Elasticsearch SIEM with Search Guard

Hey, is it possible to use the Elasticsearch SIEM (Detection Engine, etc.) feature with Search Guard?

We are having some kind of weird issue where ES is trying to access the _security index, and since index names starting with an underscore are invalid, it fails.

This happens with an administrator user, so in theory it should have full access to everything.

Elasticsearch version:
Describe the issue:
Upon clicking on Security in Kibana, it emits this message:
"name": "Error",
"body": {
    "message": "security_exception: Unexpected exception indices:data/write/index",
    "status_code": 500

Steps to reproduce:

  1. install Elasticsearch 7.16.2, Kibana 7.16.2 with Search Guard
  2. open Kibana, click on Security

In the logs this appears:
[2022-01-20T20:41:55,506][ERROR][c.f.s.f.SearchGuardFilter] [erfkibanbd01.erfk.kozpont.otp] Unexpected exception [_security] InvalidIndexNameException[Invalid index name [_security], must not start with '_'.]
…java stack trace continues
[2022-01-20T20:41:55,508][WARN ][r.suppressed ] [myhost.example.com path: /_security/user/_has_privileges, params: {index=_security, id=_has_privileges, type=user}
org.elasticsearch.ElasticsearchSecurityException: Unexpected exception indices:data/write/index
…java stack trace continues

@swi This does not appear to be possible, as xpack.security is disabled.

There is a similar case here

This is to do with _security HTTP/REST handler missing as xpack.security is disabled.

The best way to check supported features is to refer to the docs here; if it's not listed, it's either not compatible or works but has issues.
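A pre-flight check for the situation described in this thread, added here as an example (not code from the thread, from Search Guard or from Elastic): it calls the X-Pack security endpoint `GET /_security/_authenticate` with the caller's credentials and classifies the reply, so you can tell before enabling the Kibana Security app whether the `_security` REST handler exists or whether the path falls through to index handling as in the logs above. The URL, credentials and the set of error marker strings are assumptions.

```python
import base64
import json
import urllib.error
import urllib.request

# Marker strings that show /_security/... was routed to the index layer instead
# of the X-Pack security REST API (the symptom quoted in the thread). Which of
# these appears depends on the cluster and plugin; this list is an assumption.
MISSING_MARKERS = (
    "invalid_index_name_exception",
    "must not start with",
    "no handler found for uri",
    "Unexpected exception indices:",
)


def classify_security_api_response(status, body):
    """Classify the reply to GET /_security/_authenticate.

    'available' -> the security REST handler answered with the caller's identity
    'missing'   -> the path fell through to index handling (xpack.security off)
    'unknown'   -> anything else (bad credentials, proxy error, ...)
    """
    try:
        data = json.loads(body)
    except ValueError:
        data = {}
    if status == 200 and isinstance(data, dict) and "username" in data:
        return "available"
    if any(marker in body for marker in MISSING_MARKERS):
        return "missing"
    return "unknown"


def probe_security_api(base_url, user, password, timeout=5):
    """Send the probe and classify the answer; HTTP error replies are classified too."""
    req = urllib.request.Request(base_url.rstrip("/") + "/_security/_authenticate")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_security_api_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_security_api_response(err.code, err.read().decode())


if __name__ == "__main__":
    # Placeholder URL and credentials; replace with your own cluster's values.
    print(probe_security_api("https://localhost:9200", "admin", "CHANGEME"))
```

A result of "missing" on a cluster where an administrator is logged in matches the thread's outcome: the Kibana Security app will not work because the request never reaches a security REST handler.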

Thank you, I will install a new, smaller cluster for this purpose with xpack + basic security then.
