Unable to create Watch using UI

Elasticsearch version:
7.10.2
Server OS version:
ubuntu
Kibana version (if relevant):
7.10.2
Browser version (if relevant):
Version 99.0.4844.74
Describe the issue:
Open Kibana as user with SGS_ALL_ACCESS role, go to Search Guard → Signals
Click Add → Watch
Enter name “test”, click create
AR: Error message “Problem with validation. Please try again”, also GET https://HOST/kibana/api/searchguard-signals/watch/test status 404

Work around: edit watch after creating blank watch using DB Tools:

PUT /_signals/watch/_main/test
{
  "_ui": {
    "watchType": "graph"
  },
  "trigger": {
    "schedule": {
      "interval": [
        "1m"
      ]
    }
  },
  "checks": [],
  "actions": [],
  "active": false
}

The same story with creating Account:
Problem with validation. Please try again
GET https://HOST/kibana/api/searchguard-signals/account/slack/test 404

Work around: create using DB Tools

PUT /_signals/account/slack/account_name
{
    "url": "https://hooks.slack.com/services/R22RX3E2K/B039STSDK3G/8e6EiWm3hJdh8ner3gy53u7p"
}


@trautw Can you confirm which version of searchguard plugin you are using for es and kibana?

Also can you confirm if you entered the needed information in the watch (like type, index and time field) prior to clicking create?

We tried plugin v 52.7.0 for 7.10.2, also 53.1.0 for 7.16.3

Yes, we entered all details in the form. If some details were not provided, we received several errors.
It is the same story when creating an account: as soon as we entered a name, the error appears, and it doesn’t disappear when a URL is provided. As soon as the ‘Url’ field lost focus, the page requested api/searchguard-signals/account/slack/test and got a 404.

@trautw I’m testing using es/kibana 7.10.2 (not oss version), with searchguard-es plugin 53.1 and searchguard-kibana plugin 53.0.

Following these steps:
Open Kibana as user with SGS_ALL_ACCESS role, go to Search Guard → Signals
Click Add → Watch
Enter name “test” (with the rest of the details), click create
Can you elaborate where you are seeing the errors after clicking create in UI, is it in UI itself, kibana logs or es logs?

Can you also provide your elasticsearch.yaml and kibana.yaml (please redact any sensitive information if needed)

I see errors in UI (text message), in Google Chrome developers tools (404), also in kibana pod logs:


kibana {"type":"response","@timestamp":"2022-04-07T12:09:25Z","tags":[],"pid":7,"method":"get","statusCode":404,"req":{"url":"/api/searchguard-signals/watch/t
est","method":"get","headers":{"host":"20.121.231.84","user-agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chr
ome/99.0.4844.74 Safari/537.36","accept":"*/*","accept-encoding":"gzip, deflate, br","accept-language":"ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7,fr;q=0.6","content
-type":"application/json","dnt":"1","kbn-version":"7.10.2","referer":"https://20.121.231.84/kibana/app/searchguard-signals","sec-ch-ua":"\" Not A;Brand\";v=\"
99\", \"Chromium\";v=\"99\", \"Google Chrome\";v=\"99\"","sec-ch-ua-mobile":"?0","sec-ch-ua-platform":"\"macOS\"","sec-fetch-dest":"empty","sec-fetch-mode":"c
ors","sec-fetch-site":"same-origin","x-forwarded-access-token":"[token removed]","x-forwarded-email":"0c59b9a3-8b78-464e-ad4d-c693a1126f79","x-f
orwarded-for":"172.16.0.7, 100.96.0.13, 127.0.0.1","x-forwarded-groups":"offline_access,admin,uma_authorization,user","x-forwarded-host":"20.121.231.84","x-fo
rwarded-port":"443","x-forwarded-preferred-username":"admin","x-forwarded-proto":"https","x-forwarded-scheme":"https","x-forwarded-user":"0c59b9a3-8b78-464e-a
d4d-c693a1126f79","x-proxy-roles":"project:default,project:project-system,offline_access,admin,uma_authorization,user","x-proxy-user":"admin","x-real-ip":"172.16.0.
7","x-request-id":"518cff565eaaf7a666a516e3d42eca05","x-scheme":"https"},"remoteAddress":"127.0.0.1","userAgent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15
_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36","referer":"https://20.121.231.84/kibana/app/searchguard-signals"},"res":{"status
Code":404,"responseTime":53,"contentLength":9},"message":"GET /api/searchguard-signals/watch/test 404 53ms - 9.0B"}      
  "elasticsearch.yml": "
    action.auto_create_index: true
    cluster.initial_master_nodes: project-logging-elasticsearch-master-0
    cluster.name: elasticsearch
    discovery.seed_hosts: project-logging-elasticsearch-discovery.project
    network.host: 0.0.0.0
    node.name: ${HOSTNAME}
    node.processors: 2
    searchguard.authcz.admin_dn:
    - CN=sgadmin,O=project
    searchguard.enterprise_modules_enabled: false
    searchguard.nodes_dn:
    - CN=node,O=project
    searchguard.ssl.http.clientauth_mode: OPTIONAL
    searchguard.ssl.http.enabled: true
    searchguard.ssl.http.pemcert_filepath: certificates/node_http.pem
    searchguard.ssl.http.pemkey_filepath: certificates/node_http.key
    searchguard.ssl.http.pemtrustedcas_filepath: certificates/root-ca.pem
    searchguard.ssl.transport.enforce_hostname_verification: false
    searchguard.ssl.transport.pemcert_filepath: certificates/node.pem
    searchguard.ssl.transport.pemkey_filepath: certificates/node.key
    searchguard.ssl.transport.pemtrustedcas_filepath: certificates/root-ca.pem
    searchguard.ssl.transport.resolve_hostname: false
    xpack.ml.enabled: ${XPACK_ML_ENABLED:false}
    xpack.security.enabled: ${XPACK_SECURITY_ENABLED:false}
    xpack.watcher.enabled: ${XPACK_WATCHER_ENABLED:false}
    ",

