IP filtering and Security audit not working "Trial License"

Abdelhalim · December 1, 2020, 10:06am

Hello,

I am using trial License to try the IP filtering and Security audit (using version 8.0.0), but it's not working.

I added this configuration to my elasticsearch.yml file:

xpack.security.audit.enabled: true
xpack.security.transport.filter.enabled: true
xpack.security.http.filter.enabled: true
xpack.security.http.filter.deny: _all
xpack.security.transport.filter.deny: _all

II tried to deny my IP address and it didn't work, so I decided to try to deny everything and didn't work too.
and for the auditing, I am not seeing any *_audit.json file !

Could you tell me please if the auditing and IP filetring don't work with Trial License, or I am doing something wrong in my configuration !

Thanks for your help

Albert_Zaharovits · December 1, 2020, 3:20pm

Hi @Abdelhalim,

For historical reasons, you must explicitly set xpack.security.enabled: true for basic and trial licenses.

Abdelhalim · December 2, 2020, 11:14am

UPDATE: The auditing is working now, still just IP filtering not working

Thanks for your answer @Albert_Zaharovits,
I am already using xpack.security.enabled: true

here is my whole configuration:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: full
xpack.security.transport.ssl.key: "MASTER.key"
xpack.security.transport.ssl.certificate: "MASTER.crt"
xpack.security.transport.ssl.certificate_authorities: [ "ca.crt" ]

#===============Encryption between Elastic and kibana================
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"
xpack.security.http.ssl.truststore.path: "http.p12"

#===================== Monitoring =========================
xpack.monitoring.collection.enabled: true
xpack.monitoring.elasticsearch.collection.enabled: false

#================= Test audit and IP filtering ====================
xpack.security.audit.enabled: true
xpack.security.transport.filter.enabled: true
xpack.security.http.filter.enabled: true
xpack.security.http.filter.deny: _all
xpack.security.transport.filter: _all

TimV · December 2, 2020, 11:07pm

Elasticsearch 8 hasn't been released yet. Can you clarify exactly what you're running?

Abdelhalim · December 3, 2020, 8:07am

Hi @TimV,
I try Elasticsearch 8.0.0 from source (github) to know if there is significant updates in the SIEM section as it's what I use ELastic for and then wait the release to update my cluster.

system · December 31, 2020, 8:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.