Cross-Cluster Search with Security Onion (x-pack basic)

I’m trying to bridge our security onion appliance in with our larger elasticsearch data store, but the X-Pack authentication within security onion doesn’t seem to play well with Searchguard. I’ve configured the remote cluster using public PKI, but I can’t get search to work. Are there any tips to get this working?

No user found for indices:data/read/search from /192.168.1.4:41768 TRANSPORT via transport {_xpack_audit_request_id=xxxxxxxxx, trace.id=xxxxxxxxxxxx, _system_index_access_allowed=false, _sg_initial_action_class_header=SearchRequest, _xpack_security_authentication=xxxxxxxxxxxxxxxxxxxxxx}

Hi @novaksam,

How are your clusters set up? Does the “security onion” integrate with X-Pack, and does your “larger elasticsearch data store” have SearchGuard installed (what is the version of SearchGuard)?
If so, how do you pass credentials from security onion to SearchGuard?

Best,
Mantas

So my primary cluster is 8 nodes: 5 data (4 hot + 1 cold), 2 ingest, 1 web. That cluster is configured with Searchguard and public PKI certs for all ports.

Security Onion is a standalone server, which includes x-pack by default and uses it internally. I’ve also configured this with public PKI certs for 9200 and 9300.

Using Search across clusters | Elasticsearch Guide [8.13] | Elastic as my basis, I have certificates that are trusted by both servers, and added the primary cluster in kibana using ‘remote clusters’. That part of it seems to work as the remote cluster shows as green, but actually trying to query against the remote cluster returns an error like the one in my original message.

I’ve tried setting up anonymous auth, adding the cert for security onion as a user, and a handful of other things, but haven’t found a way to resolve that error/message.
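As an added example (not from the original poster or from either project), here is a small parser for the Search Guard "No user found" message quoted above that splits out the action, source and the transport headers, then reports which authentication headers actually reached the remote cluster. The sample line is constructed from the thread's message with values redacted; the Search Guard user header name `_sg_user` is an assumption, while `_xpack_security_authentication` is the header visible in the original message.

```python
import re
from typing import Any, Dict

# Constructed sample, modelled on the message quoted in the thread (values redacted).
SAMPLE = ("No user found for indices:data/read/search from /192.168.1.4:41768 "
          "TRANSPORT via transport {_xpack_audit_request_id=xxxxxxxxx, "
          "trace.id=xxxxxxxxxxxx, _system_index_access_allowed=false, "
          "_sg_initial_action_class_header=SearchRequest, "
          "_xpack_security_authentication=xxxxxxxxxxxxxxxxxxxxxx}")

LINE_RE = re.compile(
    r"No user found for (?P<action>\S+) from /(?P<ip>[\d.]+):(?P<port>\d+) "
    r"(?P<channel>\S+) via (?P<via>\S+) \{(?P<headers>.*)\}$")

# Header names: `_sg_user` is an assumed Search Guard header name; the X-Pack one
# is taken from the message in the thread.
SG_USER = "_sg_user"
XPACK_AUTH = "_xpack_security_authentication"


def parse_no_user_line(line: str) -> Dict[str, Any]:
    """Split a 'No user found' line into action, source, channel and header map."""
    m = LINE_RE.search(line)
    if not m:
        raise ValueError("not a Search Guard 'No user found' message")
    headers: Dict[str, str] = {}
    for kv in m.group("headers").split(", "):
        key, _, value = kv.partition("=")
        headers[key.strip()] = value.strip()
    return {
        "action": m.group("action"),
        "source": f"{m.group('ip')}:{m.group('port')}",
        "channel": m.group("channel"),
        "headers": headers,
    }


def diagnose(parsed: Dict[str, Any]) -> str:
    """Classify which identity material the remote node actually received."""
    h = parsed["headers"]
    if SG_USER in h:
        return "sg-user-present"      # Search Guard had a user to authorize
    if XPACK_AUTH in h:
        return "xpack-auth-only"      # only X-Pack's header arrived; Search Guard ignores it
    return "no-auth-headers"          # request carried no identity at all


if __name__ == "__main__":
    info = parse_no_user_line(SAMPLE)
    print(info["action"], info["source"], info["channel"], diagnose(info))
```

Run over the remote cluster's own log, the classification tells you whether the request is arriving with no identity at all or with an identity the receiving plugin cannot read.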