I have successfully integrated SearchGuard on Elasticsearch and Kibana however the integration between SearchGuard and Siren fail. There is n meaningful getting logged although I have enabled logging for search guard. Siren works start fine with login page. I enter the credentials but I get an ACL error… Any suggestions
ElasticSearch.yml
# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
# Before you set out to tweak and tune the configuration, make sure you
# understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
# https://www.elastic.co/guide/en/elasticsearch/reference/index.html
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
# cluster.name: siren-distrubution
cluster.name: searchguard_demo
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
#node.name: node-1
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /opt/elasticsearch/data
#
# Path to log files:
#
path.logs: /opt/elasticsearch/logs
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
# limit.
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
network.host: “ubuntu”
#
# Set a custom port for HTTP:
#
http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is [“127.0.0.1”, “[::1]”]
#
#discovery.zen.ping.unicast.hosts: [“host1”, “host2”]
#
# Prevent the “split brain” by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
#discovery.zen.minimum_master_nodes:
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
transport.tcp.port: 9330
indices.query.bool.max_clause_count: 15000
siren.connector.username: admin
siren.connector.password: admin
node.attr.connector.jdbc: true
xpack.security.enabled: false
######## Start Search Guard Demo Configuration ########
# WARNING: revise all the lines below before you go into production
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.truststore_filepath: /opt/elasticsearch/config/certs/truststore.jks
searchguard.ssl.transport.truststore_password: 18a8c617c1c9d908c6d1
searchguard.ssl.transport.keystore_filepath: /opt/elasticsearch/config/certs/node-certificates/CN=ubuntu-keystore.jks
searchguard.ssl.transport.keystore_password: 120539bc682a99d6810e
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.keystore_filepath: /opt/elasticsearch/config/certs/node-certificates/CN=ubuntu-keystore.jks
searchguard.ssl.http.keystore_password: 120539bc682a99d6810e
searchguard.ssl.http.truststore_filepath: /opt/elasticsearch/config/certs/truststore.jks
searchguard.ssl.http.truststore_password: 18a8c617c1c9d908c6d1
searchguard.authcz.admin_dn:
- CN=sgadmin
searchguard.allow_unsafe_democertificates: true
searchguard.allow_default_init_sgindex: true
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.audit.type: internal_elasticsearch
searchguard.enable_snapshot_restore_privilege: true
searchguard.check_snapshot_restore_write_privileges: true
searchguard.restapi.roles_enabled: ["sg_all_access"]
cluster.routing.allocation.disk.threshold_enabled: false
Siren - Investigate.yml
# Kibana is served by a back end server. This setting specifies the port to use.
#server.port: 5601
# Specifies the address to which the Kibana server will bind. IP addresses and host names are both valid values.
# The default is 'localhost', which usually means remote machines will not be able to connect.
# To allow connections from remote users, set this parameter to a non-loopback address.
server.host: "ubuntu"
# Enables you to specify a path to mount Kibana at if you are running behind a proxy. This only affects
# the URLs generated by Kibana, your proxy is expected to remove the basePath value before forwarding requests
# to Kibana. This setting cannot end in a slash.
#server.basePath: ""
# The maximum payload size in bytes for incoming server requests.
server.maxPayloadBytes: 30048576
# The Kibana server's name. This is used for display purposes.
#server.name: "your-hostname"
# The URL of the Elasticsearch instance to use for all your queries.
elasticsearch.url: "https://ubuntu:9200"
# When this setting's value is true Kibana uses the hostname specified in the server.host
# setting. When the value of this setting is false, Kibana uses the hostname of the host
# that connects to this Kibana instance.
#elasticsearch.preserveHost: true
# Kibana uses an index in Elasticsearch to store saved searches, visualizations and
# dashboards. Kibana creates a new index if the index doesn't already exist.
#kibana.index: ".kibana"
# The default application to load.
kibana.defaultAppId: "dashboard"
