Hey, is it possible to use the Elasticsearch SIEM (Detection Engine, etc.) feature with Search Guard?
We are having some kind of weird issue where ES is trying to access the _security index and, since index names starting with an underscore are invalid, it fails.
This happens with an administrator user, so in theory it should have full access to everything.
Elasticsearch version:
7.16.2
Describe the issue:
Upon clicking on Security in Kibana, it emits this message:
"name": "Error",
"body": {
"message": "security_exception: Unexpected exception indices:data/write/index",
"status_code": 500
},
Steps to reproduce:
- install Elasticsearch 7.16.2, Kibana 7.16.2 with Search Guard
- open Kibana, click on Security
Logs
In the logs this appears:
[2022-01-20T20:41:55,506][ERROR][c.f.s.f.SearchGuardFilter] [erfkibanbd01.erfk.kozpont.otp] Unexpected exception [_security] InvalidIndexNameException[Invalid index name [_security], must not start with '_'.]
…java stack trace continues
[2022-01-20T20:41:55,508][WARN ][r.suppressed ] [myhost.example.com] path: /_security/user/_has_privileges, params: {index=_security, id=_has_privileges, type=user}
org.elasticsearch.ElasticsearchSecurityException: Unexpected exception indices:data/write/index
…java stack trace continues
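The log lines above show the root of the symptom: Kibana's Security app calls the X-Pack endpoint /_security/user/_has_privileges, and the request surfaces on the Search Guard side with index=_security, a name that violates Elasticsearch's own index naming rules (names may not start with '_', '-' or '+', must be lowercase, and may not contain characters such as '\ / * ? " < > | , # :' or a space). The script below is an added triage example written for this thread, not code from the original post or from the Search Guard project. It parses log lines in the format quoted above (sample lines are constructed here, with placeholder node names), validates the index name each failure refers to against those rules, and flags requests whose path falls under /_security/ so an operator can separate "X-Pack Security API call that the installed security plugin does not serve" from an ordinary bad index name. The generalisation to the full ES naming rules goes beyond the single '_' case in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log lines modelled on the two lines quoted in the post;
# the node name and timestamps are placeholders, not real values.
SAMPLE_LOGS = [
    "[2022-01-20T20:41:55,506][ERROR][c.f.s.f.SearchGuardFilter] [node-1] "
    "Unexpected exception [_security] InvalidIndexNameException"
    "[Invalid index name [_security], must not start with '_'.]",
    "[2022-01-20T20:41:55,508][WARN ][r.suppressed ] [node-1] "
    "path: /_security/user/_has_privileges, params: {index=_security, "
    "id=_has_privileges, type=user}",
    "[2022-01-20T20:42:01,000][INFO ][o.e.c.m.MetadataCreateIndexService] "
    "[node-1] [logs-2022.01.20] creating index",
]

# Elasticsearch index naming rules (documented ES behaviour, encoded here for checking).
INVALID_CHARS = set('\\/*?"<>|,# :')
RESERVED_PREFIXES = ("_", "-", "+")


def index_name_problems(name: str) -> List[str]:
    """Return a list of rule violations for an index name (empty list = valid)."""
    problems: List[str] = []
    if not name:
        return ["empty name"]
    if name in (".", ".."):
        problems.append("must not be '.' or '..'")
    if name != name.lower():
        problems.append("must be lowercase")
    if name[0] in RESERVED_PREFIXES:
        problems.append(f"must not start with '{name[0]}'")
    bad = "".join(sorted(c for c in set(name) if c in INVALID_CHARS))
    if bad:
        problems.append(f"contains invalid characters: {bad!r}")
    if len(name.encode("utf-8")) > 255:
        problems.append("longer than 255 bytes")
    return problems


# "[timestamp][LEVEL ][logger ] rest..."; ES pads level and logger with spaces.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[A-Z]+)\s*\]\[(?P<logger>[^\]]+)\]\s*(?P<rest>.*)$"
)
PATH_RE = re.compile(r"path: (?P<path>/\S+?),")
INDEX_PARAM_RE = re.compile(r"index=(?P<index>[^,}]+)")
INVALID_NAME_RE = re.compile(
    r"InvalidIndexNameException\[Invalid index name \[(?P<index>[^\]]+)\]"
)


def triage(line: str) -> Optional[Dict[str, object]]:
    """Classify one log line; None when it carries no index-name failure."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    index: Optional[str] = None
    path: Optional[str] = None

    im = INVALID_NAME_RE.search(rest)
    if im:
        index = im.group("index")
    pm = PATH_RE.search(rest)
    if pm:
        path = pm.group("path")
    xm = INDEX_PARAM_RE.search(rest)
    if xm and index is None:
        index = xm.group("index").strip()
    if index is None:
        return None  # an ordinary line, e.g. a successful index creation

    return {
        "timestamp": m.group("ts"),
        "level": m.group("level"),
        "logger": m.group("logger").strip(),
        "index": index,
        "path": path,
        "problems": index_name_problems(index),
        # True when the caller hit an X-Pack Security REST endpoint, which a
        # third-party security plugin may not implement at all.
        "xpack_security_api": path is not None and path.startswith("/_security/"),
    }


def triage_all(lines: List[str]) -> List[Dict[str, object]]:
    """Run triage over a batch of lines, keeping only the failures."""
    return [r for r in (triage(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for finding in triage_all(SAMPLE_LOGS):
        print(finding)
```

Running the script over a node's log (for example `triage_all(open("elasticsearch.log").readlines())`) lists every failure together with the exact naming rule broken and whether the originating request was an X-Pack Security endpoint; a hit with `xpack_security_api` set and `_security` as the index points at a feature expecting X-Pack Security rather than at a permissions problem for the calling user.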