What dose "realm_authentication_failed" really mean?

ITzhangqiang · August 18, 2022, 3:18am

In auditlog,I saw the log below, what dose "realm_authentication_failed" really mean, this query was normal，why "realm_authentication_failed"?

{
    "type":"audit",
    "timestamp":"2022-08-18T02:35:15,041+0000",
    "node.id":"xxxxxxxx",
    "event.type":"rest",
    "event.action":"realm_authentication_failed",
    "user.name":"xxxxxxx",
    "origin.type":"rest",
    "origin.address":"xxxxxxx",
    "realm":"reserved",
    "url.path":"/indexAAA/_search",
    "url.query":"typed_keys=true&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true",
    "request.method":"POST",
    "request.body":"{\"from\":10,\"size\":10,\"query\":{\"bool\":{\"must\":[{\"term\":{\"logname\":{\"value\":\"xxxxxx\",\"boost\":1.0}}},{\"range\":{\"logtime-UTC\":{\"from\":\"2022-08-11 00:00:00\",\"to\":\"2022-08-18 10:34:56\",\"include_lower\":true,\"include_upper\":true,\"time_zone\":\"Asia/Shanghai\",\"format\":\"yyyy-MM-dd HH:mm:ss\",\"boost\":1.0}}},{\"bool\":{\"should\":[{\"term\":{\"serverid\":{\"value\":\"xxxx\",\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},{\"match\":{\"userid\":{\"query\":\"xxxxxxx\",\"operator\":\"OR\",\"prefix_length\":0,\"max_expansions\":50,\"fuzzy_transpositions\":true,\"lenient\":false,\"zero_terms_query\":\"NONE\",\"auto_generate_synonyms_phrase_query\":true,\"boost\":1.0}}},{\"match\":{\"roleid\":{\"query\":\"xxxxxx\",\"operator\":\"OR\",\"prefix_length\":0,\"max_expansions\":50,\"fuzzy_transpositions\":true,\"lenient\":false,\"zero_terms_query\":\"NONE\",\"auto_generate_synonyms_phrase_query\":true,\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"sort\":[{\"logtime\":{\"order\":\"asc\"}}],\"track_total_hits\":2147483647}",
    "request.id":"xxxxxxx"
}

Yang_Wang · August 18, 2022, 3:55am

realm_authentication_failed is not enabled by default in audit logs. It is logged if a realm’s attempt to authenticate a user, but is not successful. This may not be a problem at all because another realm may later successfully authenticate the user.

ITzhangqiang · August 18, 2022, 6:00am

I'm pretty sure there's nothing wrong with the username and password,so what caused this " realm_authentication_failed"

TimV · August 18, 2022, 7:20am

It almost certainly means that the user (which you've masked out from your log) doesn't exist in the reserved realm. Therefore the reserved realm failed to authenticate the user.

As @Yang_Wang said:

This may not be a problem at all because another realm may later successfully authenticate the user.

ITzhangqiang · August 18, 2022, 7:41am

Why verify that a user exists in the reserved realm？Or what is the point of this log

ITzhangqiang · August 18, 2022, 7:53am

Thanks for your reply，I have another problem，what dose "anonymous_access_denied" really mean?
In the auditlog, I saw the log below. But the query executes successfully,why dose "anonymous_access_denied" recorded in logs?

{
    "type":"audit",
    "timestamp":"2022-08-18T07:30:41,843+0000",
    "node.id":"xxxxxxxxx",
    "event.type":"rest",
    "event.action":"anonymous_access_denied",
    "origin.type":"rest",
    "origin.address":"xxxxxxxx",
    "url.path":"/idnexBBBB/_search",
    "url.query":"pre_filter_shard_size=128&typed_keys=true&max_concurrent_shard_requests=5&ignore_unavailable=false&expand_wildcards=open&allow_no_indices=true&ignore_throttled=true&scroll=1m&search_type=query_then_fetch&batched_reduce_size=512&ccs_minimize_roundtrips=true",
    "request.method":"POST",
    "request.body":"{\"size\":10000,\"query\":{\"bool\":{\"must\":[{\"term\":{\"jobid\":{\"value\":xxxxxx,\"boost\":1.0}}},{\"range\":{\"logtime\":{\"from\":\"2022-08-18 14:30:43\",\"to\":\"2022-08-19 14:30:43\",\"include_lower\":true,\"include_upper\":true,\"time_zone\":\"+08:00\",\"format\":\"yyyy-MM-dd HH:mm:ss\",\"boost\":1.0}}}],\"adjust_pure_negative\":true,\"boost\":1.0}},\"sort\":[{\"logtime\":{\"order\":\"asc\"}},{\"linenum\":{\"order\":\"asc\"}}]}",
    "request.id":"xxxxxxxxxx"
}

ITzhangqiang · August 18, 2022, 7:59am

It is described as follows in official documents：
anonymous_access_denied：
"Logged when a request is denied due to missing authentication credentials.",However, the query in the log above was successfully executed and authenticated，so I'm confused.

Topic		Replies	Views
Security audit index shows tons of fake failed authentications/min (5.1.1) - SOLVED Elasticsearch	3	1355	March 6, 2017
User name and realm information in audit logs (user.name user.realm authentication_success user.run_by.name) Elasticsearch elastic-stack-security	1	503	March 15, 2019
Trace source of authentication failures from logs Elasticsearch	2	185	June 7, 2023
Authentication of [elastic] was terminated by realm [reserved] Elasticsearch docker	1	639	December 21, 2022
Authentication to realm default native failed - Password authentication failed for xyz Elasticsearch elastic-stack-security	3	1104	May 31, 2021

What dose "realm_authentication_failed" really mean?

Related topics