Elasticsearch Audit Logs decipher

Brian-cf1 · November 21, 2023, 4:10pm

I am looking at the Elasticsearch Audit logs and i am getting an authentication denied for User Elastic, why would our servers be authenticating against our Elasticsearch nodes when we are getting logs from the beats and there are indexes tied to the logs

What is this request need to track it down as it is flooding our logs

{"type":"audit", "timestamp":"2023-11-20T20:56:24,845+0000", "node.id":"{NodeID}", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"{IPADDRESS}:55506", "url.path":"/", "request.method":"GET", "request.id":"{REQUESTID}"}

leandrojmp · November 21, 2023, 4:24pm

The url.path shows you what was the endpoint of this request, since it is showing /, this is the same as curl https://your-host:9200.

Do you now the ip address in the origin.address field?

Is your Instance exposed to the public internet?

Brian-cf1 · November 21, 2023, 4:33pm

Yeah , so these logs are coming from a data node, and the origin IP is ( all over the place ) but this specific instance is coming from our coordinating node, ( has multiple beats , kibana , elasticsearch on it ) and no its internal