One day, the dashboards and graphs were using disappeared

One day, I changed the value of 'xpack.security.enabled' from 'true' to 'false' in my Kibana+Elasticsearch environment. I had no problems using it after that, but when I logged into Kibana a few days later, all my dashboards, graphs, theme settings, etc. were gone. (However, the index information was still there.) I'm wondering why this happened.

Question 1.

Is it possible that changing the value of 'xpack.security.enabled' in 'elasticsearch.yml' caused the dashboard, graphs, theme settings, etc. in Kibana to disappear or change to default values?

Question 2.

If so, is there any way to get the missing dashboards, graphs, theme settings back?

I have researched in various ways, but the thing that bothers me is that I was using the license as a trial, and I wonder if this is why the graphs, etc. were forcibly deleted when I deactivated the xpack.

Any help would be greatly appreciated.

"version" : {
"number" : "7.17.5",

Is your Elasticsearch/Kibana exposed on the public internet in some way?

The xpack.security.enabled does a couple of things underwater I believe if you don't specify it specifically in the config.

One of these things is encryption of saved objects (dashboards & viz).
I am assuming you didn't specify the key in the kibana.yml which means it was managed/auto generated.

If you re-enable the authentication. Do you see everything again?

I also had that expectation, I reactivated it, but at first I couldn't reactivate xpack due to lincene issues, but after a few settings and twists I reactivated it and logged in, but it wasn't restored.

yes.

If your Elasticsearch cluster is exposed to the public internet and you disabled the authentication, the probably cause is that someone else accessed your cluster and deleted some data.

Check your Elasticsearch logs to see if it has any information about indices being deleted.

I also thought about that and looked at it, but I couldn't really tell from the log, and it just felt like something was reset, not a messy erase mark. And the data and so on were left intact.

If you look at stack management, saved objects and it is (nearly) empty. It is a safe bet someone accessed your deployment and deleted them.

This would have been in de audit logs of kibana if you had those enabled.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.