Elastic
Integrating Keeper SIEM push to Elastic
Overview
Keeper supports event streaming into Elastic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.
Elastic integration uses a TCP push to the destination endpoint. The fields required are:
Host (e.g. mycompany.gcp.cloud.us.io:9243)
Search Index (e.g. keeper)
API Key
Please refer to the Elastic documentation for generating an API key:
https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html
Important: Ensure that the endpoint uses a valid, CA-signed SSL certificate whose subject name matches the endpoint's domain, and that the server presents the full certificate chain from your CA. Keeper's systems will refuse to connect to an endpoint presenting a self-signed certificate. Also ensure that your Elastic server allows traffic from Keeper's servers; see the Firewall Configuration page.
Troubleshooting
If Keeper is unable to connect to your Elastic instance, please check the following:
In the Host field, do not include http:// or https://
Make sure to include the port
If you are using a "Space", add the space name to the end of the Host field after the port. For example:
example-elastic01.us-east.found.io:9243/s/spacename
Make sure any firewall in front of Elastic is configured per the Firewall Configuration page
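As an added pre-flight check (example code, not Keeper's or Elastic's own), the following Python validates a Host value against the rules above (no scheme, port required, optional /s/spacename suffix) and opens a verified TLS connection the way a strict client would, so certificate problems surface before the integration is configured. The function names and the allowed space-name character set are assumptions.

```python
import re
import socket
import ssl

# Kibana space suffix "/s/<space>"; the allowed character set is an assumption.
_SPACE_RE = re.compile(r"^s/([A-Za-z0-9_-]+)$")


def parse_host_field(value: str) -> dict:
    """Split 'host:port[/s/space]' into parts, or raise ValueError naming the fix."""
    value = value.strip()
    if "://" in value:
        raise ValueError("omit the http:// or https:// scheme")
    hostport, _, path = value.partition("/")
    host, sep, port_text = hostport.rpartition(":")
    if not sep or not port_text.isdigit():
        raise ValueError("include the port, e.g. host:9243")
    port = int(port_text)
    if not host or not 1 <= port <= 65535:
        raise ValueError("host must be non-empty and port within 1-65535")
    space = None
    if path:
        m = _SPACE_RE.match(path)
        if not m:
            raise ValueError("only a space suffix of the form /s/spacename is allowed")
        space = m.group(1)
    return {"host": host, "port": port, "space": space}


def host_field_error(value: str):
    """Return the problem with a Host value, or None when it is well-formed."""
    try:
        parse_host_field(value)
    except ValueError as exc:
        return str(exc)
    return None


def check_tls_endpoint(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect with the system CA store and hostname checking enabled (needs network).

    Raises ssl.SSLCertVerificationError for a self-signed certificate, a chain
    missing its intermediates, or a subject/SAN not matching `host`: the same
    conditions under which Keeper refuses to connect.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    return {"subject": subject, "not_after": cert["notAfter"], "tls": version}
```

Run parse_host_field on the exact string you intend to paste into the Host field, then pass its host and port to check_tls_endpoint from a machine that can reach the Elastic endpoint.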