# If your Elasticsearch is protected with basic authentication, these settings provide
# the username and password that the Kibana server uses to perform maintenance on the Kibana
# index at startup. Your Kibana users still need to authenticate with Elasticsearch, which
# is proxied through the Kibana server.
#elasticsearch.username: "user"
#elasticsearch.password: "pass"
elasticsearch.username: "admin"
elasticsearch.password: "admin"
# Enables SSL and paths to the PEM-format SSL certificate and SSL key files, respectively.
# These settings enable SSL for outgoing requests from the Kibana server to the browser.
#server.ssl.enabled: false
#server.ssl.certificate: /path/to/your/server.crt
#server.ssl.key: /path/to/your/server.key
server.ssl.enabled: true
server.ssl.certificate: /opt/siren/config/certs/siren.crt
server.ssl.key: /opt/siren/config/certs/siren.key
elasticsearch.ssl.certificateAuthorities: [ "/opt/siren/config/certs/root-ca.pem" ]
# Optional settings that provide the paths to the PEM-format SSL certificate and key files.
# These files validate that your Elasticsearch backend uses the same key files.
#elasticsearch.ssl.certificate: /path/to/your/client.crt
#elasticsearch.ssl.key: /path/to/your/client.key
# Optional setting that enables you to specify a path to the PEM file for the certificate
# authority for your Elasticsearch instance.
#elasticsearch.ssl.certificateAuthorities: [ "/path/to/your/CA.pem" ]
# To disregard the validity of SSL certificates, change this setting's value to 'none'.
#elasticsearch.ssl.verificationMode: none
# Time in milliseconds to wait for Elasticsearch to respond to pings. Defaults to the value of
# the elasticsearch.requestTimeout setting.
#elasticsearch.pingTimeout: 1500
# Time in milliseconds to wait for responses from the back end or Elasticsearch. This value
# must be a positive integer.
#elasticsearch.requestTimeout: 30000
# List of Kibana client-side headers to send to Elasticsearch. To send *no* client-side
# headers, set this value to [] (an empty list).
#elasticsearch.requestHeadersWhitelist: [ authorization ]
# Header names and values that are sent to Elasticsearch. Any custom headers cannot be overwritten
# by client-side headers, regardless of the elasticsearch.requestHeadersWhitelist configuration.
#elasticsearch.customHeaders: {}
# Time in milliseconds for Elasticsearch to wait for responses from shards. Set to 0 to disable.
#elasticsearch.shardTimeout: 0
# Time in milliseconds to wait for Elasticsearch at Kibana startup before retrying.
#elasticsearch.startupTimeout: 5000
# Specifies the path where Kibana creates the process ID file.
#pid.file: /var/run/kibana.pid
# Enables you specify a file where Kibana stores log output.
#logging.dest: stdout
logging.dest: /opt/siren/logs/log.txt
# Set the value of this setting to true to suppress all logging output.
#logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
logging.verbose: true
# Set the interval in milliseconds to sample system and process performance
# metrics. Minimum is 100ms. Defaults to 5000.
#ops.interval: 5000
# Kibi default configuration
investigate_core:
load_jdbc: false
datasource_encryption_algorithm: 'AES-GCM'
datasource_encryption_key: 'iSxvZRYisyUW33FreTBSyJJ34KpEquWznUPDvn+ka14='
datasource_cache_size: 501
elasticsearch:
auth_plugin: searchguard
# Gremlin server configuration
gremlin_server:
# change the scheme to https after enabling SSL for Gremlin
url: https://ubuntu:8061
path: gremlin_server/gremlin-server.jar
# log_conf_path: gremlin_server/gremlin-server-log.properties
ssl:
key_store: "/opt/siren/config/certs/CN=ubuntu-keystore.jks"
key_store_password: "120539bc682a99d6810e"
ca: "/opt/siren/config/certs/root-ca.pem"
investigate_access_control:
enabled: true
acl:
enabled: true
cookie:
secure: false
password: '12345678123456781234567812345678'
admin_role: investigate_admin
sirenalert:
elasticsearch:
username: admin
password: admin
backends:
searchguard:
admin.ssl.cert: /opt/siren/config/certs/CN=sgadmin.crtfull.pem
admin.ssl.key: /opt/siren/config/certs/CN=sgadmin.key.pem
admin.ssl.keyPassphrase: "0b469c7b805294f9a85c"
# Sentinl configuration
sentinl:
app_name: 'Siren Alert'