Check Elasticsearch index pattern --Error


BayoA

May 3, 2021, 3:12:27 PM
to Wazuh mailing list
Hello Team,

I'm seeing the following errors in my Elasticsearch log and I can't seem to understand them.
Kindly assist.

[2021-05-02T23:57:55,529][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:monitor/stats]
[2021-05-02T23:57:55,530][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:admin/mappings/get]
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:admin/mappings/get]
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[wazuh-statistics-2021.18w, wazuh-monitoring-2021.05.02, security-auditlog-2021.05.02], types=[*], originalRequested=[rsa.*, *magento2*, *squarespace*, *weebly*, logs-endpoint.*, *artifactory*, squid.*, *barracuda*, *bluecoat*, .app-search-*, rsa_*, *sonicwall*, *cylance*, *meow*, *cyberark*, *checkpoint*, fluentd*, *tomcat*, snort-*, *magento*, rsa-*, *drupal*, logstash-*, pan-*, *fortinet*, *symantec*, *sophos*, *nginx*, squid-*, *acquia*, *kaspersky*, apm-*, winlogbeat-*, *citrix*, logstash-snort*, .ent-search-*, arcsight-*, squid_*, *-*-*, pan.*, telegraf*, *paloaltonetworks*, *cisco*, functionbeat-*, pan_*, metrics-endpoint.*, *tippingpoint*, *sigma_doc*, *suricata*, *joomla*, endgame-*, *wazuh*, packetbeat-*, *aruba*, *search*, *zscaler*, *zeek*, *fireeye*, *shopify*, *apache*, *sharepoint*, .siem-signals-*, *sitecore*, *infoblox*, *wordpress*, *mcafee*, filebeat-*, prometheusbeat*, auditbeat-*, ecs-corelight*, *tripwire*, heartbeat-*, *trendmicro*, metricbeat-*, fluentbit*], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:58:55,525][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:monitor/stats]
[2021-05-02T23:59:19,205][INFO ][c.a.o.j.s.JobSweeper     ] [saelk] Running full sweep
[2021-05-02T23:59:55,522][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:59:55,522][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:admin/mappings/get]
[2021-05-02T23:59:55,522][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[wazuh-statistics-2021.18w, wazuh-monitoring-2021.05.02, security-auditlog-2021.05.02], types=[*], originalRequested=[rsa.*, *magento2*, *squarespace*, *weebly*, logs-endpoint.*, *artifactory*, squid.*, *barracuda*, *bluecoat*, .app-search-*, rsa_*, *sonicwall*, *cylance*, *meow*, *cyberark*, *checkpoint*, fluentd*, *tomcat*, snort-*, *magento*, rsa-*, *drupal*, logstash-*, pan-*, *fortinet*, *symantec*, *sophos*, *nginx*, squid-*, *acquia*, *kaspersky*, apm-*, winlogbeat-*, *citrix*, logstash-snort*, .ent-search-*, arcsight-*, squid_*, *-*-*, pan.*, telegraf*, *paloaltonetworks*, *cisco*, functionbeat-*, pan_*, metrics-endpoint.*, *tippingpoint*, *sigma_doc*, *suricata*, *joomla*, endgame-*, *wazuh*, packetbeat-*, *aruba*, *search*, *zscaler*, *zeek*, *fireeye*, *shopify*, *apache*, *sharepoint*, .siem-signals-*, *sitecore*, *infoblox*, *wordpress*, *mcafee*, filebeat-*, prometheusbeat*, auditbeat-*, ecs-corelight*, *tripwire*, heartbeat-*, *trendmicro*, metricbeat-*, fluentbit*], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:59:55,522][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:monitor/stats]

In my Wazuh logs I also see this:
2021/05/03 19:20:38 INFO: unknown_user x.x.x.x "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.001s: 401
2021/05/03 19:20:38 INFO: unknown_user x.x.x.x "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.001s: 401

Thank you

Regards,
Bayo

Franco Charriol

May 3, 2021, 4:03:26 PM
to Wazuh mailing list
Hi Bayo,

It seems to be an issue with the permissions of the user kibanaserver; Wazuh uses that user to perform all requests to the Elasticsearch API.
In order to be able to help you:
Could you share which versions of Wazuh and Elastic you are using, please?
Are you using Opendistro or X-Pack plugins in addition to Wazuh? Which version?

Also, could you share, from the Kibana / Security section, all the roles the user kibanaserver is mapped to, like in the screenshot?
Screenshot from 2021-05-03 17-02-40.png


Best
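The PrivilegesEvaluator lines quoted above carry everything needed to see what is being refused: the user, the action, the roles that were checked and the concrete indices the request resolved to. The following is an added example (not code from the thread or from Wazuh/Opendistro) that parses such lines and groups the denials, so a few hundred of them collapse into "which user, which action, which roles, which wazuh-* indices". The sample log text is constructed from the shapes seen in this thread, with the long originalRequested list shortened; the line layout it assumes is the one shown in the post.

```python
import re
from collections import namedtuple

# Constructed sample: PrivilegesEvaluator lines in the shape quoted in the thread
# (originalRequested shortened) plus two lines the parser must ignore.
SAMPLE_LOG = """\
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[*], allIndices=[*], types=[*], originalRequested=[*], remoteIndices=[]] [Action [indices:admin/mappings/get]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No permissions for [indices:admin/mappings/get]
[2021-05-02T23:58:55,524][INFO ][c.a.o.s.p.PrivilegesEvaluator] [saelk] No index-level perm match for User [name=kibanaserver, backend_roles=[], requestedTenant=null] Resolved [aliases=[], allIndices=[wazuh-statistics-2021.18w, wazuh-monitoring-2021.05.02, security-auditlog-2021.05.02], types=[*], originalRequested=[*wazuh*, filebeat-*], remoteIndices=[]] [Action [indices:monitor/stats]] [RolesChecked [wazuh_ui_admin, own_index, kibana_server]]
[2021-05-02T23:59:19,205][INFO ][c.a.o.j.s.JobSweeper     ] [saelk] Running full sweep
"""

Denial = namedtuple("Denial", "timestamp user action roles indices requested")

# One regex for the "No index-level perm match" line. The "No permissions for [...]"
# line that follows it repeats the action only, so it is not parsed separately.
_DENIAL = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[[^\]]*\]\[c\.a\.o\.s\.p\.PrivilegesEvaluator\] \[[^\]]+\] "
    r"No index-level perm match for User \[name=(?P<user>[^,\]]+), backend_roles=\[[^\]]*\], "
    r"requestedTenant=[^\]]*\] Resolved \[.*?allIndices=\[(?P<indices>[^\]]*)\].*?"
    r"originalRequested=\[(?P<requested>[^\]]*)\].*?\] "
    r"\[Action \[(?P<action>[^\]]+)\]\] \[RolesChecked \[(?P<roles>[^\]]*)\]\]$"
)


def _split(csv):
    """Turn 'a, b, c' (as printed inside the brackets) into ['a', 'b', 'c']."""
    return [x.strip() for x in csv.split(",") if x.strip()]


def parse_denials(text):
    """Return one Denial per 'No index-level perm match' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = _DENIAL.match(line.strip())
        if m:
            out.append(Denial(m["ts"], m["user"], m["action"], _split(m["roles"]),
                              _split(m["indices"]), _split(m["requested"])))
    return out


def summarize(text):
    """Group denials by (user, action): how many, which roles were tried, which indices."""
    report = {}
    for d in parse_denials(text):
        entry = report.setdefault((d.user, d.action),
                                  {"count": 0, "roles": d.roles, "indices": set()})
        entry["count"] += 1
        entry["indices"].update(d.indices)
    for entry in report.values():
        entry["indices"] = sorted(entry["indices"])
    return report


def wazuh_indices_denied(text):
    """Concrete wazuh-* indices the user was refused on: these are what the app needs to read."""
    names = set()
    for d in parse_denials(text):
        names.update(i for i in d.indices if i.startswith("wazuh-"))
    return sorted(names)


if __name__ == "__main__":
    for (user, action), entry in summarize(SAMPLE_LOG).items():
        print(f"{user} {action}: {entry['count']}x, roles={entry['roles']}, "
              f"indices={entry['indices']}")
    print("wazuh-* indices denied:", wazuh_indices_denied(SAMPLE_LOG))
```

Run it against the real file (for example by reading /var/log/elasticsearch/*.log into `summarize`) and compare the RolesChecked list with the roles the user is actually mapped to in the Security UI; a role that is mapped but never appears in RolesChecked, or a wazuh-* index that appears under "denied", points straight at the role-mapping or index-permission entry to inspect.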

BayoA

May 3, 2021, 4:26:13 PM
to Wazuh mailing list
Hi Franco,

My version of Wazuh is 4.1, while the Elasticsearch version is 7.10.0. I used the distributed deployment unattended installation option.
I used the Opendistro version that comes with the unattended installation.

I have attached a screenshot.

Regards,
Bayo
Elastic.jpg

Franco Charriol

May 4, 2021, 11:08:48 AM
to BayoA, Wazuh mailing list
Thanks for sharing the info.
It seems to be OK. Check to ensure your role wazuh_ui_admin has indices_all in the index permissions for wazuh-*.
image.png

Also, I was searching about the Opendistro INFO logs about "No permissions" and found some issues when migrating from Opendistro 1.10, but I think that is not your case.

Regarding the Wazuh logs that you mentioned:

In my Wazuh logs I also see this;
2021/05/03 19:20:38 INFO: unknown_user x.x.x.x "GET /manager/stats/remoted" with parameters {"pretty": ""} and body {} done in 0.001s: 401
2021/05/03 19:20:38 INFO: unknown_user x.x.x.x "GET /manager/stats/analysisd" with parameters {"pretty": ""} and body {} done in 0.001s: 401
Where are you getting them from?
They seem to be common requests from the Wazuh app when it starts, before a user is logged in or with an expired token.

To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/f394b818-68c6-45a2-bd5a-78026a8ae2fdn%40googlegroups.com.

BayoA

May 4, 2021, 5:48:09 PM
to Wazuh mailing list
Hi Franco,

Kindly indicate where I would check whether wazuh_ui_admin has the permission as indicated.
I can't get any results showing on the Security events screen of Kibana, and the same goes for other functions like FIM etc.
The unknown_user error is coming from the /var/ossec/logs/api.log

Regards,
Adebayo Adewusi

BayoA

May 5, 2021, 5:52:13 AM
to Wazuh mailing list
Hello Guys,

Is there anyone who can assist me with this? I haven't been able to solve the issue and I can't see event incidents on Kibana.

I would appreciate it if anyone could provide a solution to this.

Regards,
Bayo

Franco Charriol

May 5, 2021, 4:57:57 PM
to Wazuh mailing list
I'm giving a summary of the topic, because Google Groups didn't add the responses, in case it is of use to someone.

The user followed this guide to install the Wazuh manager, but there was an error with the Filebeat certs.
He noticed it when running this command on the Wazuh manager host:

filebeat test output

and getting this result:

Error initializing output: 1 error: open /etc/filebeat/certs/filebeat.pem: no such file or directory /etc/filebeat/certs/filebeat.pem

The problem was then fixed by following this installation guide (step 6).
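The root cause in the summary above was a TLS file that filebeat.yml referenced but that did not exist on disk, which only surfaced once `filebeat test output` was run. As an added example (not from the thread, Wazuh or Filebeat), the script below performs that check ahead of time: it reads the `output.elasticsearch.ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` settings out of a filebeat.yml written in the flat dotted-key style and reports each referenced file as present, missing or unreadable. The sample config is constructed; the host, credentials and the /etc/filebeat/certs paths are assumptions and the code only understands the flat dotted form, not the nested `output: elasticsearch: ssl:` form.

```python
import os
import re

# Constructed sample filebeat.yml in the flat dotted-key style; values are placeholders.
SAMPLE_FILEBEAT_YML = """\
output.elasticsearch.hosts: ["10.0.0.5:9200"]
output.elasticsearch.protocol: https
output.elasticsearch.username: admin
output.elasticsearch.password: changeme
output.elasticsearch.ssl.certificate_authorities:
  - /etc/filebeat/certs/root-ca.pem
output.elasticsearch.ssl.certificate: "/etc/filebeat/certs/filebeat.pem"
output.elasticsearch.ssl.key: "/etc/filebeat/certs/filebeat-key.pem"
"""

# Matches e.g. "output.elasticsearch.ssl.key: /path" and captures the setting and value.
_SSL_KEY = re.compile(r"^\s*[\w.]*ssl\.(certificate_authorities|certificate|key)\s*:\s*(.*)$")
# A YAML block-list item such as "  - /path" under certificate_authorities.
_LIST_ITEM = re.compile(r"^\s+-\s+(.*)$")
TLS_SETTINGS = ("certificate_authorities", "certificate", "key")


def _unquote(value):
    return value.strip().strip('"').strip("'")


def cert_paths_from_config(text):
    """Return {setting: [paths]} for the three TLS file settings.

    Handles an inline scalar, an inline flow list ("[a, b]") and a block list
    (one "- path" per line on the lines that follow the setting).
    """
    found = {}
    block = None  # setting whose block list we are currently inside, if any
    for line in text.splitlines():
        m = _SSL_KEY.match(line)
        if m:
            setting, value = m.group(1), _unquote(m.group(2))
            found.setdefault(setting, [])
            block = None
            if not value or value.startswith("#"):
                block = setting           # values follow as "- path" lines
            elif value.startswith("[") and value.endswith("]"):
                found[setting].extend(_unquote(p) for p in value[1:-1].split(",") if p.strip())
            else:
                found[setting].append(value)
            continue
        if block is not None:
            item = _LIST_ITEM.match(line)
            if item:
                found[block].append(_unquote(item.group(1)))
            elif line.strip():
                block = None              # any other non-blank line ends the list
    return found


def check_cert_files(paths, exists=os.path.isfile, readable=lambda p: os.access(p, os.R_OK)):
    """Classify each path as 'ok', 'missing' or 'unreadable'.

    exists/readable are injectable so the check can be run against a fake
    filesystem (used by the tests); the defaults probe the real host.
    """
    status = {}
    for p in paths:
        if not exists(p):
            status[p] = "missing"
        elif not readable(p):
            status[p] = "unreadable"
        else:
            status[p] = "ok"
    return status


def preflight(config_text, **probe):
    """Return (all_ok, report). A setting that is absent is reported as
    'not configured' and counts as a failure, since the Wazuh deployment
    described in the thread authenticates Filebeat with a client certificate."""
    found = cert_paths_from_config(config_text)
    report = {}
    for setting in TLS_SETTINGS:
        if not found.get(setting):
            report[setting] = "not configured"
        else:
            report[setting] = check_cert_files(found[setting], **probe)
    all_ok = all(isinstance(v, dict) and all(s == "ok" for s in v.values())
                 for v in report.values())
    return all_ok, report


if __name__ == "__main__":
    # On a real host: preflight(open("/etc/filebeat/filebeat.yml").read())
    ok, report = preflight(SAMPLE_FILEBEAT_YML)
    for setting, result in report.items():
        print(f"{setting}: {result}")
    print("all TLS files present and readable:", ok)
```

Run it as the same user that Filebeat runs as, because a file that exists but is owned by root with mode 0600 shows up as "unreadable" here and as an open error in `filebeat test output`; the missing-file case from the thread is the "missing" status.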