Elastic

Integrating Keeper SIEM push to Elastic

Overview

Keeper supports event streaming into Elastic deployments. External logging is real-time, and new events will appear almost immediately. Setup instructions are below.

Elastic Integration Settings

Elastic integration uses a TCP push to the destination endpoint. The fields required are:

  • Host (e.g. mycompany.gcp.cloud.us.io:9243)

  • Search Index (e.g. keeper)

  • API Key

Please refer to the Elastic documentation for generating an API key:

https://www.elastic.co/guide/en/elasticsearch/reference/current/security-api-get-api-key.html

Important: Ensure that the endpoint uses a valid, CA-signed SSL/TLS certificate whose subject (or subject alternative name) matches the hostname you enter in the Host field. The certificate served must also include the full certificate chain from your CA, not just the leaf certificate. Keeper's systems will refuse to connect to a self-signed certificate. Also, ensure that your Elastic server allows traffic from Keeper servers; see the Firewall Configuration page.

Troubleshooting

If Keeper is unable to connect to your Elastic instance, please check the following:

  • In the host field, do not type http or https

  • Make sure to include the port

  • If you are using a "Space", add the space name to the end of the Host field after the port. For example: example-elastic01.us-east.found.io:9243/s/spacename

  • Make sure any firewall in front of Elastic is configured per the Firewall Configuration page
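The following preflight script is an added example, not Keeper's or Elastic's own code: it applies the Host-field rules from the troubleshooting list above (no scheme, port required, optional `/s/spacename` suffix) and then performs a strictly verified TLS handshake, which fails on exactly the self-signed or chain-less certificates that the integration settings warn about. Function names and the sample host values are assumptions.

```python
"""Preflight checks for a Keeper -> Elastic push endpoint (hypothetical helper)."""
import socket
import ssl
from urllib.parse import urlsplit


def parse_host_field(value: str) -> dict:
    """Validate the Host field as the troubleshooting list expects:
    no http/https prefix, a port is mandatory, an optional /s/<space>
    suffix after the port is preserved as the path."""
    value = value.strip()
    if value.lower().startswith(("http://", "https://")):
        raise ValueError("Host field must not contain http:// or https://")
    # Prepend a dummy scheme so urlsplit separates host, port and path cleanly.
    parts = urlsplit("https://" + value)
    if parts.port is None:
        raise ValueError("Host field must include the port, e.g. host:9243")
    return {"host": parts.hostname, "port": parts.port, "path": parts.path or ""}


def check_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TLS connection with Python's default strict context: the served
    chain must validate against the system CA store and the certificate must
    match `host`. A self-signed certificate or a server that omits its
    intermediate CA raises ssl.SSLCertVerificationError, the same condition
    under which Keeper refuses to connect."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    # Return the identities the certificate actually carries for the report.
    return {
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "subject_alt_names": [name for _, name in cert.get("subjectAltName", ())],
    }


if __name__ == "__main__":
    # Constructed sample value (same shape as the page's example host).
    target = parse_host_field("example-elastic01.us-east.found.io:9243/s/spacename")
    print("parsed:", target)
    try:
        print("certificate ok:", check_tls(target["host"], target["port"]))
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected (fix chain/subject before enabling push):", exc)
```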
