Kibana can't create Index

Elastic Stack Kibana
#1

Hello everyone, I have followed the steps of @knrdv at this post :


and it still does not work
Here is a picture of what I did :

Connector :

image
image1283×495 19.4 KB

Template :

image
image1206×986 57.9 KB

image
image1199×807 61 KB

image
image1205×971 32.3 KB

image
image1204×1005 50.9 KB

image
image1206×985 31.6 KB

image
image1197×704 33.7 KB

image
image1607×1209 157 KB

Alert :

image
image605×841 32.5 KB

image
image600×654 14.5 KB

I have nothing here :

image
image1173×280 13.5 KB

In log i have this :

[15:06:32.581] [error][alerting][alerts][plugins][plugins] Executing Alert "70251e54-16ee-46ea-9b6e-782bb26d6a17" has resulted in Error: Authentication Exception

Can you tell me what I'm doing wrong?

thank you in advance

#2

Anyone have an idea about my last error message?

[15:06:32.581] [error][alerting][alerts][plugins][plugins] Executing Alert "70251e54-16ee-46ea-9b6e-782bb26d6a17" has resulted in Error: Authentication Exception
#3

Hello Funky89!

I assume you have security enabled in ES and Kibana? Otherwise I would expect that you shouldn't see an "Authentication Error" at all.

The reason the index wasn't created was because the alert didn't actually run, or at least run to completion - there's a chance it got all the way to executing the actions, but I'd guess it failed before it even completed whatever the alert was querying on.

In other words, the problem is with the alert, and not the actions.

I'm not used to seeing Authentication errors here, as usually by the time you've created an alert, you've passed through tons of authn/authz, so I'm not quite sure how this happened.

With security on, we create API keys based on the user who last updated the alert, and use that API key as the authentication when the alert runs (and presumably queries an index) and when actions run (eg, the index action writing a document to an index).

You could try updating that API key by disabling the alert, then enabling it - we build a new API key based on the user that enables the alert as well. So give that a try.

I'm also wondering what sort of security you are using to access Kibana / elasticsearch. saml? pki? basic?

Also wondering if there's anything else "security-ish" in your Kibana logs, or ES logs.

#4

Hello @Patrick_Mueller ,

I do not use the security of Kibana but that of Search Guard, I wanted to send emails because this one was free.

By reading your answer I understand that the problem therefore comes from SearchGuard. So I think I used the security on the Kibana side and not Search Guard.

Thanks for showing me the problem, if it doesn't work out anyway, I'll get back to you

Cordially