X-Pack monitoring and plugins

Hello,

I don't see that there is monitoring of any kind in the screenshots of this, and as X-Pack monitoring is available for free, would this be an option to have in Open Distro?

Also, how would we install third-party plugins for this? Is the procedure the same as for Elastic?

Hi Victor,

Yes, Open Distro for Elasticsearch is built using the open source Elasticsearch and Kibana binaries, so you can add your favorite plugins as you normally would. We do intend to add more functionality out of the box for monitoring and the like, as well as working with existing solutions. While we have yet to test it, it should be interoperable with tools like Cerebro or ElasticHQ that run outside of the cluster and interrogate it via the REST API. I hope that helps.

Thanks!


I executed sudo filebeat setup but I got the error below:

Exiting: 2 errors: Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}; Error checking if xpack is available: 500 Internal Server Error: {"error":{"root_cause":[{"type":"security_exception","reason":"Unexpected exception indices:admin/get"}],"type":"security_exception","reason":"Unexpected exception indices:admin/get"},"status":500}

Is there any way to fix this error? Or is there any way to disable the x-pack plugin?

I found the log below on the elasticsearch node:

odfe-node1 | [2019-03-23T17:47:45,354][ERROR][c.a.o.s.f.OpenDistroSecurityFilter] [gWC_IgA] Unexpected exception [_xpack] InvalidIndexNameException[Invalid index name [_xpack], must not start with '_'.]
odfe-node1 | org.elasticsearch.indices.InvalidIndexNameException: Invalid index name [_xpack], must not start with '_'.

Hi,
I have a similar issue; could someone please assist us with getting this up and running?
filebeat.yml has this set, but it's not helping:
xpack.monitoring.enabled: false

Much appreciated if someone can assist.

Thanks,
KK

Hi!!
I have the same issue… Please assist us with a great solution…

@sharon92 and @grad, you are likely using Beats modules that are licensed under the Elastic X-Pack license rather than Apache 2. Since Beats cannot get an X-Pack license for these "features" when it checks Elasticsearch, it throws the error you are seeing. You will need to either disable use of these modules, or use the OSS versions of Beats.

Some of the modules licensed under X-Pack include Netflow, Suricata and others. If you are interested in solutions for these kinds of data - MUCH better solutions actually - take a look at…

ElastiFlow - for Netflow, IPFIX and sFlow

(Elastic based the Logstash Netflow Module on ElastiFlow 1.0.0)

synesis_lite_syslog - Syslog Collection

synesis_lite_suricata - Suricata EVE JSON Logs

synesis_lite_snort - Snort fast alert Logs

ElastiFlow and the Syslog solutions have been updated for Elastic Stack 7.x, and the other two will be updated within the next couple of weeks. I am also working on a similar solution for Zeek (formerly Bro).

Once Open Distro moves to a 7.x base I will test to ensure everything works well with it. I have also been toying with the idea of combining at least the Zeek, Suricata and Snort efforts, along with perhaps an adapted version of ElastiFlow, together into a single threat hunting solution - and basing the whole thing on Open Distro.
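The explanation above (Beats probing Elasticsearch for an X-Pack license and bailing out when the Open Distro security plugin answers with a security_exception) can be checked before running filebeat setup. The following is an added example, not code from the thread or from any of the projects mentioned: it issues the same GET /_xpack probe non-OSS Beats perform and classifies the answer. The cluster URL, the credentials, the CA bundle path and the response shapes other than the 500 quoted in this thread are assumptions.

```python
# Added example: pre-flight "is X-Pack available?" probe, mirroring what
# non-OSS Beats do before `filebeat setup`, with the answer classified so an
# operator knows whether X-Pack-licensed modules will work on this cluster.
import base64
import json
import ssl
import urllib.error
import urllib.request
from typing import Tuple

# Constructed sample: the body Open Distro returned in this thread (HTTP 500).
ODFE_BODY = ('{"error":{"root_cause":[{"type":"security_exception","reason":'
             '"Unexpected exception indices:admin/get"}],"type":"security_exception",'
             '"reason":"Unexpected exception indices:admin/get"},"status":500}')


def classify_xpack_probe(status: int, body: str) -> str:
    """Map the HTTP status and body of GET /_xpack to an operator-facing verdict."""
    try:
        doc = json.loads(body) if body else {}
    except json.JSONDecodeError:
        doc = {}
    causes = doc.get("error", {}).get("root_cause", []) if isinstance(doc, dict) else []
    if status == 200 and "license" in doc:
        lic = doc["license"]
        return f"xpack-present type={lic.get('type')} status={lic.get('status')}"
    if status == 500 and any(c.get("type") == "security_exception" for c in causes):
        # The case from this thread: the security plugin rejects the fallback
        # index lookup of "_xpack", so Beats' license check fails with a 500.
        return "open-distro-no-xpack: use OSS Beats or disable X-Pack-licensed modules"
    if status in (400, 404):
        # Assumption: a stock OSS build has no /_xpack handler and answers 4xx.
        return "oss-no-xpack: use OSS Beats or disable X-Pack-licensed modules"
    return f"unexpected: HTTP {status}"


def probe_xpack(base_url: str, user: str, password: str, cafile: str) -> Tuple[int, str]:
    """Send GET /_xpack with basic auth; return (status, body) even on 4xx/5xx."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_xpack")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)  # verify the cluster's cert
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Hypothetical endpoint, credentials and CA bundle; adjust for your cluster.
    st, body = probe_xpack("https://localhost:9200", "admin", "admin", "root-ca.pem")
    print(classify_xpack_probe(st, body))
```

Running it against the cluster from this thread yields the open-distro-no-xpack verdict, which is the cue to switch to OSS Beats before running setup.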