Can't seem to get any data from pfSense into pfelk

[mlater1]

I did the manual install process and everything seemed to go smoothly but I can't seem to get any data from pfSense into pfelk and the dashboards are blank. I have an existing ELK stack so I made any necessary changes to the elasticsearch.yml and pipelines.yml files but did not overwrite them.

As a troubleshooting step I even added '*.* @127.0.0.1:5140' into my rsyslog conf but that didn't change anything.

I took a tcpdump on the pfelk host and the syslog logs are making it via udp 5140 but for some reason, they're not getting ingested into logstash. I've attached the error script output and I'm relatively new to ELK, so please excuse me if I've made a simple mistake. Any help is appreciated.

error.pfelk.log

[a3ilson]

@mlater1 - thanks for providing the error.pfelk.log file. It appears that there are a few issues:

First, the file structure should look like this:

etc/pfelk/
├── conf.d
│   ├── 01-inputs.conf
│   ├── 05-apps.conf
│   ├── 20-interfaces.conf
│   ├── 30-geoip.conf
│   ├── 35-rules-desc.conf
│   ├── 36-ports-desc.conf
│   ├── 37-enhanced_user_agent.conf
│   ├── 38-enhanced_url.conf
│   ├── 45-cleanup.conf
│   ├── 49-enhanced_private.conf
│   ├── 50-outputs.conf
├── config
│   ├── logstash.yml
│   └── pipelines.yml
├── databases
│   ├── private-hostnames.csv
│   ├── rule-names.csv
│   └── service-names-port-numbers.csv
├── kibana.yml
├── patterns
│   ├── openvpn.grok
│   └── pfelk.grok
└── scripts
    └── error-data.sh

Next, to troubleshoot, run the following:

systemctl status elasticsearch.service
systemctl status kibana.service
systemctl status logstash.service

Based on the provided error.pfelk.log, logstash stopped as a result of one of the files being placed in the incorrect location (File does not exist or cannot be opened /etc/pfelk/databases/service-names-port-numbers.csv).

Once you fix the issue above (incorrect file location), there may be others based on your current file structure below with notes:

/etc/pfelk/
/etc/pfelk/templates
/etc/pfelk/config
/etc/pfelk/patterns
/etc/pfelk/patterns/pfelk.grok
/etc/pfelk/conf.d
/etc/pfelk/conf.d/30-geoip.conf
/etc/pfelk/conf.d/36-ports-desc.conf.1 ###Remove########################
/etc/pfelk/conf.d/05-apps.conf
/etc/pfelk/conf.d/36-ports-desc.conf
/etc/pfelk/conf.d/01-inputs.conf
/etc/pfelk/conf.d/50-outputs.conf
/etc/pfelk/conf.d/35-rules-desc.conf.1 ###Remove########################
/etc/pfelk/conf.d/20-interfaces.conf
/etc/pfelk/conf.d/45-cleanup.conf
/etc/pfelk/conf.d/35-rules-desc.conf
/etc/pfelk/logs
/etc/pfelk/logs/error.pfelk.log
/etc/pfelk/databases
/etc/pfelk/databases/openvpn.grok
/etc/pfelk/databases/sudo ###Remove########################
/etc/pfelk/databases/sudo/raw.githubusercontent.com ###Remove########################
/etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk ###Remove########################
//etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk ###Remove########################
//etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk/main ###Remove########################
//etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk/main/etc ###Remove########################
//etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk ###Remove########################
//etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases ###Remove########################
/etc/pfelk/databases/sudo/raw.githubusercontent.com/pfelk/pfelk/main/etc/pfelk/databases/service-names-port-numbers.csv ###Remove########################
/etc/pfelk/databases/rule-names.csv
/etc/pfelk/databases/private-hostnames.csv
/etc/pfelk/databases/service-names-port-numbers.csv ###Needs to be added########################
/etc/pfelk/scripts
/etc/pfelk/scripts/error-data.sh
/etc/logstash/
/etc/logstash/logstash-sample.conf
/etc/logstash/startup.options
/etc/logstash/pfelk-template-installer.sh
/etc/logstash/log4j2.properties
/etc/logstash/jvm.options
/etc/logstash/logstash.yml.dpkg-dist
/etc/logstash/logstash.yml
/etc/logstash/conf.d
/etc/logstash/conf.d/01-inputs.conf ###Remove########################
/etc/logstash/pipelines.yml
/etc/logstash/pipelines.yml.bak

