I am running ELK stack 8.1 in our production environment and would like to create cases based on the log alerts we're filtering using grok pattern.
If I understood correctly, beginning with version 8.2 we have an option to create cases manually from "Stack Management -> Alerts and Insights -> Cases"; however, up to 8.1, cases can only be created using APIs.
I have referred the following knowledge base article -
I am assuming in 8.1, once a case is created via API, it would show up under "Observability -> Cases" as I don't see it under "Stack Management". Please correct me if I am wrong.
Going with the article above, when I tried creating a case via API using POSTMAN, I got the following error -
{
"statusCode": 500,
"error": "Internal Server Error",
"message": "Unable to create actions client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command."
}
I would like to know if it is mandatory to have an encryption key enabled to utilise this case creation functionality. Additionally, this is a 3-node cluster; if encryption is enabled on the primary node (assuming the other 2 nodes will get synchronised), will it break the existing cluster in any manner?
I don't think this is true; Cases is part of the Security UI, and you have the Security UI available in Kibana 8.1, as you can check in the documentation.
Not sure if it was made available also in the Stack Management UI, but it is available in the Security UI.
Yes it is, but this is related to the xpack.encryptedSavedObjects.encryptionKey, which is a random key used to encrypt settings and rules before storing them in Elasticsearch; it is not related to the encrypted communications between nodes.
Can you provide more context? On 8.X security is enabled by default, so the communication between your nodes should already be using TLS, unless you explicitly disabled it.
But again, this is different from the error you got, which is related to Kibana.
Did you set xpack.encryptedSavedObjects.encryptionKey in kibana.yml as described in your error log? This is required, Alerts and Cases will not work without it.
"Unable to create actions client because the Encrypted Saved Objects plugin is missing encryption key. Please set xpack.encryptedSavedObjects.encryptionKey in the kibana.yml or use the bin/kibana-encryption-keys command."
You can check the documentation on how to create it.
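An added example, not from the thread or from Elastic: a Python check for the kibana.yml setting the error names, run over constructed sample configs for three Kibana instances. It assumes the flat dotted-key form of the setting (not the nested YAML form) and the 32-character minimum Kibana enforces; the point for a multi-instance deployment is that this is a Kibana setting, not an Elasticsearch node setting, and every Kibana instance must carry the same value or saved objects encrypted by one instance cannot be read by another.

```python
import re
import secrets

KEY_SETTING = "xpack.encryptedSavedObjects.encryptionKey"
MIN_KEY_LEN = 32  # Kibana refuses to start with a shorter key


def find_encryption_key(kibana_yml: str):
    """Return the value of the flat dotted setting, or None if it is absent or commented out.
    Assumption: only the 'key: value' form is parsed, not the nested xpack:/encryptedSavedObjects: form."""
    pattern = re.compile(r"^\s*" + re.escape(KEY_SETTING) + r"\s*:\s*(.+?)\s*$")
    for line in kibana_yml.splitlines():
        m = pattern.match(line)
        if m:
            return m.group(1).strip().strip('"').strip("'")
    return None


def check_kibana_instances(configs: dict) -> list:
    """Report missing, too-short, or mismatched keys across several Kibana instances' kibana.yml."""
    problems = []
    keys = {}
    for name, text in configs.items():
        key = find_encryption_key(text)
        if key is None:
            problems.append(f"{name}: {KEY_SETTING} is not set; Cases/Alerts API calls fail with HTTP 500")
        elif len(key) < MIN_KEY_LEN:
            problems.append(f"{name}: key is {len(key)} chars, Kibana requires at least {MIN_KEY_LEN}")
        keys[name] = key
    if len({k for k in keys.values() if k is not None}) > 1:
        problems.append("encryption keys differ between Kibana instances; they must be identical")
    return problems


def generate_key() -> str:
    """Produce a 32-character random key, the same job bin/kibana-encryption-keys generate does."""
    return secrets.token_hex(16)


# Constructed sample kibana.yml contents for three Kibana instances (not real configs).
SAMPLE_CONFIGS = {
    "kibana-1": "server.port: 5601\n# xpack.encryptedSavedObjects.encryptionKey: placeholder\n",
    "kibana-2": 'xpack.encryptedSavedObjects.encryptionKey: "tooshort"\n',
    "kibana-3": "xpack.encryptedSavedObjects.encryptionKey: 0123456789abcdef0123456789abcdef\n",
}

if __name__ == "__main__":
    for problem in check_kibana_instances(SAMPLE_CONFIGS):
        print(problem)
    print("suggested key:", generate_key())
```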