Upgrade from 6.x to 7.3.2. Everything works except the SIEM tab. When ever I go to the SIEM tab, I get logged out and redirected to the login page. I'm not using and proxy in front, so thats not the problem.
Elasticsearch/Kibana version: 7.3.2
The logs output this error.
Oct 29 11:19:52 PRESC01 kibana[92260]: { Error: Not Found
Oct 29 11:19:52 PRESC01 kibana[92260]: at handler (/usr/share/kibana/src/legacy/server/http/index.js:113:29)
Oct 29 11:19:52 PRESC01 kibana[92260]: at module.exports.internals.Manager.execute (/usr/share/kibana/node_modules/hapi/lib/toolkit.js:35:106)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Object.internals.handler (/usr/share/kibana/node_modules/hapi/lib/handler.js:50:48)
Oct 29 11:19:52 PRESC01 kibana[92260]: at exports.execute (/usr/share/kibana/node_modules/hapi/lib/handler.js:35:36)
Oct 29 11:19:52 PRESC01 kibana[92260]: at Request._lifecycle (/usr/share/kibana/node_modules/hapi/lib/request.js:263:62)
Oct 29 11:19:52 PRESC01 kibana[92260]: data: null,
Oct 29 11:19:52 PRESC01 kibana[92260]: isBoom: true,
Oct 29 11:19:52 PRESC01 kibana[92260]: isServer: false,
Oct 29 11:19:52 PRESC01 kibana[92260]: output:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404,
Oct 29 11:19:52 PRESC01 kibana[92260]: payload:
Oct 29 11:19:52 PRESC01 kibana[92260]: { statusCode: 404, error: 'Not Found', message: 'Not Found' },
Oct 29 11:19:52 PRESC01 kibana[92260]: headers:
Oct 29 11:19:52 PRESC01 kibana[92260]: { 'kbn-name': 'kibana',
Oct 29 11:19:52 PRESC01 kibana[92260]: 'kbn-xpack-sig': '37fa0a487b714a7c397e35e10c1b1322' } },
Oct 29 11:19:52 PRESC01 kibana[92260]: reformat: [Function],
Oct 29 11:19:52 PRESC01 kibana[92260]: message: 'Not Found',
Oct 29 11:19:52 PRESC01 kibana[92260]: typeof: [Function: notFound] }
Oct 29 11:19:52 PRESC01 kibana[92260]: redirecting to /login
The WebUI briefly show this:
JSON.parse: unexpected character at line 1 column 1 of the JSON data
First of all, THANK YOU for the stack trace! Much appreciated!
What is the exact URL if you have it when this occurs? I'm guessing it is the normal SIEM URL but just want to be sure to check that off our list of trouble shooting. Sometimes a minor difference such as http vs https could trigger an unknown.
Which user and roles/spaces is your user using as this could be a privileges issues potentially that occurred during the upgrade?
I spent some time on a 7.3.2 cloud instance I spun up to see if I could re-produce it with spaces and roles but so far cannot. However, a "skipped upgrade" path from as far back as 6.x might have a couple of side effects along the way we don't know about just yet with the SIEM application.
Any screenshots or text of the roles and users and spaces would be helpful as that would usually be the issue with something as odd as this.
Looking at the source code of where the stack is happening for this version:
It looks to be whenever a route is not recognized which is making me think this is a possible spaces, roles, and/or permissions issue maybe where it is deactivating the routes for the SIEM application but for some reason still showing the button.
Hi, thanks for your time.
There are no roles as the security plugin is disabled. I am using ReadonlyREST for authentication. The issue persists on all workspaces.
The weird thing is that after pressing the SIEM link, you can actually see the SIEM page for about 3 seconds before you get redirected.
Do you think its a ReadonlyREST issue? I would have expected ReadonlyREST to give an error or something.
This is the first time I have heard of that product before. It sounds like that could be your issue. It could be happening from their end or the way that particular product is configured.
I am hesitant to give advice on a 3rd party product I am not familiar with, but I can say if you are using the chrome browser and you open your developer tools you can click the "preserve log" in the network tab similar to advice here:
And that might give you more insight with the redirects to determine if it is an issue with configuration from that product which is causing a redirect from the SIEM URL to a re-login or a missed bug on our side.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.