diff --git a/elasticsearch.rst b/elasticsearch.rst index 8ceece1b..2a2b5ac2 100644 --- a/elasticsearch.rst +++ b/elasticsearch.rst @@ -259,6 +259,33 @@ Elasticsearch 8 no longer includes GeoIP databases by default. We include GeoIP Once the config is added, click the green check mark to save the configuration. +Health +------ + +To check Elasticsearch health, go to the :ref:`grid` interface and check the Elasticsearch Status field. If it shows anything other than OK, then run the following command from the CLI on the manager node to check for additional clues: + +:: + + sudo so-elasticsearch-query _cluster/health?pretty + +Status Pending +-------------- + +If the :ref:`grid` interface shows Elasticsearch Status as ``Pending``, check for unassigned shards by running the following command from the CLI on the manager node: + +:: + + sudo so-elasticsearch-query _cat/shards | grep UN + +The result of the query should display affected indices. Older metrics indices for Elastic Endpoint logs may have been assigned a replica, so if you are running a single-node Elastic cluster there will be nowhere for the replica to exist. +To resolve the issue, run the following command for each affected index (replacing ``$index`` with the actual index name): + +:: + + sudo so-elasticsearch-query $index/_settings -d '{"number_of_replicas":0}' -XPUT + +After running the command, the index should no longer use replicas and the status should change from "Pending" to "OK" once all indices have been successfully modified. + Diagnostic Logging ------------------ diff --git a/release-notes.rst b/release-notes.rst index 03d3ca65..0b9d2e06 100644 --- a/release-notes.rst +++ b/release-notes.rst 
@@ -12,6 +12,12 @@ Field conflicts can be identified by navigating to ``Kibana -> Management -> Dat For example, you may have a conflict for ``source.ip``, where it was previously correctly mapped as field type of ``ip``, but the index mappings were inadvertently changed and ``source.ip`` is now mapped as a field type of ``keyword`` in the ``logs-system.security`` and ``logs-system.syslog`` data streams. The mappings have been fixed, but the data streams need to be rolled over to pick up the correct mappings, and the affected index containing ``source.ip`` mapped as a field type of ``keyword`` needs to be deleted to resolve the conflict. +Conflicts for the following fields can be ignored for now, as they will be fixed in a future version: + +- metadata.input.beats.host.ip +- recordedfuture.evidence_details +- version + You can issue the following commands from the CLI to resolve the conflict. First, become root: diff --git a/zeek.rst b/zeek.rst index 0d2d1dbb..678a20fd 100644 --- a/zeek.rst +++ b/zeek.rst @@ -124,6 +124,11 @@ We also include MITRE BZAR scripts and you can read more about them at https://g As you can see, Zeek log data can provide a wealth of information to the analyst, all easily accessible through :ref:`dashboards`, :ref:`hunt`, or :ref:`kibana`. +File Extraction +--------------- + +By default, Zeek will extract files from network traffic and :ref:`strelka` will then analyze those extracted files. + VLAN Tags ---------
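Review bot: the "Status Pending" fix in the elasticsearch.rst hunk should be scoped to single-node clusters; the paragraph itself explains that replicas have nowhere to exist only when "you are running a single-node Elastic cluster", yet the ``_settings`` command that sets ``"number_of_replicas":0`` is presented as the fix for any unassigned shard. On a multi-node cluster an unassigned replica usually points at a different cause (a node that is down or a disk watermark), and dropping replicas there removes redundancy rather than fixing the root problem. Suggest prefixing the command with a sentence such as "Only do this on a single-node cluster" and, for multi-node grids, pointing the reader at the allocation explanation before changing index settings. A minor point on the same hunk: ``grep UN`` relies on the state column containing ``UNASSIGNED``; ``grep UNASSIGNED`` makes the intent explicit.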
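Review bot: in the release-notes.rst hunk the three field names in the new bullet list are unformatted, while the surrounding paragraph marks every field name with double backticks (``source.ip``, ``logs-system.security``); for consistency write them as ``metadata.input.beats.host.ip``, ``recordedfuture.evidence_details`` and ``version``. "will be fixed in a future version" is also vague for release notes; if a target version or tracking issue exists, name it so readers know when they can stop ignoring these conflicts.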
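Review bot: the new "File Extraction" section in the zeek.rst hunk is a single sentence stating the default and gives the reader no way to act on it: it does not say how to enable or disable extraction, which file types are extracted, or where the extracted files are written before :ref:`strelka` picks them up. Suggest either adding those details or a cross-reference to the page where they are documented. Also confirm that a ``strelka`` label exists in the docs tree, since an unresolved :ref: target produces a Sphinx warning and renders as plain text.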