Ingest manager and Kibana alerting 7.8.1

Ingest manager (beta) was introduced in 7.8.0 -

But this required ES Security to be enabled.

Can SG work, in conjunction with ES Security enabled? else I am not 100% sure how we can use this new feature of ingest manager with SG

Currently, SearchGuard supports only the following X-Pack apps:

  • Monitoring
  • Alerting
  • Machine Learning

The ingest manager is a new experimental X-Pack app. We will look into it to see whether support can be introduced.

1 Like

Does SG support

As, when I try this I get error - “Unable to load alert state:”

I haven’t tried this. Looking at prerequisites, I would say it should work.

Btw, Search Guard has a built-in alerting system - Signals. Here are some docs and video:

Yes, I was going to create Index alerting from ES/Kibana alerts and actions. And then use SG’s Alerting app to fire those alerts to Slack/pagerduty etc.

Was able to see this error

{“type”:“log”,"@timestamp":“2020-08-13T20:07:05Z”,“tags”:[“error”,“plugins”,“alerting”,“plugins”,“alerting”],“pid”:8,“message”:“enable(): Failed to load API key to invalidate on alert a7c15802-3c04-452d-b836-2efde02c09ae: Saved object [alert/a7c15802-3c04-452d-b836-2efde02c09ae] not found”}

Do, we need to add rules/roles in SG to allow creation of Saved Objects alert/<>

The Elastic Kibana Alerting and the Search Guard Signals Alerting are two completely separate applications. Signals is an Elasticsearch plugin that runs watches inside your ES cluster, similar to Elastic Watcher. The Kibana Alerting from Elasticsearch runs completely in Kibana. So the two apps are not compatible with each other.

@sc75651 I see Kibana alerting supports Webhook and Index actions. You can integrate Signals and Kibana alerting using one of this actions.

For example

  1. Setup a Kibana alert to index docs when triggered.
  2. Setup a Signals watch to periodically search for the documents in the Kibana alert index and do one of the available actions.

“type”:“log”,"@timestamp":“2020-08-13T20:07:05Z”,“tags”:[“error”,“plugins”,“alerting”,“plugins”,“alerting”],“pid”:8,“message”:“enable(): Failed to load API key to invalidate on alert a7c15802-3c04-452d-b836-2efde02c09ae: Saved object [alert/a7c15802-3c04-452d-b836-2efde02c09ae] not found”}
Do, we need to add rules/roles in SG to allow creation of Saved Objects alert/<>

See if you have any other errors in the Elasticsearch log. Usually, there is a hint for the required permission.

Thanks for quick reply, yes we are trying to do same thing… hard luck finding any errors in ES, but only Kibana throws errors mentioned above, hence seem it is UI based as Kibana alerts are originated and executed by them and not ES

We tested with ELK Stack without SG and above Example - Step 1 works, seems After adding SG to mix some permissions are not allowing the Alert to be fired.

Observation from ELK (Without SG and Security)
1 - Alert Created
2 - Attached Actions
3 - Enabled Alert (and this went active)

So, seems SG might be blocking https://kibana/api/alert/61409c90-dda8-11ea-830e-332c8e77d0a1 from execution…

We get 404, on the page where the alert is

{statusCode: 404, error: "Not Found",…} error: "Not Found" message: "Saved object [task/61409c90-dda8-11ea-830e-332c8e77d0a1] not found" statusCode: 404

Just to confirm we have SGS_ALL_ACCESS for our tenant,

Any help is appreciated

Ok. I added this to the queue to reproduce. I’ll reach you back when I have more information.

Thank you, do you have ticket which I can follow for updates.

@sc75651 we use Jira to track issues (tickets). And we provide access for the enterprise users. If you have the license but doesn’t have access yet, please contact us here

1 Like

Is this fixed in latest SG release?

Kibana alerting requires to set API keys (impersonation). The debug log warns about this.     | {"type":"log","@timestamp":"2020-09-07T12:45:59Z","tags":["debug","plugins","encryptedSavedObjects"],"pid":7,"message":"The following attributes of saved object \"alert,8abf443b-8953-4b61-a874-fd40ec72b107\" should have been decrypted: apiKey, but found only: "}

Also, it is stated in the documentation.

Kibana alerting uses API keys to secure background alert checks and actions, and API keys require TLS on the HTTP interface.

And API keys are available only if XPack security is enabled, which we don’t support. Thus we can’t support the Kibana alerting right now.

Again, I think you can do all things you want with our Signals alert. You just need to know how to use Elasticsearch DSL to search for the data. Or use the graph mode if you need simple alerts. Here, look at some videos and the documentation

Does the latest 7.9.3 release support this now, as you have added

Hi. No, this feature is not related. Kibana alerting requires to set Kibana API keys. Which is part of the XPack security. And we don’t support it.