While working with Kibana, we recently encountered a puzzling situation: queries involving the field event.original returned unexpected results. Let’s break down what happened, why it occurs, and how to identify other fields with similar behavior. The observed “strange behavior“ In fact, everything seems normal here: Now let’s assume you just want to see the documents…
Read MoreManaging a large fleet of Elastic Agents efficiently requires careful planning and proactive strategies to ensure stability, scalability, and security. As a technical consultant, I’d like to present some key considerations to help organizations avoid common pitfalls and streamline their operations. 1. Avoid Trust Issues One of the most critical aspects of managing an extensive…
Read MoreUpdating Elastic Agents is usually straightforward – unless you’re working in a secure, air-gapped environment where machines can’t access the internet (and thus, the Elastic Artifact Repository). And yet this was exactly the challenge we faced. We needed a way to keep the Elastic Agents across a fleet of systems up to date, without exposing…
Read MoreWhen designing an Elasticsearch architecture, choosing the right storage is crucial. While NFS might seem like a convenient and flexible option, it comes with several pitfalls when used for hosting live Elasticsearch data (hot, warm, cold, and frozen nodes). However, NFS proves to be an excellent choice for storing snapshots and searchable snapshots. Here’s why….
Read MoreElastic Agents are flexible and powerful tools used within the Elastic Stack for collecting and shipping logs, metrics, and other data to Elasticsearch. However, the headers they use can vary depending on whether they are running in “normal” mode or acting as a Fleet Server. Let’s explore these differences. Note that a fleet server is…
Read More
Note: This description of a security analyst’s daily routine is fictitious. However, the osquery examples have been tested and can therefore be used as a template for your own research. 1. Alarm Detection Today started with a high-severity alarm from our Elastic Security system. The alert indicated suspicious activity on host HOST-1234, suggesting potential malware execution. The…
Read MoreWhen deploying Elastic Agents, the method of installation can affect the configuration of the systemd service file. Specifically, .tgz deployments of Elastic Agents include the line EnvironmentFile=-/etc/sysconfig/elastic-agent in their systemd configuration (elastic-agent.service). However, Elastic Agents installed on NetEye nodes via RPM packages do not include this line in the EnvironmentFile by default. Adding the EnvironmentFile on NetEye Nodes To…
Read MoreIn the ever-evolving landscape of IT monitoring and management, the ability to efficiently handle multi-dimensional namespaces is crucial. Within NetEye, Log-SIEM (Elastic), provides a comprehensive solution for managing the single namespace dimension with the namespace of a data_stream. This blog post deals with multi-dimensional namespaces and how NetEye’s Log-SIEM solution simplifies their management. Understanding Multidimensional…
Read MoreIn high-demand environments, efficiency isn’t just an advantage – it’s essential. One of the biggest hurdles we encountered was the overwhelming strain placed on NetEye’s (Elastic) master nodes during the data enrichment process. As data volumes skyrocket, so do the complexity and the need for a smarter approach. Enter our game-changing solution: offloading data enrichment…
Read MoreHey everyone! We played around a bit last time with our radar data to build a model that we could train outside Elasticsearch, loading it through Eland and then applying it using an ingest pipeline. But since our data is in the form of vectors, could we actually exploit Elasticsearch vector database functionality and perform…
Read MoreWith the latest version of NetEye 4.33, the Fleet Server and ElasticAgent officially join the NetEye Elastic Stack (see NetEye 4.33 Release Notes ) Related to this new big feature, within the NetEye Extension Packs project we have provided new monitoring checks that can help customers and consultants who use NetEye to keep these new…
Read MoreSay you’re using the SIEM Module in NetEye and are deploying the Elasticsearch Agent to your clients. You’d surely like to know if those agents are still sending data and are still connected to the Elastic Fleet server. I had this problem recently and came up with a new monitoring plugin that uses the Kibana-API…
Read MoreIntroduction Let’s say… you have a product that has some Elasticsearch output, which deals with parsing and indexes, and also comes with a nice dashboard, etc., and let’s suppose… you would like to use this built-in functionality. And let’s say… the product in question wants to connect to Elasticsearch in an unauthenticated manner over HTTP….
Read MoreInfrastructure Scenario An image says more than 1000 words 😉 Basically, the log source continuously sends log messages encrypted via TLS to the NetEye server. TLS is handled by stunnel and then content is internally forwarded unencrypted to an Elastic Agent Integration “Custom TCP Logs” inside the NetEye server. Cause: Logs lost due to firewall…
Read MoreThe Fleet Management feature was automatically enabled with NetEye release 4.30, and with the current 4.31 version all the Elastic Stack packages will be upgraded to major version 8. These two milestones will permit us to centrally manage log ingestion using the new Elastic Agents (the evolutions of Beats Agents) and forget all the custom…
Read More