Elasticsearch version:
7.17.9
Kibana version (if relevant):
7.17.9
Search Guard version (if relevant):
FLEX 1.1.1-es-7.17.9
I recently upgraded my Elasticsearch server from Search Guard 7.17.9-53.6.0 to Search Guard FLEX 1.1.1-es-7.17.9. Everything seems to be working fine, but I am seeing some new errors in my Elasticsearch logs:
2023-05-25 21:21:33.686Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#19]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.20.173.95, originatingIpAddress=172.20.173.95, clientCertSubject=null]
2023-05-25 21:21:35.101Z INFO [elasticsearch[esnode-aln-nbadev4][masterService#updateTask][T#1]] org.elasticsearch.xpack.ilm.action.TransportPutLifecycleAction - updating index lifecycle policy [.alerts-ilm-policy]
2023-05-25 21:21:35.205Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#57]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:21:35.207Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#58]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:26:35.174Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#58]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:31:36.719Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#19]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.20.173.95, originatingIpAddress=172.20.173.95, clientCertSubject=null]
Since they occur around the lifecycle policy message and deal with the .kibana_7.17.9/_search command, I suspect that this is some kind of Kibana index cleanup process. These warnings are written about every five minutes. Are these warnings something that I need to worry about?
The 172.20.173.95 is the other Kibana server. The 172.17.0.1 address is the docker0 address on the local server.
My elasticsearch.yml:
[root@aln-nbadev4 elasticsearch]# more elasticsearch.yml
---
# Elasticsearch Configuration
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/elasticsearch/reference/current/settings.html
#
# Cluster and Discovery
#
cluster.name: nba_elasticsearch_cluster
discovery.seed_hosts: [ "aln-nbadev4" ]
discovery.type: single-node
path.repo: /usr/share/elasticsearch/aln-nbadev4
#
# Node
#
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: esnode-aln-nbadev4
#
# Paths
#
path.data: /data
path.logs: /logs
#
# Internals
#
bootstrap.memory_lock: false
script.painless.regex.enabled: true
indices.query.bool.max_clause_count: 2048
signals.enabled: false
action.auto_create_index: true
#
# Network
#
network.host: 0.0.0.0
network.publish_host: aln-nbadev4.labs.server.com
http.publish_host: aln-nbadev4.labs.server.com
http.port: 9200
http.max_content_length: 100mb
http.compression: false
transport.publish_host: aln-nbadev4.labs.server.com
transport.port: 9300
transport.compress: true
#
# Security General
#
searchguard.enterprise_modules_enabled: false
searchguard.config_index_name: searchguard
searchguard.roles_mapping_resolution: MAPPING_ONLY
searchguard.nodes_dn:
- "CN=esnode-*,OU=nBA,O=Company,L=City,ST=MA,C=US"
searchguard.authcz.admin_dn:
- "CN=esadmin,OU=nBA,O=Company,L=City,ST=MA,C=US"
xpack.security.enabled: false
searchguard.restapi.roles_enabled: ["SGS_ALL_ACCESS"]
#
# Transport Layer Security
#
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.pemcert_filepath: certs/esnode.pem
searchguard.ssl.transport.pemkey_filepath: certs/esnode.key
searchguard.ssl.transport.pemkey_password: ${ES_ADMIN_PASSWORD}
searchguard.ssl.transport.pemtrustedcas_filepath: certs/cacert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.transport.resolve_hostname: false
searchguard.ssl.transport.enabled_protocols:
- "TLSv1.2"
- "TLSv1.3"
#
# REST Layer Security
#
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: certs/esnode.pem
searchguard.ssl.http.pemkey_filepath: certs/esnode.key
searchguard.ssl.http.pemkey_password: ${ES_ADMIN_PASSWORD}
searchguard.ssl.http.pemtrustedcas_filepath: certs/cacert.pem
searchguard.ssl.http.clientauth_mode: OPTIONAL
searchguard.ssl.http.enabled_protocols:
- "TLSv1.2"
- "TLSv1.3"
# Disable geoip indexing
ingest.geoip.downloader.enabled: false
# Increase the grok timeout
ingest.grok.watchdog.max_execution_time: 5s
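Added example, not from the original post or from Search Guard: a small Python parser for the "Authentication failed" warning lines quoted above that groups them by source address and request, reports how far apart they recur, and notes whether the source is a host you expect (the expected-host set passed in is an assumption; the sample lines are copied from the post).

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Search Guard RequestAuthenticationProcessor WARN format shown in the post.
AUTH_FAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}Z) WARN .*?"
    r"RequestAuthenticationProcessor - Authentication failed for (?P<user>\S+) from "
    r"\[request=(?P<request>[^,]+), directIpAddress=(?P<direct>[^,]+), "
    r"originatingIpAddress=(?P<orig>[^,]+), clientCertSubject=(?P<cert>[^\]]+)\]$"
)

# Sample input: the six log lines from the post (the ILM INFO line is kept to show it is skipped).
SAMPLE_LOG = """\
2023-05-25 21:21:33.686Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#19]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.20.173.95, originatingIpAddress=172.20.173.95, clientCertSubject=null]
2023-05-25 21:21:35.101Z INFO [elasticsearch[esnode-aln-nbadev4][masterService#updateTask][T#1]] org.elasticsearch.xpack.ilm.action.TransportPutLifecycleAction - updating index lifecycle policy [.alerts-ilm-policy]
2023-05-25 21:21:35.205Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#57]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:21:35.207Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#58]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:26:35.174Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#58]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.17.0.1, originatingIpAddress=172.17.0.1, clientCertSubject=null]
2023-05-25 21:31:36.719Z WARN [elasticsearch[esnode-aln-nbadev4][transport_worker][T#19]] com.floragunn.searchguard.authc.base.RequestAuthenticationProcessor - Authentication failed for null from [request=/.kibana_7.17.9/_search, directIpAddress=172.20.173.95, originatingIpAddress=172.20.173.95, clientCertSubject=null]
"""


def parse_auth_failures(log_text):
    """Yield one dict per authentication-failure WARN line; other lines are ignored."""
    for line in log_text.splitlines():
        m = AUTH_FAIL_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S.%fZ")
            yield ev


def summarise(log_text, expected_sources):
    """Group failures by (direct IP, request) and report count, gaps between hits in seconds,
    whether every hit was anonymous (user null, no client cert), and whether the IP is an
    expected host. Anonymous hits from an unexpected source are the ones to look into."""
    groups = defaultdict(list)
    for ev in parse_auth_failures(log_text):
        groups[(ev["direct"], ev["request"])].append(ev)
    report = {}
    for (ip, req), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        report[(ip, req)] = {
            "count": len(evs),
            "anonymous": all(e["user"] == "null" and e["cert"] == "null" for e in evs),
            "gaps_s": [round(g, 3) for g in gaps],
            "expected_source": ip in expected_sources,
        }
    return report
```

Run over the lines from the post with the two Kibana-side addresses as expected sources, every group comes out anonymous, from an expected host, and spaced roughly five minutes apart, which is what a periodic unauthenticated probe from Kibana looks like rather than an unknown client.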