Elasticsearch/Logstash/Kibana 7.6.1 #31
Comments
|
I'm currently running elk 7.6.0 - what issues are you facing with 7.6.1? |
|
I had some troubles importing the ndjson with saved objects on 7.6.0, but i just tried again on 7.6.1 and now it seems to work. I do have a dashboard now, with some errors though: Is elk-hole - vis_and_dash.ndjson the only file to import? |
in recent elk versions, yes. what do you need to do to raise this error? its been a while since I last digged really deep into elastic and its mechanic so forgive the lack of clarity |
|
Kibana -> Import saved objects -> vis_and_dash.ndjson seems to work just fine: But then while opening the DNS - pihole dashboard you get this error:
https://www.elastic.co/guide/en/elasticsearch/reference/current/fielddata.html |
|
At step 15 under KIBANA HOST (CAN BE THE SAME AS LOGSTASH AND ELASTICSEARCH) Mine doesn't show |
yes, thanks for that! thanks for your effort, I'll have a look into this but it can take a bit because of the current covid situation and so on. |
|
I have a bit of problems in ELK 7.6.1 as well. First of all, Kibana says that there are 94 index fields (and not 79). And one of them is not geoip.location so that dashboard fails. However, there are other geoip-fields, such as geoip.location.lat and geoip.location.lon. I have tried rebuilding and re-adding indexes but it doesn't help. Do you have an idea why? Searching the interwebs leads me to somewhat similar issues but nothing that really helps. This could partially be because I don't really know what I am doing :-) Any help is appreciated. Thanks /klaus |
|
I'm going to export my live dashboard and running template because I don't have these issues myself. Am currently away so please ping me here if I forget about it |
|
Hi, I have the same issue. I was having this issue with the pfSense too. What I saw is that the GeoIP data is coming from /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-geoip-6.0.3-java/vendor/ How can I point it to somewhere else ? |
|
@klausagnoletti As I thought a little bit more bout it I remembered I sometimes had the geoip.location field problem too. So now I just need to remember how I fixed that :> @klausagnoletti & @andrema2 I found that with the recent version there 83 fields here so the howto install part should be updated because the number of fields may vary depending on the used elk version. The discrepancy should not be a problem in general. Could you please paste your current index template:
|
|
I also am having this issue, with geoip.location missing, my output is |
|
@headbug interesting. did you refresh the index fields? if you filter for "geoip" what fields do you have?
|
|
please note: you MUST re-index after applying the index template (meaning the data in the current index will be lost). Otherwise the new index template will not applied |
|
How do I do that ? |
|
there are a couple of ways possible.
|
|
Hah, my kibana had migrating indexes conflict, so had to delete .kibana_1, now everything is gone. Will start over. |
|
After I delete everything looks fine. At the same time I upgraded to 7.7.0 |
So for you issue solved? |
|
Yes, it is |
|
Ok, I'm back. Still no geoip.location though.
On a side note, a comment about setting timezones in 20-dns-syslog.conf would have spared me a couple of hours of debugging :) Like so: |
logstash* isnt the correct index pattern name and therefore the geoip mapping in logstash #31 (comment)* is not included.
indeed. fun fact is I'm located in vienna so I need CET too 👍 |
|
|
To be clear, it's the index pattern not the template, but yes it's the correct one The index template gets applied to the index pattern |
|
I got it from the index template page. Isn't it the right place ? |
It is, don't worry. Just realised I wanted to correct you about template/pattern and saw I used the incorrect term a few posts above too. |
|
Same same, even with the right index pattern name
|
|
Did you reindex? |
|
No, I hadn't. And now: Thank you very much! |
|
@klausagnoletti your issue remains? |
|
Is there any way I can trace the originating machine on my local net, using elk-hole? I only have source_host set to my GW, for all traffic |
|
do you use your gateway as local dns resolver and your gateway is forwarding all requests to pihole? If so, there is no way of extracting the real source ip |
|
Yep, exactly so. Thanks |
|
So why don't you advertise the pihole address to your clients? |
|
I could, but the ease of having to manage only one entry is really nice. I have ca 20 devices/computers/servers to manage and setting dns manually is a chore. Also I want to be able to trace suspicious behavior if I let an unknown device on my network. I've so far seen traffic to china on addresses tied to malware which I suspect are coming from my wife's new laptop from work. |
|
To be honest this does not make sense to me. For your dhcp clients you can distribute the pihole address easily. I'm having more than 20 mashines here and it would be a matter of minutes to change the dns for all. For all servers/mashines with static IPs you only need to change that one time. |
|
Ok, that might be a gap in my home networking knowledge, but I have googled and looked in all settings I can think of, but for my life I cannot see how I would push my pi-hole IP as dns to all DHCP clients, they all have the GW-address as dns, and in the GW settings I have put in the pi-hole address. How would I go about to let the GW publish the pi-hole address to all connected DHCP clients? |
|
Depends on the actual Gateway if it's possible or not. Sometimes ISPs lock this setting for the sake of simplicity. What device do you use? |
|
I've put my own router, an Ubiquity Amplify after my isps modem and now
found a setting: "Bypass dns cache, use upstream dns". Is that the one?
…On Mon, May 18, 2020 at 1:31 PM 9S ***@***.***> wrote:
Depends on the actual Gateway if it's possible or not. Sometimes ISPs lock
this setting for the sake of simplicity. What device do you use?
Alternatively disable the dhcp at the gateway and use your own dhcp server
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#31 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AGGAS7P7VREEO77W7JDH2U3RSEMAXANCNFSM4LI7BE6A>
.
|
|
It is the one! Thanks! |
- added timezone setup as per #31 (comment) - added note to re-index and refresh index fields after setting everything up the first time
Many thanks for your work on this! I'm trying to fix the visualizations and dashboards for kibana 7.6.1.
Did you by any chance look into this already?
The text was updated successfully, but these errors were encountered: