Kibana logs out after opening SIEM page

Upgraded from 6.x to 7.3.2. Everything works except the SIEM tab. Whenever I go to the SIEM tab, I get logged out and redirected to the login page. I'm not using any proxy in front, so that's not the problem.

Elasticsearch/Kibana version: 7.3.2

The logs output this error.

Oct 29 11:19:52 PRESC01 kibana[92260]: { Error: Not Found
Oct 29 11:19:52 PRESC01 kibana[92260]: at handler (/usr/share/kibana/src/legacy/server/http/index.js:113:29)
Oct 29 11:19:52 PRESC01 kibana[92260]: at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)
Oct 29 11:19:52 PRESC01 kibana[92260]: at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)
Oct 29 11:19:52 PRESC01 kibana[92260]: data: null,
Oct 29 11:19:52 PRESC01 kibana[92260]: isBoom: true,
Oct 29 11:19:52 PRESC01 kibana[92260]: isServer: false,
Oct 29 11:19:52 PRESC01 kibana[92260]: output:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404,
Oct 29 11:19:52 PRESC01 kibana[92260]: payload:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404, error: 'Not Found', message: 'Not Found' },
Oct 29 11:19:52 PRESC01 kibana[92260]: headers:
Oct 29 11:19:52 PRESC01 kibana[92260]: { 'kbn-name': 'kibana',
Oct 29 11:19:52 PRESC01 kibana[92260]: 'kbn-xpack-sig': '37fa0a487b714a7c397e35e10c1b1322' } },
Oct 29 11:19:52 PRESC01 kibana[92260]: reformat: [Function],
Oct 29 11:19:52 PRESC01 kibana[92260]: message: 'Not Found',
Oct 29 11:19:52 PRESC01 kibana[92260]: typeof: [Function: notFound] }
Oct 29 11:19:52 PRESC01 kibana[92260]: redirecting to  /login

The WebUI briefly shows this:

  JSON.parse: unexpected character at line 1 column 1 of the JSON data

Any ideas why the SIEM tab does not work?

I've pinged the SIEM team, but you may want to drop this in their channel here: https://discuss.elastic.co/c/siem

Hi,

First of all, THANK YOU for the stack trace! Much appreciated!

What is the exact URL if you have it when this occurs? I'm guessing it is the normal SIEM URL but just want to be sure to check that off our list of troubleshooting. Sometimes a minor difference such as http vs https could trigger an unknown.

Which user and roles/spaces is your user using, as this could potentially be a privileges issue that occurred during the upgrade?

I spent some time on a 7.3.2 cloud instance I spun up to see if I could reproduce it with spaces and roles but so far cannot. However, a "skipped upgrade" path from as far back as 6.x might have a couple of side effects along the way we don't know about just yet with the SIEM application.

Any screenshots or text of the roles and users and spaces would be helpful as that would usually be the issue with something as odd as this.

Looking at the source code of where the stack is happening for this version:

It looks to be whenever a route is not recognized which is making me think this is a possible spaces, roles, and/or permissions issue maybe where it is deactivating the routes for the SIEM application but for some reason still showing the button.

Hi, thanks for your time.
There are no roles as the security plugin is disabled. I am using ReadonlyREST for authentication. The issue persists on all workspaces.
The weird thing is that after pressing the SIEM link, you can actually see the SIEM page for about 3 seconds before you get redirected.

Do you think it's a ReadonlyREST issue? I would have expected ReadonlyREST to give an error or something.

Ahhh. Is ReadonlyREST this product?

This is the first time I have heard of that product before. It sounds like that could be your issue. It could be happening from their end or the way that particular product is configured.

I am hesitant to give advice on a 3rd party product I am not familiar with, but I can say if you are using the Chrome browser and you open your developer tools you can click the "preserve log" in the network tab similar to advice here:

And that might give you more insight with the redirects to determine if it is an issue with configuration from that product which is causing a redirect from the SIEM URL to a re-login or a missed bug on our side.
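
An added example, not part of the thread or of any Elastic or ReadonlyREST code: once the Network tab (with "preserve log" on) has been exported as a HAR file, this Node.js function reports which redirect or error response immediately preceded the first request for the login page. The host name, paths and timings in the sample are constructed placeholders; only the standard HAR 1.2 fields are assumed.

```javascript
// Find what failed just before the browser landed on the login page.
// `har` is a parsed HAR export from the DevTools Network tab.
function findLoginTrigger(har, loginPath = '/login', windowSize = 5) {
  const entries = [...har.log.entries].sort(
    (a, b) => new Date(a.startedDateTime) - new Date(b.startedDateTime));

  // First request for the login page itself.
  const loginIndex = entries.findIndex(
    (e) => new URL(e.request.url).pathname.endsWith(loginPath));
  if (loginIndex === -1) return { loginIndex, suspects: [] };

  // Among the requests just before it, keep redirects and 4xx/5xx responses.
  // 304 Not Modified is cache traffic, not a failure, so it is skipped.
  const suspects = entries
    .slice(Math.max(0, loginIndex - windowSize), loginIndex)
    .filter((e) => e.response.status >= 300 && e.response.status !== 304)
    .map((e) => ({
      method: e.request.method,
      url: e.request.url,
      status: e.response.status,
      redirectURL: e.response.redirectURL || null,
      // A 3xx is a server-side redirect; a 4xx/5xx followed by a login
      // request means client-side code navigated after seeing the failure.
      kind: e.response.status < 400 ? 'http-redirect' : 'error-response',
    }));
  return { loginIndex, suspects };
}

// Constructed sample: page loads, one API call returns 404, login follows.
const entry = (startedDateTime, method, url, status) => ({
  startedDateTime,
  request: { method, url },
  response: { status, redirectURL: '' },
});
const base = 'http://kibana.example:5601'; // placeholder host
const sampleHar = { log: { entries: [
  entry('2019-10-29T11:19:49.000Z', 'GET', `${base}/placeholder-siem-page`, 200),
  entry('2019-10-29T11:19:50.000Z', 'GET', `${base}/placeholder-bundle.js`, 304),
  entry('2019-10-29T11:19:52.000Z', 'POST', `${base}/placeholder-api-call`, 404),
  entry('2019-10-29T11:19:52.300Z', 'GET', `${base}/login`, 200),
] } };

console.log(JSON.stringify(findLoginTrigger(sampleHar), null, 2));
```

For a real capture, replace `sampleHar` with `JSON.parse(fs.readFileSync('capture.har', 'utf8'))`; an `error-response` suspect points at the request to compare against the server-side log.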
