Strange indexes


(IT2) #1

Hi there!
I have an ES Cluster. And every day strange indexes are being created. It looks like

In the logs I see the following

root@logstashm:~# cat /var/log/elasticsearch/cloud.log | grep awgasv1.html
[2015-09-29 08:13:36,632][DEBUG][action.search.type       ] [master] [awgasv1.html][0], node[NC2z-jpoSh6uGbllA4fGcQ], [R], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][0]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,634][DEBUG][action.search.type       ] [master] [awgasv1.html][3], node[U0CUUzB8SwKlfzatrCsdFg], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,636][DEBUG][action.search.type       ] [master] [awgasv1.html][1], node[N9Z7j6TbQjaSdIkBIHoSgw], [R], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][1]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,643][DEBUG][action.search.type       ] [master] [awgasv1.html][2], node[mHZaE0aCSQ2lOLzV0AEn-w], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][2]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{
[2015-09-29 08:13:36,646][DEBUG][action.search.type       ] [master] [awgasv1.html][4], node[N9Z7j6TbQjaSdIkBIHoSgw], [P], s[STARTED]: Failed to execute [org.elasticsearch.action.search.SearchRequest@10555f9c] lastShard [true]
Caused by: org.elasticsearch.search.SearchParseException: [awgasv1.html][4]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{

Give me please some advice.


(Magnus Bäck) #2

Is your ES instance open to the internet? It looks like someone is trying to exploit vulnerabilities in other programs.


(IT2) #3

What do you mean, the worldwide internet?
This cluster is in my LAN and is used only in my network.


(Mark Walkom) #4

Someone is making requests to your cluster that end up with these being created.
You can disable auto creation of indices if you want - action.auto_create_index: false in elasticsearch.yml.


(IT2) #5

I need the logstash index to be auto-created every day;
will this option disable it?


(Mark Walkom) #6

No because you are leveraging a template for Logstash.


(IT2) #7

Thanks, I will try!


(IT2) #8

I didn't have any time to set up this option yesterday, and today in the logs I see

[2015-09-30 08:14:24,651][INFO ][cluster.metadata         ] [master] [perl] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:31,222][INFO ][cluster.metadata         ] [master] [spipe] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:41,712][INFO ][cluster.metadata         ] [master] [webui] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [apps]
[2015-09-30 08:15:04,150][INFO ][cluster.metadata         ] [master] [flex2gateway] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [http]
[2015-09-30 08:15:05,062][INFO ][cluster.metadata         ] [master] [messagebroker] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [http]
[2015-09-30 08:15:05,720][INFO ][cluster.metadata         ] [master] [blazeds] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [messagebroker]
[2015-09-30 08:15:06,719][INFO ][cluster.metadata         ] [master] [lcds] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [messagebroker]
[2015-09-30 08:15:07,206][INFO ][cluster.metadata         ] [master] [asvnpo1.html] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:15:08,015][INFO ][cluster.metadata         ] [master] [phppath] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [php]

So as I understand it, they are created by the index API? How can I prevent it?
Thanks
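Added example, not code from the thread: a small Python checker that reads cluster.metadata "creating index" lines like the ones above and reports every created index whose name is not the daily logstash-* index, tagging names that match those seen in this thread. The logstash sample line, the logstash-* allowlist pattern and the "six letters + 1.html" heuristic are assumptions drawn from the thread, not facts about any scanner.

```python
import re

# Constructed sample: three cluster.metadata lines quoted in the thread plus one
# made-up Logstash daily index line for contrast.
SAMPLE_LOG = """\
[2015-09-30 08:14:24,651][INFO ][cluster.metadata         ] [master] [perl] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 08:14:41,712][INFO ][cluster.metadata         ] [master] [webui] creating index, cause [auto(index api)], templates [], shards [5]/[1], mappings [apps]
[2015-09-30 08:15:07,206][INFO ][cluster.metadata         ] [master] [asvnpo1.html] creating index, cause [api], templates [], shards [5]/[1], mappings []
[2015-09-30 00:00:01,000][INFO ][cluster.metadata         ] [master] [logstash-2015.09.30] creating index, cause [auto(bulk api)], templates [logstash], shards [5]/[1], mappings [_default_]
"""

# Shape of the "creating index" lines written by ES 1.x cluster.metadata.
CREATE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[INFO \]\[cluster\.metadata\s*\] \[(?P<node>[^\]]+)\] "
    r"\[(?P<index>[^\]]+)\] creating index, cause \[(?P<cause>[^\]]+)\]"
)

# Assumption: only the daily Logstash index is legitimate on this cluster.
EXPECTED = re.compile(r"^logstash-\d{4}\.\d{2}\.\d{2}$")
# Names taken from the logs quoted in the thread.
PROBE_NAMES = {"perl", "spipe", "webui", "flex2gateway", "messagebroker",
               "blazeds", "lcds", "phppath"}
# Every *.html name in the thread is six lowercase letters followed by "1.html".
RANDOM_HTML = re.compile(r"^[a-z]{6}1\.html$")


def classify(index):
    """Label an index name; anything not 'expected' deserves a look."""
    if EXPECTED.match(index):
        return "expected"
    if index in PROBE_NAMES:
        return "known-probe-name"
    if RANDOM_HTML.match(index):
        return "random-html-probe"
    return "unknown"


def audit(log_text):
    """Return one finding per unexpected index creation, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = CREATE_RE.match(line)
        if not m or classify(m["index"]) == "expected":
            continue
        # cause [api] is an explicit create-index request; cause [auto(...)]
        # means a document was indexed into a name that did not exist yet.
        findings.append({"ts": m["ts"], "index": m["index"],
                         "cause": m["cause"], "label": classify(m["index"])})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f['ts']}  {f['index']:<16} {f['cause']:<16} {f['label']}")
```

Note that action.auto_create_index only affects the auto(...) causes; a cause [api] creation is an explicit create-index call and is only stopped by keeping the HTTP port away from whoever sends it.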


(David Pilato) #9

It sounds to me like your injector is misconfigured or that a colleague is sending you some PUT requests.

Looks like you are creating an index instead of documents.

What is your elasticsearch logstash config?


(IT2) #10

elasticsearch.yml http://pastebin.com/3t29HKfv
logstash.conf http://pastebin.com/cRJqQHnV


(David Pilato) #11

So it's not logstash, as logstash with this configuration will only write events to logstash-* indices. Definitely someone is sending some PUT requests over your network to your elasticsearch instance.


(IT2) #12

Thanks for the explanation.
Can I trace it somehow?


(David Pilato) #13

You can probably install Shield plugin and activate auditing.


(Levichen) #14

Hi it2,

I also found these strange indexes in my ES cluster,
such as flex2gateway, spipe, arneav1.html etc.
And I found the reason!

Do you ever use a vulnerability scanner such as Nessus to scan the LAN your ES cluster is on?

I found these strange indexes and deleted them; after a while I checked and there were no strange indexes in my ES cluster.
Then I scanned the ES cluster via Nessus and these strange indexes had been created again!

So I think it is Nessus doing this.


(IT2) #15

Oh. I have Nessus in my LAN...
I will exclude the cluster from scanning!
THANKS!


(Satish) #16

Interesting thread. I also see indices with exactly the same names in my cluster. However I am not sure whether any scans are happening on it. It could be possible.
index
ngnrge1.html
lcds
ngpsvw1.html
perl
pvwvpp1.html
webui
spipe
messagebroker
blazeds
phppath
evrers1.html
flex2gateway


(IT2) #17

The answer is above - NESSUS.
Check your network for scanner activity.

