I'm running into some problems running ELK on Docker. I use SSL on both tls and http, and I'm trying to use a simple EQL query:
sequence by winlog.computer_name
[iam where event.code == "4720"]
[iam where event.code == "4726"]
When I click "Show results" I see a preview of the results, but when I try to duplicate the alert it gets 0 hits in the index .siem-signals-default-*.
I get some warnings from my elasticsearch container:
{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43450}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": }
Where is the problem? Any ideas?
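The warning quoted above means that some client on the Docker network (172.20.0.2 in the question) spoke plain HTTP to the HTTPS-enabled port 9200, and Elasticsearch closed the connection. The practical check is to find out which container that IP belongs to and fix its Elasticsearch URL (it must start with https://). As an added example that is not part of the original post, the Python below scans Elasticsearch's JSON log output for those rejected connections and counts them per source IP; the log lines in SAMPLE_LOG are constructed for the example and the IPs, node name and cluster UUID are illustrative.

```python
import json
import re
from collections import Counter

# Constructed sample log lines in the JSON layout Elasticsearch 7.x writes to
# container stdout. Values are illustrative, not taken from a real cluster.
SAMPLE_LOG = r'''
{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43450}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "abc"}
{"type": "server", "timestamp": "2021-10-25T12:37:35,001Z", "level": "INFO", "component": "o.e.c.m.MetadataCreateIndexService", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "[.siem-signals-default-000001] creating index", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "abc"}
{"type": "server", "timestamp": "2021-10-25T12:37:40,120Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43452}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "abc"}
{"type": "server", "timestamp": "2021-10-25T12:38:01,500Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.7:51022}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "abc"}
'''

# Exact text Elasticsearch logs when a client sends HTTP to an HTTPS channel.
PLAINTEXT_MSG = "received plaintext http traffic on an https channel"

# Pulls the two socket addresses out of "Netty4HttpChannel{localAddress=/..., remoteAddress=/...}".
ADDR_RE = re.compile(r"localAddress=/(?P<local>[^,}]+), remoteAddress=/(?P<remote>[^}]+)")


def parse_plaintext_events(log_text):
    """Return one dict per rejected plaintext connection found in the JSON log."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # stack traces and startup banners are not JSON; skip them
        msg = rec.get("message", "")
        if PLAINTEXT_MSG not in msg:
            continue
        m = ADDR_RE.search(msg)
        if not m:
            continue
        # rpartition keeps IPv6 literals intact and splits only the trailing port
        remote_ip, _, remote_port = m.group("remote").rpartition(":")
        events.append({
            "timestamp": rec.get("timestamp"),
            "node": rec.get("node.name"),
            "local": m.group("local"),
            "remote_ip": remote_ip,
            "remote_port": int(remote_port),
        })
    return events


def offending_clients(events):
    """Count rejected plaintext connections per source IP (most talkative first)."""
    return Counter(e["remote_ip"] for e in events)


if __name__ == "__main__":
    evs = parse_plaintext_events(SAMPLE_LOG)
    for ip, n in offending_clients(evs).most_common():
        print(f"{ip}: {n} plaintext connection(s) rejected by the https listener")
```

Feed it the real output of `docker logs <elasticsearch-container>` instead of SAMPLE_LOG. Once you have the source IP, `docker network inspect <network>` lists each container with its IPv4Address on that network, which tells you which service (Kibana, Logstash, a Beat) still has an http:// URL configured for Elasticsearch.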
This helped:
PUT /_cluster/settings
{
  "persistent" : {
    "xpack" : {
      "monitoring" : {
        "migration" : {
          "decommission_alerts" : "true"
        }
      }
    }
  },
  "transient" : { }
}