Update from dev #121

Merged
merged 5 commits into from
Oct 18, 2024
27 changes: 27 additions & 0 deletions elasticsearch.rst
@@ -259,6 +259,33 @@ Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP

Once the config is added, click the green check mark to save the configuration.

Health
------

To check Elasticsearch health, go to the :ref:`grid` interface and check the Elasticsearch Status field. If it shows anything other than OK, then run the following command from the CLI on the manager node to check for additional clues:

::

sudo so-elasticsearch-query _cluster/health?pretty

Status Pending
--------------

If the :ref:`grid` interface shows Elasticsearch Status as ``Pending``, check for unassigned shards by running the following command from the CLI on the manager node:

::

sudo so-elasticsearch-query _cat/shards | grep UN

The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist.
To resolve the issue, run the following command for each affected index (replacing ``$index`` with the actual index name):

::

sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT

After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified.

Diagnostic Logging
------------------

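Review bot: The resolution step under "Status Pending" (the ``_settings`` PUT that sets ``number_of_replicas`` to 0) should be scoped to the single-node case the preceding paragraph describes; as written, "run the following command for each affected index" reads as unconditional, and on a multi-node grid dropping replicas removes redundancy for that index and hides whatever actually blocked allocation. Suggest telling the reader to confirm the unassignment reason first (for example ``sudo so-elasticsearch-query _cluster/allocation/explain?pretty``) and to apply the replica change only when the cluster has a single data node. Minor: ``grep UN`` relies on matching the ``UNASSIGNED`` state column of ``_cat/shards``; spelling out ``UNASSIGNED`` in the command makes the intent obvious and avoids false matches.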
6 changes: 6 additions & 0 deletions release-notes.rst
@@ -12,6 +12,12 @@ Field conflicts can be identified by navigating to ``Kibana -> Management -> Dat

For example, you may have a conflict for ``source.ip``, where it was previously correctly mapped as field type of ``ip``, but the index mappings were inadvertently changed and ``source.ip`` is now mapped as a field type of ``keyword`` in the ``logs-system.security`` and ``logs-system.syslog`` data streams. The mappings have been fixed, but the data streams need to be rolled over to pick up the correct mappings, and the affected index containing ``source.ip`` mapped as a field type of ``keyword`` needs to be deleted to resolve the conflict.

Conflicts for the following fields can be ignored for now, as they will be fixed in a future version:

- metadata.input.beats.host.ip
- recordedfuture.evidence_details
- version

You can issue the following commands from the CLI to resolve the conflict.

First, become root:
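Review bot: "Conflicts for the following fields can be ignored for now, as they will be fixed in a future version" gives the reader no way to know when the note becomes stale; suggest naming the target release or linking the tracking issue so the list can be retired. The three field names should also use the same ``literal`` markup the surrounding text uses for ``source.ip`` and the data stream names, for consistency and so they are not mistaken for prose (``version`` in particular reads as an ordinary word). Since the fix path in the paragraph above involves deleting an index, it is worth stating explicitly that the listed fields need no such action.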
5 changes: 5 additions & 0 deletions zeek.rst
@@ -124,6 +124,11 @@ We also include MITRE BZAR scripts and you can read more about them at https://g

As you can see, Zeek log data can provide a wealth of information to the analyst, all easily accessible through :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`.

File Extraction
---------------

By default, Zeek will extract files from network traffic and :ref:`strelka` will then analyze those extracted files.

VLAN Tags
---------

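Review bot: The new "File Extraction" section is a single sentence and leaves out the operational details a reader would come here for: where extracted files are written, how the behaviour is turned off or tuned (the relevant configuration location in the Security Onion config interface), and what the disk-usage implications are on a busy sensor. Suggest adding at least the configuration pointer and a cross-reference to the :ref:`strelka` page's section on analyzing extracted files, so the heading carries enough content to justify its own section.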