delete the user if they are no longer needed to perform the task.)
4. Import data.json into Security Onion Elasticsearch using the ElasticDump tool.
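As an added example that is not part of the original post or of the elasticdump project: a small Python check that tells a --type=mapping export apart from a --type=data export before anything is pushed to port 9200, and then assembles the two elasticdump commands in the order they have to run (mapping first, then data). It covers the mistake described in the comment above (pointing --type=data at the mapping file) and the import step of the procedure. It assumes elasticdump's default file formats (a mapping dump is one JSON object keyed by index name; a data dump is one JSON hit per line carrying _index, _id and _source). The index name winlogbeat-7.17, the sample documents, the file names and the target URL are constructed placeholders.

```python
"""Sanity-check elasticdump export files before importing them into Security Onion.

Added example, not code from the discussion or from elasticdump itself. Assumes
elasticdump's default output: --type=mapping writes one JSON object keyed by
index name; --type=data writes newline-delimited JSON hits with _index/_id/_source.
"""
import json
import os
import tempfile


def classify_dump(path):
    """Return ("data", doc_count), ("mapping", [index names]) or ("unknown", None)."""
    with open(path, encoding="utf-8") as fh:
        lines = [ln for ln in fh.read().splitlines() if ln.strip()]
    if not lines:
        return ("unknown", None)

    # A data dump is NDJSON: every non-empty line is a hit with _index and _source.
    docs = []
    for ln in lines:
        try:
            obj = json.loads(ln)
        except json.JSONDecodeError:
            docs = None
            break
        if not (isinstance(obj, dict) and "_index" in obj and "_source" in obj):
            docs = None
            break
        docs.append(obj)
    if docs is not None:
        return ("data", len(docs))

    # A mapping dump is a single JSON object: {"<index>": {"mappings": {...}}, ...}
    try:
        whole = json.loads("\n".join(lines))
    except json.JSONDecodeError:
        return ("unknown", None)
    if isinstance(whole, dict) and whole and all(
        isinstance(v, dict) and "mappings" in v for v in whole.values()
    ):
        return ("mapping", sorted(whole))
    return ("unknown", None)


def plan_import(mapping_file, data_file, target_url):
    """Build the elasticdump commands in the order they must run: mapping, then data.

    target_url is the Security Onion Elasticsearch endpoint including the destination
    index, e.g. https://<user>:<password>@so-manager:9200/<index> (placeholder).
    Raises ValueError when a file is not what its role requires, which is exactly the
    mix-up from the comment above (--type=data pointed at the mapping file).
    """
    kind, _ = classify_dump(mapping_file)
    if kind != "mapping":
        raise ValueError(f"{mapping_file}: found a {kind} dump, expected a mapping dump")
    kind, count = classify_dump(data_file)
    if kind != "data":
        raise ValueError(f"{data_file}: found a {kind} dump, expected a data dump")
    return [
        ["elasticdump", f"--input={mapping_file}", f"--output={target_url}", "--type=mapping"],
        ["elasticdump", f"--input={data_file}", f"--output={target_url}", "--type=data"],
    ]


def write_samples():
    """Write constructed sample exports to a temp dir and return their paths."""
    d = tempfile.mkdtemp(prefix="esdump-")
    mapping = {"winlogbeat-7.17": {"mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "winlog": {"properties": {"event_id": {"type": "keyword"}}},
    }}}}
    hits = [
        {"_index": "winlogbeat-7.17", "_id": "1", "_score": 1,
         "_source": {"@timestamp": "2023-10-01T19:30:00Z", "winlog": {"event_id": "4624"}}},
        {"_index": "winlogbeat-7.17", "_id": "2", "_score": 1,
         "_source": {"@timestamp": "2023-10-01T19:31:00Z", "winlog": {"event_id": "4688"}}},
    ]
    paths = {"mapping": os.path.join(d, "es_dump_winlogbeat_mapping.json"),
             "data": os.path.join(d, "es_dump_winlogbeat_II.json")}
    with open(paths["mapping"], "w", encoding="utf-8") as fh:
        json.dump(mapping, fh)
    with open(paths["data"], "w", encoding="utf-8") as fh:
        fh.write("\n".join(json.dumps(h) for h in hits) + "\n")
    return paths


if __name__ == "__main__":
    p = write_samples()
    for name, path in p.items():
        print(name, "->", classify_dump(path))
    for cmd in plan_import(p["mapping"], p["data"], "https://so-manager:9200/winlogbeat-import"):
        print(" ".join(cmd))
```

The target URL carries the credentials of the user created in step 3, so keep it in an environment variable rather than typing it on the command line, and remove that user and close port 9200 again once the import has finished, as the steps above say.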