Invalid index name [_xpack], must not start with '_'

Search Guard
1

Hi All,
My

**Elasticsearch version:7.2

**Server OS version:oracle linux 7.2

**Kibana version (if relevant):7.2

Describe the issue:

I have configured the searchhguard for elasticsearch and when i am doing a restart i am getting this error

Please help to fix this issue

[ ERROR][c.f.s.f.SearchGuardFilter] [mcp-x.x.x.x] Unexpected exception [_xpack] InvalidIndexNameException[Invalid index name [xpack], must not start with '‘.]
org.elasticsearch.indices.InvalidIndexNameException: Invalid index name [xpack], must not start with '’.
at org.elasticsearch.cluster.metadata.IndexNameExpressionResolver$WildcardExpressionResolver.validateAliasOrIndex(IndexNameExpressionResolver.java:750) ~[elasticsearch-7.2.0.jar:7.2.0]

2

Do you use Elasticsearch OSS version? If yes, do you have any external software that calls _xpack API? The _xpack API is not available in the OSS. Look, we had a similar issue before: Unexpected exception [_xpack] InvalidIndexNameException for Filebeat 6.7.1 - #3 by jkressin

3

Yes I am using Elasticsearch OSS version 7.2.0.

And i am using all oss elk packages .

my elk stack is working fine,after installing and configuring the search guard plugin for elastic search and kibana i am getting this error.

4

I have fixed this current issue after adding the option ilm_enabled => false in logstash configuration.

5

Hi @srgbnd ,

now i have got a new error as my kibana isn’t starting after the elasticsearch issue.

this is the error log from kibana

“type”:“error”,“@timestamp”:“2020-07-23T19:49:17Z”,“tags”:[“connection”,“client”,“error”],“pid”:11228,“level”:“error”,“error”:{“message”:“139953914136384:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n”,“name”:“Error”,“stack”:“Error: 139953914136384:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n”},“message”:“139953914136384:error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:…/deps/openssl/openssl/ssl/record/rec_layer_s3.c:1407:SSL alert number 46\n”}

also this error is there after manually started the kibana console

image
image1461×169 19.1 KB

please help on this to fix the kibana issue

6

I have fixed this current issue after adding the option ilm_enabled => false in logstash configuration.

Exactly, as I suggested, you used an x-pack feature (ILM) while running the OSS version.

please help on this to fix the kibana issue

We need to see the following configurations in order to help you:

  1. elasticsearch.yml
  2. kibana.yml
  3. sg_config.yml

Did you see a questionnaire when you created this issue? Why did you omit the part where we ask you to provide the configuration? Do you have any suggestions to improve the questionnaire?

7

Next time, please create a new issue for a new problem. Don’t put unrelated problems in one issue.

8

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.