[mlater1]

Unfortunately, no change with switching to 127.0.0.1:9200. Logstash appears to be running fine if openvpn.grok is in the /databases dir. Once I move it to /patterns, that's when logstash starts to fail.

root@elk:/etc/pfelk/conf.d# systemctl status logstash.service
● logstash.service - logstash
     Loaded: loaded (/etc/systemd/system/logstash.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-12-28 12:51:23 MST; 2min 29s ago
   Main PID: 8549 (java)
      Tasks: 70 (limit: 19109)
     Memory: 912.3M
     CGroup: /system.slice/logstash.service
             └─8549 /usr/share/logstash/jdk/bin/java -Xms1g -Xmx1g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -Djava.awt.headl>

Dec 28 12:53:02 elk logstash[8549]: [2021-12-28T12:53:02,535][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:07 elk logstash[8549]: [2021-12-28T12:53:07,545][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:12 elk logstash[8549]: [2021-12-28T12:53:12,551][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:17 elk logstash[8549]: [2021-12-28T12:53:17,559][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:22 elk logstash[8549]: [2021-12-28T12:53:22,566][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:27 elk logstash[8549]: [2021-12-28T12:53:27,576][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:32 elk logstash[8549]: [2021-12-28T12:53:32,584][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:37 elk logstash[8549]: [2021-12-28T12:53:37,592][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:42 elk logstash[8549]: [2021-12-28T12:53:42,600][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >
Dec 28 12:53:47 elk logstash[8549]: [2021-12-28T12:53:47,608][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error >

root@elk:/etc/pfelk/conf.d# tail -25 /var/log/logstash/logstash-plain.log
[2021-12-28T12:53:32,584][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:53:37,592][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:53:42,600][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:53:47,608][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:53:52,617][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:53:57,623][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:02,632][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:07,638][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:12,645][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:17,652][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:22,658][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:27,666][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:32,674][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:37,682][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:42,688][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:47,695][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:52,703][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:54:57,710][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:02,717][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:07,723][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:12,730][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:17,736][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:22,743][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:27,749][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}
[2021-12-28T12:55:32,756][WARN ][logstash.outputs.elasticsearch][pfelk] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://127.0.0.1:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://127.0.0.1:9200/][Manticore::ClientProtocolException] 127.0.0.1:9200 failed to respond"}

[a3ilson]

Well...
The output of hosts => ["127.0.0.1:9200"] or hosts => ["localhost:9200"] should work. Logstash appears to be working fine...let's check elasticsearch.

Try the following:

• systemctl status elasticsearch.service
• curl 127.0.0.1:9200
• curl 127.0.0.1:9200/_cat/health

[mlater1]

If I'm not using openvpn in pfsense, is openvpn.grok necessary to keep around?

Here's the new output:

root@elk:~# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-12-28 12:42:21 MST; 25min ago
       Docs: https://www.elastic.co
   Main PID: 1018 (java)
      Tasks: 151 (limit: 19109)
     Memory: 9.7G
     CGroup: /system.slice/elasticsearch.service
             ├─1018 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava.>
             └─1546 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Dec 28 12:41:48 elk systemd[1]: Starting Elasticsearch...
Dec 28 12:42:21 elk systemd[1]: Started Elasticsearch.

root@elk:~# curl 127.0.0.1:9200
curl: (52) Empty reply from server
root@elk:~# curl 127.0.0.1:9200/_cat/health
curl: (52) Empty reply from server

[a3ilson]

very odd...try restarting elasticsearch (systemctl restart elasticsearch.service)

openvpn.grok is an in-work endeavor to parse openVPN logs and not specific to OPNsense. It is referenced by 05-apps.conf and removing will cause logstash to stop unless you remove the linked reference within 05-apps.conf.

