Elastic

Integrating Keeper SIEM push to Elastic

Overview

Keeper supports event streaming into Elastic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Elastic integration uses a TCP push to the destination endpoint. The fields required are:

  • Host (e.g. mycompany.gcp.cloud.us.io:9243)

  • Search Index (e.g. keeper)

  • API Key

Please refer to the Elastic documentation for generating an API key:

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html

Important: Ensure that the endpoint presents a valid, CA-signed SSL certificate whose subject name matches the endpoint's hostname. The certificate served must also include the full certificate chain from your CA. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your Elastic server allows traffic from Keeper servers; see the Firewall Configuration page.

Troubleshooting

If Keeper is unable to connect to your Elastic instance, please check the following:

  • In the host field, do not type http or https

  • Make sure to include the port

  • If you are using a "Space", add the space name to the end of the Host field after the port. For example: example-elastic01.us-east.found.io:9243/s/spacename

  • Make sure any firewall in front of Elastic is configured per this page
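The following is an added pre-flight script, not part of Keeper's documentation or code. It validates a Host field value against the rules above (no scheme, port required, optional /s/<space> suffix) and then attempts a TLS handshake with chain and hostname verification enabled, so a self-signed or chain-incomplete certificate is caught before the integration is saved. The host values in the comments are constructed examples, and the TLS check trusts the local CA store, which only approximates Keeper's own trust store.

```python
"""Pre-flight checks for a Keeper -> Elastic push target (added example, not Keeper code)."""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class ElasticTarget:
    host: str
    port: int
    space: Optional[str]  # Kibana space name from a trailing /s/<space>, if present


def parse_host_field(value: str) -> ElasticTarget:
    """Parse the Host field as the page describes it: host:port, optionally
    followed by /s/<space>. No scheme is allowed and the port is mandatory.
    Example (constructed): 'example-elastic01.us-east.found.io:9243/s/spacename'."""
    value = value.strip()
    if value.lower().startswith(("http://", "https://")):
        raise ValueError("do not type http or https in the Host field")
    hostport, sep, rest = value.partition("/")
    space = None
    if sep:
        parts = rest.split("/")
        if len(parts) != 2 or parts[0] != "s" or not parts[1]:
            raise ValueError("only a trailing /s/<space> is allowed after the port")
        space = parts[1]
    host, colon, port = hostport.rpartition(":")
    if not host or not colon or not port.isdigit():
        raise ValueError("include the port, e.g. host:9243")
    return ElasticTarget(host, int(port), space)


def host_field_problem(value: str) -> Optional[str]:
    """Return why a Host value would be rejected, or None if it is well formed."""
    try:
        parse_host_field(value)
    except ValueError as exc:
        return str(exc)
    return None


def check_tls(target: ElasticTarget, timeout: float = 5.0) -> dict:
    """Handshake with chain and hostname verification on, as a strict client does.
    A self-signed or chain-incomplete certificate raises ssl.SSLCertVerificationError,
    the same condition Keeper's connector refuses (verified here against the local
    CA store, an approximation of Keeper's trust store)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((target.host, target.port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=target.host) as tls:
            cert = tls.getpeercert()
    return {"subject": dict(p[0] for p in cert["subject"]), "expires": cert["notAfter"]}
```

Run `check_tls(parse_host_field("<your host field value>"))` from a host with outbound access to the endpoint; a clean return means the chain and hostname verified, while an `SSLCertVerificationError` points at the certificate issues listed in the Important note.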
