Unable to login to Kibana

Good Afternoon.

I have been working with OpenShift and ElasticSIEM for 6 months now. For the first 5 I was learning the installation process and getting up to speed. I am able to install ElasticSIEM without containers and get logged in as well.

Where I am having issues at the moment is this: in my first installation of ElasticSIEM in a containerized environment I can get to the Kibana login screen, which is great. I have not assigned any user or password, so I have tried using elastic as the username and changeme as the password. This has not worked; it returns "Incorrect username and/or password". So I have tried the login I use to connect to OpenShift, and that also does not work.

When I review the Kibana logs, there is nothing in them that indicates any misconfiguration.

Is there a first-time username and password that I am missing?

Thank you all for your assistance and help.

After further investigation I believe the root of my problem stems from the following error when trying to open Elasticsearch in a web browser:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

The configuration is a 3-node Elasticsearch cluster. I see no errors in the logs on Node0 of the Elasticsearch cluster.

I have tried to pass the credentials using curl -X GET "http://localhost:9200" -u elastic:pass123 to no effect. I have tried to create a new user and to reset the credentials as per reset credentials.

All to no avail. When I have set up an ELK stack in the past with a solo Elasticsearch it was not an issue; this is my first cluster setup and I am in need of help.

Does anyone have any ideas on where I should look or what I should look for?

Thank you for your help, as always it is much appreciated.

Mike

I am also having this same issue. Would be curious to see if anyone has a solution for us.

Hi @Mike_Kirby and @TristanJ, welcome to the community.

One was actually installed at install time, assuming you enabled security.

You can reset the elastic password with the

From one of the nodes that is up and running:

./bin/elasticsearch-reset-password -u elastic

Try that and let us know what happens.

For both of you: always include the version of the Elastic Stack, what your install method is, and any other helpful information. The more you provide... the more we can help.

What version are you on?

Did you create certificates etc. manually or with the auto-setup?

Thank you for the reply, Stephen.

I tried the reset password and it did not help me out. I will try again when I am back in front of the installation just to confirm.

Here is more information regarding the ElasticSIEM I am using.

8.11.4 for Elasticsearch, Kibana and Logstash.
It is installed as a 3-system cluster (ES0, ES1, ES2) in an OpenShift Linux (Red Hat) container. The certificates were set up automatically; I did not set them up.

Hope this helps with the configuration and answer.

As always your feedback is great.

Mike

After you have reset the password from the container, can you curl directly to Elasticsearch and get a response?

From the container:

curl -k -v -u elastic https://localhost:9200

Also, what method did you use to install on OpenShift?

How do you know that Elasticsearch is even running?

And when you say the certificates were set up automatically, what method did you use to install Elasticsearch on OpenShift?

Hello Stephen,

When I try to change the password for elastic, no matter which cluster device I try I receive the following error.

You asked how I know the elasticsearch cluster is running. Inside the OpenShift User Interface I see this, which indicates that the cluster is functioning.

In order to install the software I used the OpenShift Graphical Interface. I first downloaded the 8.11.4 version of Elasticsearch/Kibana/Logstash to an internet-connected system. Then I created .tar files to transfer them to the environment I am working in.

Once I had access to the environment I am working in, I tagged them and uploaded them into our quay.io site.

To Install on OpenShift I took the following steps:

  1. In the OpenShift User Interface I created a project.
  2. Selected Operators --> Installed Operators
  3. Clicked on Elasticsearch Clusters
  4. Created Elasticsearch Cluster
  5. Named the Cluster elasticsiem
    a. Set the Version as 8.11.4
    b. Set revision history to 2
    c. Image --> copied the elasticsearch tag from our quay.io repository
  6. Saved the settings and it then created the Elasticsearch cluster.

There is so much to unpack here which I can't do right this moment.

I suspect you don't actually have a cluster running. You actually probably have three separate nodes running as three separate clusters. I might be wrong... But unless you knew how to configure the discovery etc., I don't think it's really working the way you think.

What configuration changes did you make to the elasticsearch.yml file for all those nodes?

Can you please run the curl command I gave you? It's okay if it does not even log in. I want to see how all the certs and everything are set.

Show the command and the full results.

The recommended approach to installing on OpenShift is this:

Here is the result of running the curl command:

curl -k -v -u elastic https://localhost:9200
Enter host password for user 'elastic':
*   Trying ::1:9200...
* TCP_NODELAY set
* Connected to localhost (::1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=elasticsearch; CN=elasticsearch-es-http.elasticsiem.es.local
*  start date: Feb 21 18:45:47 2024 GMT
*  expire date: Feb 20 18:55:47 2025 GMT
*  issuer: OU=elasticsearch; CN=elasticsearch-http
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==
> User-Agent: curl/7.68.0
> Accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: ApiKey
< content-type: application/json
< content-length: 465
< 
* Connection #0 to host localhost left intact
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

Stephen,

When following the deployment in the document you referenced above, "Deploy ECK on OpenShift", it indicates the route as Route.openshift.io/v1. In my environment, should I enter the URL of my OpenShift installation? As an example:

apiVersion: route.openshift.myurl.ca/v1
kind: Route
metadata:
  name: elasticsearch-sample
spec:

Apologies, I am not an OpenShift expert... If that makes sense, try it.

Hi Stephen,

I am by far not an expert in any of this.

When I run the curl command, I get an "Enter host password for user 'elastic':" response. I tried "changeme" as that is what I am seeing online as the default password, but then got this returned:

* Connected to localhost (127.0.0.1) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=256-BUR-LVM
*  start date: Feb 21 16:25:16 2024 GMT
*  expire date: Feb 20 16:25:16 2026 GMT
*  issuer: CN=Elasticsearch security auto-configuration HTTP CA
*  SSL certificate verify result: self-signed certificate in certificate chain (19), continuing anyway.
* Server auth using Basic with user 'elastic'
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
> GET / HTTP/1.1
> Host: localhost:9200
> Authorization: Basic ZWxhc3RpYzpwYXNz
> User-Agent: curl/7.81.0
> Accept: */*
> 
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.2 (IN), TLS header, Supplemental data (23):
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="security" charset="UTF-8"
< WWW-Authenticate: Bearer realm="security"
< WWW-Authenticate: ApiKey
< content-type: application/json
< content-length: 465
< 
* Connection #0 to host localhost left intact
{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}

No, that is not correct; not sure where you got that from... but the good part is that it looks like it connected and tried to authenticate.

The expectation is that you would have a working knowledge of your environment; I understand that deploying Elasticsearch on OpenShift is not the easiest to do, so unfortunately, it may be a bit harder.

You need to go and look at the instructions here for getting the password.

You will need to replace quickstart-es-http with your service name.

kubectl get service quickstart-es-http

  1. Get the credentials. A default user named elastic is automatically created with the password stored in a Kubernetes secret:

PASSWORD=$(kubectl get secret quickstart-es-elastic-user -o go-template='{{.data.elastic | base64decode}}')

  2. Request the Elasticsearch endpoint. From inside the Kubernetes cluster:

curl -u "elastic:$PASSWORD" -k "https://quickstart-es-http:9200"

You should reference other parts of the documentation, specifically the quick start, which should help guide you, but you will need to translate to OpenShift.

Also, please always show the command you run AND the output... to format the command/output, you do that by putting 3 backticks before and after the code ou

Plus you did not share your ECK code so I do not have any idea what you actually deployed.

I will be busy for a day or two and will check back....

If you are not an OpenShift expert, perhaps you should just try the Docker installation here...
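Pulling together the two 401 bodies posted earlier in the thread and the ECK credential steps just above, here is an added Python example (not code from the thread, from Elastic or from ECK) that tells the two failures apart and decodes the elastic-user Secret the same way the go-template in the docs does. The two sample JSON bodies are copied from the thread's browser and curl output; the Secret document and the password inside it are constructed, and the cluster name `elasticsiem` is taken from Mike's description. ECK's naming convention (`<cluster>-es-http` for the Service, `<cluster>-es-elastic-user` for the Secret) is assumed from the quickstart names quoted above; the certificate subject in Mike's curl output, `elasticsearch-es-http.elasticsiem.es.local`, reads like a cluster named `elasticsearch` in a namespace `elasticsiem`, but that is an inference, not something the thread confirms.

```python
"""Added example (not from the thread, Elastic or ECK): classify Elasticsearch 401
bodies and decode the ECK elastic-user Secret."""
import base64
import json
import re

# Sample 1, copied from the thread: the body the browser received (no Authorization header sent).
NO_CREDS_BODY = r'''{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}'''

# Sample 2, copied from the thread: the body `curl -u elastic` received (credentials sent, rejected).
REJECTED_BODY = r'''{"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"unable to authenticate user [elastic] for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}'''

# Constructed Secret, shaped like `kubectl get secret elasticsiem-es-elastic-user -o json`
# prints; the password inside is a made-up value ("example-pw"), not anything from the thread.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "elasticsiem-es-elastic-user", "namespace": "elasticsiem"},
    "data": {"elastic": "ZXhhbXBsZS1wdw=="},  # base64 of the constructed "example-pw"
})


def classify_es_401(body: str) -> dict:
    """Classify an Elasticsearch security_exception body.

    'no_credentials_sent': the client sent no Authorization header (a plain browser GET).
    'credentials_rejected': a user name was sent but the password was wrong; 'user' is set.
    'other': anything else (not a 401 security_exception).
    """
    doc = json.loads(body)
    err = doc.get("error", {})
    reason = err.get("reason", "")
    result = {"kind": "other", "status": doc.get("status"), "reason": reason}
    if doc.get("status") != 401 or err.get("type") != "security_exception":
        return result
    if reason.startswith("missing authentication credentials"):
        result["kind"] = "no_credentials_sent"
    else:
        m = re.match(r"unable to authenticate user \[([^\]]+)\]", reason)
        if m:
            result["kind"] = "credentials_rejected"
            result["user"] = m.group(1)
    # The server advertises the schemes it accepts (Basic, Bearer, ApiKey); useful when
    # deciding whether automation should use a password or an API key.
    www_auth = err.get("header", {}).get("WWW-Authenticate", [])
    result["schemes"] = [h.split()[0] for h in www_auth]
    return result


def eck_names(cluster: str) -> dict:
    """Assumed ECK convention: Service, Secret and in-cluster URL derived from the CR name."""
    return {
        "service": f"{cluster}-es-http",
        "secret": f"{cluster}-es-elastic-user",
        "url": f"https://{cluster}-es-http:9200",
    }


def elastic_password_from_secret(secret_json: str) -> str:
    """Decode .data.elastic from `kubectl get secret <cluster>-es-elastic-user -o json`.

    This is the same operation as the go-template `{{.data.elastic | base64decode}}`
    quoted above; Kubernetes stores Secret data base64-encoded, not encrypted.
    """
    secret = json.loads(secret_json)
    encoded = secret["data"]["elastic"]
    return base64.b64decode(encoded).decode("utf-8")


if __name__ == "__main__":
    for label, body in (("browser", NO_CREDS_BODY), ("curl -u elastic", REJECTED_BODY)):
        print(label, "->", classify_es_401(body)["kind"])
    names = eck_names("elasticsiem")
    print("secret to read:", names["secret"], "| endpoint:", names["url"])
    print("decoded sample password:", elastic_password_from_secret(SAMPLE_SECRET))
```

Read against the thread: Mike's browser error classifies as no_credentials_sent, so it says nothing about whether the password is right; both curl results classify as credentials_rejected for user elastic, which is why guessing a default such as changeme cannot work on an ECK-managed cluster and the password has to be read from the Secret (with `oc` in place of `kubectl` on OpenShift).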

Hi Stephen,

Sorry, I should have been more specific. I am indeed running in a Docker container on Ubuntu.

Sorry for the confusion.

When I said I was having the same issue as Mike, I more meant this password issue. I should have specified.