  "kibana.yml": "
    elasticsearch.hosts: https://project-logging-elasticsearch-client.project:9200
    elasticsearch.password: ${KIBANA_PASSWORD}
    elasticsearch.requestHeadersWhitelist:
    - Authorization
    - sgtenant
    - x-forwarded-for
    - x-forwarded-by
    - x-proxy-user
    - x-proxy-roles
    elasticsearch.requestTimeout: 300000
    elasticsearch.shardTimeout: 0
    elasticsearch.ssl.certificate: /usr/share/kibana/config/certificates/kibana.pem
    elasticsearch.ssl.certificateAuthorities: /usr/share/kibana/config/certificates/root-ca.pem
    elasticsearch.ssl.key: /usr/share/kibana/config/certificates/kibana.key
    elasticsearch.ssl.verificationMode: certificate
    elasticsearch.username: system.kibanaserver
    logging.quiet: false
    searchguard.allow_client_certificates: true
    searchguard.auth.type: proxy
    server.basePath: /kibana
    server.host: 0.0.0.0
    server.rewriteBasePath: true
    status.allowAnonymous: true
    xpack.security.enabled: false"

@trautw I’m not able to reproduce. Can you try with the plugin version mentioned above? Also, can you try basic auth instead of proxy and log in with the admin user (mapped to SGS_ALL_ACCESS, as you have done before)?

If the issue is still present, can you do the following:

  1. Retrieve and attach searchguard configuration with below command:
     ./sgadmin.sh -icl -key "../kirk-key.pem" -cert "../kirk.pem" -cacert "../root-ca.pem" -nhnv -r
  2. Upload full elasticsearch and kibana logs

Can you also confirm below values are all false:

xpack.ml.enabled: ${XPACK_ML_ENABLED:false}
xpack.security.enabled: ${XPACK_SECURITY_ENABLED:false}
xpack.watcher.enabled: ${XPACK_WATCHER_ENABLED:false}

Hello.
I moved to plugin ver 53.1.0 (and 53.0.0 for Kibana); it didn’t help.
Next I changed to basic auth (searchguard.auth.type: "basicauth"), and now I can create a watch and an account.
At the same time I see a 404 in Chrome Dev Tools while creating an Account, as with proxy auth. Also a 404 when creating a Watch.

So the problem is repeated for proxy authorization, which we use.

@trautw
Can you provide your sg_config.yaml file, with the proxy auth enabled?
