Error creating private tenant index pattern

#1

I’m trying to create index patterns for a private tenant.
I have one index pattern that gives me errors every time I try to create an index pattern. All the others work fine. The elasticsearch.username (the account defined in kibana.yml) has had its privileges increased to sg_all_access to make sure it’s not a privilege issue. Log levels for logger.com.floragunn and logger.org.elasticsearch.action are set to debug. I can’t seem to find a log event that explains why.

Here is the error:

Saved object is missing
Could not locate that index-pattern (id: 3aa68110-6dcb-11e9-9c91-99a8153e24c5), click here to re-create it

Clicking to recreate does not fix the issue.

I’ve tried deleting the private index and recreating it. The private index says it is healthy, and all the other index patterns work fine.

How can I best diagnose this issue?

Thanks,

Peter

searchguard_forum_post_data.tar.gz (1.3 MB)

#2

The index pattern giving the error is: wazuh-a*

assigned jkressin #3
#4

I had a look at the configs and log files you attached (thanks for posting them, this is always really helpful). Everything looks fine to me, and I too cannot spot any suspicious entry. I also could not reproduce the issue here locally :frowning:

So let me ask some questions and hopefully, we will be able to reproduce the issue:

  • Which exact version of the Kibana plugin and SG are you running?
  • Is the same index pattern working when you try to create it in the GLOBAL tenant?
  • After creating the index pattern in the private tenant, can you have a look at the tenant index directly? And see if it contains an index pattern with the ID Kibana complains about?

We did have an issue similar to yours, but it was already a long while ago, and it would only happen when the GLOBAL tenant was disabled. So it sounds familiar, but it should not surface with the configuration you are using.

#5

Which exact version of the Kibana plugin and SG are you running?

Kibana: 6.4.0
SG: 6.4.0-32.0

Is the same index pattern working when you try to create it in
the GLOBAL tenant?

Yes

After creating the index pattern in the private tenant, can you have a
look at the tenant index directly? And see if it contains an index
pattern with the ID Kibana complains about?

Long answer, see attached.

But I don’t see a reference to the id in the error message: "index-pattern (id: 3aa68110-6dcb-11e9-9c91-99a8153e24c5)"

more_info_searchguard_forum_post.txt (20.0 KB)

#6

Update:

Regarding the error “Could not locate that index-pattern (id: 3aa68110-6dcb-11e9-9c91-99a8153e24c5)”, I do see that id number if, with the private tenant selected, I then select Management, Saved Objects, and Export. The export contains:

{
  "_id": "3aa68110-6dcb-11e9-9c91-99a8153e24c5",
  "_type": "index-pattern",
  "_source": {
    "title": "wazuh-a*",
    "timeFieldName": "@timestamp"
  },
  "_meta": {
    "savedObjectVersion": 2
  }
}

#7

When I export the global tenant, and look at wazuh-a* in the export file, the fields list is very large. Perhaps that is why it fails. I’ve attached the fields list from wazuh-a* in global, and called it add.json.gz.

add.json.gz (13.4 KB)

#8

You are running an older version of Search Guard, so I am pretty sure you hit a bug when a tenant index was created but the mapping for that index was not applied correctly. This would lead to the index pattern created in the index (as you have shown in your last post) but could not be retrieved afterward. Could you please try to upgrade, preferably to a Kibana plugin version 18.3 which is available for ES > 6.5.1:

#9

Thanks, I’ll look into upgrading. In the meantime I’ve found a workaround, by removing the private tenant .kibana index, closing several older indexes, and rebooting ES and Kibana, and trying again. Although it took several attempts, eventually I was able to create all the index patterns I needed in the private tenant.

Then I exported them so they can be added back easily.

I have a question about exporting though. Is it safe to export from one private tenant to another?

Is it safe to export from the global tenant to a private tenant?

Thanks,

#10

Yes, this should be safe. Multi tenancy works by creating a separate “.kibana” index for every tenant. For Kibana this is totally transparent, since rewriting the index happens on the Elasticsearch side.

In other words, Kibana is agnostic to whether the saved objects come from the global, private or a named tenant.
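
Reply #8 attributes the failure to a tenant index whose mapping was not applied correctly. The following is an added example, not code from the thread or from Search Guard: it inspects a `GET <index>/_mapping` response and reports where a tenant index deviates from the saved-object mapping. It assumes the usual Kibana 6.x layout (mapping type `doc`, `dynamic: strict`, a keyword `type` field); the sample responses and index names are constructed placeholders.

```python
"""Check a tenant index mapping for the Kibana 6.x saved-object layout (added example)."""

# Assumption: Kibana 6.x stores saved objects under mapping type "doc", with a
# keyword field "type" and one object property per saved-object type.
DOC_TYPE = "doc"


def mapping_problems(mapping_response, object_type="index-pattern"):
    """Return {index_name: [problem, ...]} for a GET <index>/_mapping response."""
    report = {}
    for index, body in mapping_response.items():
        problems = []
        doc = body.get("mappings", {}).get(DOC_TYPE)
        if doc is None:
            problems.append("mapping type 'doc' is missing")
        else:
            props = doc.get("properties", {})
            if doc.get("dynamic") != "strict":
                problems.append("dynamic is not 'strict'")
            if props.get("type", {}).get("type") != "keyword":
                problems.append("'type' is not a keyword field")
            if object_type not in props:
                problems.append("no '%s' property" % object_type)
        report[index] = problems
    return report


# Constructed samples; the index names are placeholders, not real tenant indices.
HEALTHY = {"tenant-index-ok": {"mappings": {"doc": {
    "dynamic": "strict",
    "properties": {
        "type": {"type": "keyword"},
        "index-pattern": {"properties": {"title": {"type": "text"},
                                         "timeFieldName": {"type": "keyword"}}},
    }}}}}
# What dynamic mapping produces when no saved-object mapping was applied.
BROKEN = {"tenant-index-bad": {"mappings": {"doc": {
    "properties": {
        "type": {"type": "text",
                 "fields": {"keyword": {"type": "keyword", "ignore_above": 256}}},
        "index-pattern": {"properties": {"title": {"type": "text"}}},
    }}}}}

if __name__ == "__main__":
    for sample in (HEALTHY, BROKEN):
        for name, problems in mapping_problems(sample).items():
            print(name, "OK" if not problems else problems)
```

Comparing the output for the private tenant index against the GLOBAL tenant index shows whether the two mappings differ before any index is deleted and recreated.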