Audit_transport_headers._system_index_access_allowed false

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.8.0

Describe the issue:

When trying to create an index from Filebeat 7.10.2, I got this Secure Log:


audit_category: INDEX_EVENT
audit_cluster_name: 1c-logserver
audit_format_version: 4
audit_node_host_address: 192.168.168.63
audit_node_host_name: 192.168.168.63
audit_node_id: hfOU5eAzR-SrnwGXiNaVuQ
audit_node_name: 1c-logserver-ingest-02.some.dev
audit_request_effective_user: admin
audit_request_layer: TRANSPORT
audit_request_origin: REST
audit_request_privilege: indices:admin/template/put
audit_request_remote_address: 192.168.165.142
audit_trace_indices: techlog-*
audit_trace_task_id: hfOU5eAzR-SrnwGXiNaVuQ:1630162
audit_transport_headers._system_index_access_allowed: false
audit_transport_request_type: PutIndexTemplateRequest

and the index wasn't created. The user is admin with all privileges.

Configuration:

Relevant Logs or Screenshots:

@kam Could you describe how your Filebeat connects to OpenSearch?
Do you use Logstash with Filebeat, or does it connect directly to OpenSearch?

What version of Filebeat did you use? Was it OSS?

Without Logstash, using Filebeat (Filebeat 7.10.2 | Elastic).
OpenSearch is 2.8.
Connecting via HAProxy, balancing across 2 ingest nodes.

output.elasticsearch:
  hosts: ["https://1c-logserver.some.dev:9200"]
  username: "admin"
  password: "1qew@4tg"
  pipeline: techlog
  index: "techlog-%{[fields.log_type]}-%{+yyyy.MM.dd}"
  ssl.verification_mode: none

The host in the output is the HAProxy balancer in front of 2 ingest nodes.
For testing, I pointed it directly at an ingest node for now:

output.elasticsearch:
  hosts: ["https://1c-logserver-ingest-01.some.dev:9200"]
  username: "admin"
  password: "1qew@4tg"
  pipeline: techlog
  index: "techlog-%{[fields.log_type]}-%{+yyyy.MM.dd}"
  ssl.verification_mode: none

Filebeat Log:

2023-07-04T12:24:06.310+0700	INFO	instance/beat.go:645	Home path: [C:\filebeat] Config path: [C:\filebeat] Data path: [C:\ProgramData\filebeat] Logs path: [C:\ProgramData\filebeat\logs]
2023-07-04T12:24:06.314+0700	INFO	instance/beat.go:653	Beat ID: 97fc33d1-4cb5-490e-a427-9062719a6a38
2023-07-04T12:24:06.314+0700	INFO	[beat]	instance/beat.go:981	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\filebeat", "data": "C:\\ProgramData\\filebeat", "home": "C:\\filebeat", "logs": "C:\\ProgramData\\filebeat\\logs"}, "type": "filebeat", "uuid": "97fc33d1-4cb5-490e-a427-9062719a6a38"}}}
2023-07-04T12:24:06.314+0700	INFO	[beat]	instance/beat.go:990	Build info	{"system_info": {"build": {"commit": "aacf9ecd9c494aa0908f61fbca82c906b16562a8", "libbeat": "7.10.2", "time": "2021-01-12T22:12:21.000Z", "version": "7.10.2"}}}
2023-07-04T12:24:06.315+0700	INFO	[beat]	instance/beat.go:993	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"386","max_procs":2,"version":"go1.14.12"}}}
2023-07-04T12:24:06.317+0700	INFO	[beat]	instance/beat.go:997	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2023-06-06T11:50:03.77+07:00","name":"1c-subs","ip":["192.168.166.181/24","::1/128","127.0.0.1/8"],"kernel_version":"6.3.9600.18202 (winblue_ltsb.160119-0600)","mac":["00:50:56:99:05:9f"],"os":{"family":"windows","platform":"windows","name":"Windows Server 2012 R2 Standard","version":"6.3","major":3,"minor":0,"patch":0,"build":"9600.0"},"timezone":"+07","timezone_offset_sec":25200,"id":"ec0b172c-27ec-441b-946e-2215647984c0"}}}
2023-07-04T12:24:06.318+0700	INFO	[beat]	instance/beat.go:1026	Process info	{"system_info": {"process": {"cwd": "C:\\Windows\\system32", "exe": "C:\\filebeat\\filebeat.exe", "name": "filebeat.exe", "pid": 14828, "ppid": 540, "start_time": "2023-07-04T12:24:06.247+0700"}}}
2023-07-04T12:24:06.318+0700	INFO	instance/beat.go:299	Setup Beat: filebeat; Version: 7.10.2
2023-07-04T12:24:06.318+0700	INFO	eslegclient/connection.go:99	elasticsearch url: https://1c-logserver-ingest-01.some.dev:9200
2023-07-04T12:24:06.318+0700	WARN	[tls]	tlscommon/tls_config.go:93	SSL/TLS verifications disabled.
2023-07-04T12:24:06.318+0700	INFO	[publisher]	pipeline/module.go:113	Beat name: 1c-subs
2023-07-04T12:24:06.319+0700	INFO	instance/beat.go:455	filebeat start running.
2023-07-04T12:24:06.319+0700	INFO	[monitoring]	log/log.go:118	Starting metrics logging every 30s
2023-07-04T12:24:06.321+0700	INFO	memlog/store.go:119	Loading data file of 'C:\ProgramData\filebeat\registry\filebeat' succeeded. Active transaction id=0
2023-07-04T12:24:06.321+0700	INFO	memlog/store.go:124	Finished loading transaction log file for 'C:\ProgramData\filebeat\registry\filebeat'. Active transaction id=0
2023-07-04T12:24:06.322+0700	INFO	[registrar]	registrar/registrar.go:109	States Loaded from registrar: 0
2023-07-04T12:24:06.322+0700	INFO	[crawler]	beater/crawler.go:71	Loading Inputs: 0
2023-07-04T12:24:06.322+0700	INFO	[crawler]	beater/crawler.go:108	Loading and starting Inputs completed. Enabled inputs: 0
2023-07-04T12:24:06.322+0700	INFO	cfgfile/reload.go:164	Config reloader started

For OpenSearch 2.8, do I need the latest Filebeat OSS (Download Filebeat - OSS • Lightweight Log Analysis | Elastic)?

@kam Please check OpenSearch documentation.