[a3ilson]

Additionally, check the status of ufw (ufw status and ufw status verbose)

[mlater1]

I might try removing that reference in 05-apps.conf later then since I have no need for openvpn logging.

root@elk:~# systemctl status elasticsearch.service
● elasticsearch.service - Elasticsearch
     Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2021-12-28 13:17:04 MST; 1min 37s ago
       Docs: https://www.elastic.co
   Main PID: 24879 (java)
      Tasks: 152 (limit: 19109)
     Memory: 8.9G
     CGroup: /system.slice/elasticsearch.service
             ├─24879 /usr/share/elasticsearch/jdk/bin/java -Xshare:auto -Des.networkaddress.cache.ttl=60 -Des.networkaddress.cache.negative.ttl=10 -XX:+AlwaysPreTouch -Xss1m -Djava>
             └─25118 /usr/share/elasticsearch/modules/x-pack-ml/platform/linux-x86_64/bin/controller

Dec 28 13:16:41 elk systemd[1]: Starting Elasticsearch...
Dec 28 13:17:04 elk systemd[1]: Started Elasticsearch.

root@elk:~# ufw status
Status: active

To                         Action      From
--                         ------      ----
22                         ALLOW       Anywhere
5601                       ALLOW       Anywhere
9200                       ALLOW       Anywhere
5140                       ALLOW       Anywhere
8220                       ALLOW       Anywhere
22 (v6)                    ALLOW       Anywhere (v6)
5601 (v6)                  ALLOW       Anywhere (v6)
9200 (v6)                  ALLOW       Anywhere (v6)
5140 (v6)                  ALLOW       Anywhere (v6)
8220 (v6)                  ALLOW       Anywhere (v6)

root@elk:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
5601                       ALLOW IN    Anywhere
9200                       ALLOW IN    Anywhere
5140                       ALLOW IN    Anywhere
8220                       ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)
5601 (v6)                  ALLOW IN    Anywhere (v6)
9200 (v6)                  ALLOW IN    Anywhere (v6)
5140 (v6)                  ALLOW IN    Anywhere (v6)
8220 (v6)                  ALLOW IN    Anywhere (v6)

Even with ufw disabled, I get the same results.

[mlater1]

I do have X-Pack enabled and am running with CA-signed certs. Would that be the issue, then?

[a3ilson]

That could be the issue but based on your previously provided logs and the fact you've confirmed logs via tcpdump...

How are you running CA certs? Are you pushing the logs via TCP (provided logs don't indicate that...plus CA certs would require X-Pack too). Can you elaborate?
Never mind misread your response (you are running X-Pact with CA-signed certs).

you'll need to either disable or configure your Elastic stack properly with the CA certs

reference:https://www.elastic.co/guide/en/elasticsearch/reference/current/update-node-certs-different.html

[mlater1]

This is the guide I followed when initially setting it up: https://www.elastic.co/guide/en/elasticsearch/reference/7.15/security-basic-setup-https.html. It's definitely possible that I made a mistake along the way, though. I'll use the reference you gave and see if I can find what I may have missed. Thanks!

[a3ilson]

That guide focuses on Elastic, Kibana and Beats... I would recommend configuring without x-pack (security) and confirm that everything is working. Then, start dabbling with the x-pact and security settings.

[mlater1]

Will do. Luckily, since I'm running ELK in a VM, trial and error is an easy process with snapshots. Thanks for the pointer! I'll report back once I've got security disabled and tested pfelk again.