Elasticsearch Audit Logs decipher

I am looking at the Elasticsearch audit logs and I am getting an authentication denied for user elastic. Why would our servers be authenticating against our Elasticsearch nodes when we are getting logs from the Beats and there are indexes tied to the logs?

What is this request? I need to track it down as it is flooding our logs.

{"type":"audit", "timestamp":"2023-11-20T20:56:24,845+0000", "node.id":"{NodeID}", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"{IPADDRESS}:55506", "url.path":"/", "request.method":"GET", "request.id":"{REQUESTID}"}

The url.path field shows you the endpoint of this request; since it shows /, this is the same as curl https://your-host:9200.

Do you know the IP address in the origin.address field?

Is your Instance exposed to the public internet?
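An added example (not from this thread) of how to pin down which host is generating the authentication_failed events: it parses audit lines in the same shape as the event quoted above, drops the ephemeral client port from origin.address so repeated connections from one machine group together, and counts failures per host, url.path and request.method. The sample events, node id, addresses and request ids are constructed.

```python
import json
from collections import Counter

# Constructed sample audit lines in the shape of the event quoted in the thread;
# node id, addresses and request ids are made up.
SAMPLE_LOG = """\
{"type":"audit", "timestamp":"2023-11-20T20:56:24,845+0000", "node.id":"node-A", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.0.0.5:55506", "url.path":"/", "request.method":"GET", "request.id":"r1"}
{"type":"audit", "timestamp":"2023-11-20T20:56:25,001+0000", "node.id":"node-A", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.0.0.5:55510", "url.path":"/", "request.method":"GET", "request.id":"r2"}
{"type":"audit", "timestamp":"2023-11-20T20:56:26,120+0000", "node.id":"node-A", "event.type":"rest", "event.action":"authentication_success", "user.name":"beats_writer", "origin.type":"rest", "origin.address":"10.0.0.7:41002", "url.path":"/_bulk", "request.method":"POST", "request.id":"r3"}
{"type":"audit", "timestamp":"2023-11-20T20:56:27,300+0000", "node.id":"node-A", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"10.0.0.9:60001", "url.path":"/_cluster/health", "request.method":"GET", "request.id":"r4"}
garbage line that is not JSON
"""

def parse_audit_events(text):
    """Yield one dict per JSON audit line; non-JSON lines are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("{"):
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def origin_host(address):
    """Strip the client port from origin.address: "1.2.3.4:55506" -> "1.2.3.4".
    Also handles the bracketed IPv6 form "[::1]:55506" -> "::1"."""
    host, sep, _port = address.rpartition(":")
    if not sep:
        return address
    return host.strip("[]")

def failed_auth_sources(text, user=None):
    """Count authentication_failed events per (host, url.path, request.method).

    Grouping by host rather than host:port makes repeated connections from one
    machine show up as one hot spot instead of looking 'all over the place'.
    """
    counts = Counter()
    for ev in parse_audit_events(text):
        if ev.get("event.action") != "authentication_failed":
            continue
        if user is not None and ev.get("user.name") != user:
            continue
        key = (origin_host(ev.get("origin.address", "")),
               ev.get("url.path", ""), ev.get("request.method", ""))
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for (host, path, method), n in failed_auth_sources(SAMPLE_LOG, user="elastic").most_common():
        print(f"{n:4d}  {host:15s}  {method} {path}")
```

Run it against the real audit file instead of SAMPLE_LOG and the top entry is the host and endpoint to go look at; a burst of GET / against the elastic user from one internal host usually points at a monitoring or health-check client that is configured with the wrong credentials.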

Yeah, so these logs are coming from a data node, and the origin IP is all over the place, but this specific instance is coming from our coordinating node (it has multiple Beats, Kibana and Elasticsearch on it), and no, it's internal.
