Cases API not working on ELK 8.1

Hi,

I am running ELK stack 8.1 in our production environment and would like to create cases based on the log alerts we're filtering using a grok pattern.

If I understood correctly, beginning with version 8.2 we have an option to create cases manually from "Stack Management -> Alerts and Insights -> Cases"; however, up to 8.1 cases can only be created using APIs.

I have referred to the following knowledge base article -

I am assuming in 8.1, once a case is created via API, it would show up under "Observability -> Cases" as I don't see it under "Stack Management". Please correct me if I am wrong.

Going by the article above, when I tried creating a case via the API using Postman, I got the following error -

{
    "statusCode": 500,
    "error": "Internal Server Error",
    "message": "Unable to create actions client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command."
}

I would like to know if it is mandatory to have an encryption key enabled to utilise this case creation functionality. Additionally, this is a 3-node cluster; if encryption is enabled on the primary node (assuming the other 2 nodes will get synchronised), will it break the existing cluster in any manner?

Thanks,
Nitish

I don't think this is true; Cases is part of the Security UI, and you have the Security UI available in Kibana 8.1, as you can check in the documentation.

Not sure if it was made available also in the Stack Management UI, but it is available in the Security UI.

Yes it is, but this is related to xpack.encryptedSavedObjects.encryptionKey, which is a random key used to encrypt settings and rules before storing them in Elasticsearch; it is not related to the encrypted communication between nodes.

Can you provide more context? On 8.X security is enabled by default, so the communication between your nodes should already be using TLS, unless you explicitly disabled it.

But again, this is different from the error you got, which is related to Kibana.

Cases is a Kibana feature, it runs on Kibana.

Hi Leandro,

Thanks a lot for the prompt response.

After navigating to "Cases" under "Security" I can see an option to create a case manually. However, I am getting the following error prompts.

Additionally, I haven't explicitly disabled TLS, and it is currently enabled.

I am using POST on http://ip:port/api/cases with the header kbn:xsrf set to true and sending the following JSON as the body of the same request.

{
  "description": "Trigger a test alert for any device failure",
  "title": "Test-case",
  "tags": [
    "junos_failure",
    "login_failure"
  ],
  "connector": {
    "id": "none",
    "name": "none",
    "type": ".none",
    "fields": null
  },
  "settings": {
    "syncAlerts": true
  },
  "owner": "securitySolution"
}

As you mentioned that the error I received is related to Kibana: if I enable it, will my POST request go through without any errors?

Thanks,
Nitish

Did you set xpack.encryptedSavedObjects.encryptionKey in kibana.yml as described in your error log? This is required; Alerts and Cases will not work without it.

"Unable to create actions client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command."

You can check the documentation on how to create it.

Thanks Leandro!

I did the following in order to alleviate the issue:

  1. bin/kibana-encryption-keys generate
  2. Copied the generated encryption keys to kibana.yml:
       xpack.encryptedSavedObjects.encryptionKey: ######
       xpack.reporting.encryptionKey: #####
       xpack.security.encryptionKey: #####
  3. Restarted the Elasticsearch and Kibana services.
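The fix described in the last post depends on all three keys actually landing in kibana.yml with a usable value (Kibana refuses keys shorter than 32 characters). The script below is an added example, not something posted in this thread or shipped by Elastic: it parses a kibana.yml and reports each key as ok, missing or too short, so the check can run before restarting the services. The file path and the key values it constructs are placeholders, not real keys.

```bash
#!/usr/bin/env bash
# Added example (not from the thread or from Elastic): verify that kibana.yml
# carries the three encryption keys that `bin/kibana-encryption-keys generate`
# produces, each at least 32 characters long (Kibana rejects shorter keys).
set -eu

# check_encryption_keys <path-to-kibana.yml>
# Prints one line per key ("ok ...", "missing ..." or "short ...") and returns
# 0 only when all three keys are present with a value of at least 32 chars.
check_encryption_keys() {
  kibana_yml="$1"
  status=0
  for key in xpack.encryptedSavedObjects.encryptionKey \
             xpack.reporting.encryptionKey \
             xpack.security.encryptionKey; do
    # Take the first "key: value" line, drop the key, trailing blanks and
    # surrounding double quotes (the generator writes unquoted values).
    value=$(grep -E "^[[:space:]]*${key}[[:space:]]*:" "$kibana_yml" \
            | head -n 1 \
            | sed -e 's/^[^:]*:[[:space:]]*//' \
                  -e 's/[[:space:]]*$//' \
                  -e 's/^"\(.*\)"$/\1/')
    if [ -z "$value" ]; then
      echo "missing $key"
      status=1
    elif [ "${#value}" -lt 32 ]; then
      echo "short $key (${#value} chars, Kibana needs at least 32)"
      status=1
    else
      echo "ok $key"
    fi
  done
  return "$status"
}

# make_sample <path> <key-value>
# Writes a constructed kibana.yml using the same placeholder value for all
# three keys; only used to exercise the check offline.
make_sample() {
  cat > "$1" <<EOF
server.host: "0.0.0.0"
xpack.encryptedSavedObjects.encryptionKey: "$2"
xpack.reporting.encryptionKey: "$2"
xpack.security.encryptionKey: "$2"
EOF
}

# Stand-alone demo: a config with 32-character placeholder keys passes.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/kibana.yml" "0123456789abcdef0123456789abcdef"
check_encryption_keys "$demo_dir/kibana.yml"
rm -rf "$demo_dir"
```

On a real host, point the function at the deployed file (for example `check_encryption_keys /etc/kibana/kibana.yml`); a non-zero exit means the Cases API will still return the "missing encryption key" error after restart.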