Dalador

Reputation: 13

Elasticsearch SIEM is not working, but EQL query is ok

I have some problems with my ELK stack running on Docker. I set up SSL on TLS and HTTP and tried to make a simple EQL query:

sequence by winlog.computer_name 
[iam where event.code == "4720"] 
[iam where event.code == "4726"]

When I click on "Show results", I see a hits preview of the results,

but when I try to reproduce the alert, there are zero hits in the index

.siem-signals-default-*

I get some warnings from my Elasticsearch container:

{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43450}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "KIjWJ0OjSW-lYt51cO8ViQ" }

Where is the problem? Any ideas?

Upvotes: 0

Views: 303
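The warning quoted in the question is the security-relevant clue: a client on the Docker network (remote address 172.20.0.2) is speaking plain HTTP to port 9200 after it was switched to HTTPS, so Elasticsearch closes the connection and the client (likely the component that should be writing signals) never gets through. The following is an added example, not code from the poster or from Elastic: it parses Elasticsearch's JSON log lines, picks out exactly this warning, and reports which remote hosts are still configured with an http:// URL so the defender can fix their scheme (and stop them sending credentials in the clear). The first sample line is the one from the question; the second is a constructed benign INFO line for contrast.

```python
import json
import re
from typing import Optional

# Sample input: line 1 is the warning from the question, line 2 is a
# constructed INFO line that must not be flagged.
SAMPLE_LOG_LINES = [
    '{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", '
    '"component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", '
    '"cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", '
    '"message": "received plaintext http traffic on an https channel, closing connection '
    'Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43450}", '
    '"cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "KIjWJ0OjSW-lYt51cO8ViQ" }',
    '{"type": "server", "timestamp": "2021-10-25T12:37:40,001Z", "level": "INFO", '
    '"component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "elastdocker-cluster", '
    '"node.name": "elastdocker-node-0", "message": "[.siem-signals-default-000001] creating index"}',
]

# The Netty channel description embedded in the warning message.
ADDR_RE = re.compile(r"localAddress=/(?P<local>[^,}]+), remoteAddress=/(?P<remote>[^,}]+)")
PLAINTEXT_MARKER = "plaintext http traffic on an https channel"


def parse_plaintext_warning(line: str) -> Optional[dict]:
    """Return details of a 'plaintext on HTTPS channel' warning, or None for any other line."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None  # not an Elasticsearch JSON log record
    msg = rec.get("message", "")
    if rec.get("level") != "WARN" or PLAINTEXT_MARKER not in msg:
        return None
    m = ADDR_RE.search(msg)
    remote = m.group("remote") if m else ""
    remote_host, _, remote_port = remote.rpartition(":")
    return {
        "timestamp": rec.get("timestamp"),
        "node": rec.get("node.name"),
        "local": m.group("local") if m else None,
        "remote_host": remote_host or None,
        "remote_port": int(remote_port) if remote_port.isdigit() else None,
    }


def find_plaintext_clients(lines) -> dict:
    """Count rejected plaintext connections per remote host, so misconfigured clients can be fixed."""
    counts: dict = {}
    for line in lines:
        hit = parse_plaintext_warning(line)
        if hit and hit["remote_host"]:
            counts[hit["remote_host"]] = counts.get(hit["remote_host"], 0) + 1
    return counts


if __name__ == "__main__":
    for host, n in find_plaintext_clients(SAMPLE_LOG_LINES).items():
        print(f"{host}: {n} plaintext connection(s) rejected on the HTTPS port")
```

Run it against `docker logs <elasticsearch-container>` piped line by line; every host it reports is a client whose Elasticsearch URL still starts with http:// (for Kibana that is the elasticsearch.hosts setting) and must be changed to https:// with the CA configured, after which the detection rule's signal writes can succeed.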

Answers (1)

Dalador

Reputation: 13

This helps:

PUT /_cluster/settings
{
  "persistent" : {
    "xpack" : {
      "monitoring" : {
        "migration" : {
          "decommission_alerts" : "true"
        }
      }
    }
  },
  "transient" : { }
}

Upvotes: 0
