Elasticsearch Audit Logs decipher

Brian-cf1 · November 21, 2023, 4:10pm

I am looking at the Elasticsearch Audit logs and i am getting an authentication denied for User Elastic, why would our servers be authenticating against our Elasticsearch nodes when we are getting logs from the beats and there are indexes tied to the logs

What is this request need to track it down as it is flooding our logs

{"type":"audit", "timestamp":"2023-11-20T20:56:24,845+0000", "node.id":"{NodeID}", "event.type":"rest", "event.action":"authentication_failed", "user.name":"elastic", "origin.type":"rest", "origin.address":"{IPADDRESS}:55506", "url.path":"/", "request.method":"GET", "request.id":"{REQUESTID}"}

leandrojmp · November 21, 2023, 4:24pm

The url.path shows you what was the endpoint of this request, since it is showing /, this is the same as curl https://your-host:9200.

Do you now the ip address in the origin.address field?

Is your Instance exposed to the public internet?

Brian-cf1 · November 21, 2023, 4:33pm

Yeah , so these logs are coming from a data node, and the origin IP is ( all over the place ) but this specific instance is coming from our coordinating node, ( has multiple beats , kibana , elasticsearch on it ) and no its internal

system · December 19, 2023, 4:34pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Audit authentication failed Elasticsearch	1	511	February 21, 2020
That is an error from the auditbeat client. Any solutions to fix this problem? Beats auditbeat	4	1504	November 22, 2019
Locating rogue clients with authentication errors Elasticsearch	1	266	December 28, 2020
Unable to authenticate user [elastic] for REST request [/] Beats docker , filebeat	2	1007	October 17, 2023
Unable to authenticate user for REST request Beats filebeat	5	7572	October 22, 2020

Elasticsearch Audit Logs decipher

Related topics