Index has disappeared

Hello

I have several sources that ELK processes. As you know, in /etc/logstash/conf.d a .conf file is created for each of the sources to be processed, either by GROK or CSV; I don't know if there is another way.

One of my sources has simply disappeared: when I log in from Kibana, click on the gear and search for the index name under "Index Management", it is gone. The others are intact.

This is the final part of the file, to show you that every day it generates an index: index => "antivirus-%{+yyyy.MM.dd}"

  1. In which log should I trace errors that have caused this outcome?

  2. In case it was someone from Kibana, is there any log to know which user or IP was involved? (Although I doubt it, because you simply put the IP in the browser with port :5601 and have immediate access.)

  3. I have the logs in RAW mode in a folder. How can I make ELK read them again and process them, specifying the path where the RAW logs are?

Thanks as always for your valuable help


.
.
.
        else if ([message] =~ /GNRL_EV_OBJECT_CURED|Objeto desinfectado/){

                grok {
                match => { "message" => ["%{SYSLOGTIMESTAMP:timestamp} %{SYSLOGHOST:logsource} CEF: %{DATA:cef}\|%{DATA:vendor}\|%{DATA:product}\|%{DATA:version}\|%{DATA:event}\|%{DATA:event_desc}\|%{DATA:severity}\|msg=%{DATA:msg} rt=%{DATA:rt} cs9=%{DATA:cs9} cs9Label=%{DATA:cs9label} dhost=%{DATA:dhost} dst=%{DATA:dst} cs2=%{DATA:cs2} cs2Label=%{DATA:cs2Label} cs3=%{DATA:cs3} cs3Label=%{DATA:cs3Label} cs10=%{DATA:cs10} cs10Label=%{DATA:cs10label} filePath=%{DATA:filePath} duser=%{GREEDYDATA:duser}"]}
                }
                mutate{
                add_tag => [ "objetivo desinfectado"]
                replace => [ "host", "%{logsource}" ]
                }

                date {
                target => "@timestamp"
                match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss,SSS" ]
                timezone => "America/Bogota"
                }
        }

}
}

output {
    if "AV" in [tags] {
        elasticsearch {
            index => "antivirus-%{+yyyy.MM.dd}"
            hosts => ["localhost:9200"]
        }
    }
}

Is your Kibana or Elasticsearch exposed to the public internet?

1 Like

@leandrojmp It is exposed to the internet, but the operating system firewall is enabled, so only IPs that I add to the firewall permits with the command sudo ufw allow from xx.xx.xx.xx.xx to any port 5601 can load Kibana.

Yeah, but what about port 9200? Is it also behind the firewall?

Or is just Kibana that is exposed to the internet?

Elasticsearch itself does not remove any index; an index is deleted in two cases:

  • Someone/something makes a request to delete the index
  • You have an Index Lifecycle Policy that will delete the index after some time.

If you do not have an Index Lifecycle Policy configured for your indices, then someone/something made a request to your Elasticsearch to delete the index.

When an index is deleted it will be logged in the Elasticsearch logs, but you will not have any information about the request that deleted it; this is only possible with audit enabled, which is a paid feature.

From what you shared, it seems that your cluster also does not have authentication enabled, and a cluster exposed to the internet without authentication is always a risk.

You need to check your firewall rules to see if it is indeed blocking undesired access.

1 Like
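To act on the point above that a deletion shows up in the Elasticsearch server log, here is an added triage helper (not code from the thread or from Elastic): it parses the "deleting index" lines, works out how old each daily index was when it was removed, and, given the retention the ILM policy would apply (or none, as in this thread), separates deletions that ILM could explain from those it cannot. The log lines and the Log4j class name `o.e.c.m.MetaDataDeleteIndexService` are constructed samples assuming the 7.x server-log layout.

```python
import re
from datetime import datetime

# Constructed sample Elasticsearch 7.x server-log lines (assumed layout, not from the thread).
SAMPLE_LOG = """\
[2020-03-14T08:00:01,234][INFO ][o.e.c.m.MetaDataCreateIndexService] [node-1] [antivirus-2020.03.14] creating index, cause [auto(bulk api)], templates [], shards [1]/[1], mappings []
[2020-03-15T03:12:45,678][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [antivirus-2020.03.14/Qx3aBcDeFgHiJkLmNoPq] deleting index
[2020-03-15T03:12:46,001][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [antivirus-2020.03.13/Zz9yXwVuTsRqPoNmLkJi] deleting index
[2020-03-15T09:30:00,000][INFO ][o.e.c.m.MetaDataDeleteIndexService] [node-1] [other-2020.01.01/AaBbCcDdEeFfGgHhIiJj] deleting index
"""

# One "deleting index" event per line; the index UUID after the slash is optional.
DELETE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[\w+\s*\]\[o\.e\.c\.m\.Meta[Dd]ataDeleteIndexService\]"
    r" \[(?P<node>[^\]]+)\] \[(?P<index>[^/\]]+)(?:/[^\]]+)?\] deleting index$"
)
# Daily index names as produced by the thread's output block: antivirus-yyyy.MM.dd
DAILY_RE = re.compile(r"^(?P<prefix>.+)-(?P<day>\d{4}\.\d{2}\.\d{2})$")


def find_index_deletions(log_text, prefix=None):
    """Return deletion events parsed from log_text, optionally only for indices named <prefix>-*."""
    events = []
    for line in log_text.splitlines():
        m = DELETE_RE.match(line)
        if not m:
            continue
        name = m.group("index")
        if prefix is not None and not name.startswith(prefix + "-"):
            continue
        deleted_at = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S,%f")
        age_days = None
        d = DAILY_RE.match(name)
        if d:  # age of a daily index = deletion time minus the day encoded in its name
            age_days = (deleted_at - datetime.strptime(d.group("day"), "%Y.%m.%d")).days
        events.append({"index": name, "node": m.group("node"),
                       "deleted_at": deleted_at, "age_days": age_days})
    return events


def deletions_not_explained_by_ilm(events, ilm_delete_after_days=None):
    """No ILM policy: every deletion is an explicit request. With a policy: keep only
    indices removed before the policy's delete phase could have fired."""
    if ilm_delete_after_days is None:
        return list(events)
    return [e for e in events
            if e["age_days"] is not None and e["age_days"] < ilm_delete_after_days]
```

Run it against the real file under /var/log/elasticsearch/ on the node; an index deleted days before any ILM delete phase would fire, on a cluster without a policy, is the one to correlate with firewall and access logs.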

Two more questions

  1. How do I look at the lifecycle policy?

  2. Is there any way to do some kind of audit activity from the kibana.yml file?

I use ELK 7.6.0

7.6 is pretty old; I'm not sure that it already had an ILM interface in Kibana. You can check by going to Stack Management and seeing if there is an option named Index Lifecycle Policies.

If this does not exist, you can use the APIs to see if there is any ILM policy, as explained in the documentation.

But if you or anyone else who has access to your cluster didn't create any Index Lifecycle Policy, then you will not have one, as it is not created automatically.

As mentioned, a cluster without authentication is a risk; a cluster exposed to the internet without authentication is a bigger risk.

Only if you have a paid license; the audit features are all paid.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.