elastalert and search guard #605

Open
LazyerHong opened this issue Jun 29, 2016 · 4 comments
Comments

@LazyerHong

In Elasticsearch, I installed Search Guard, which implements access control for Elasticsearch. Now I want to use ElastAlert for alerting.
Is ElastAlert compatible with Search Guard?
I think it would be wonderful if Elasticsearch ran well with both ElastAlert and Search Guard!
Thanks!

@Qmando
Member

Qmando commented Jun 29, 2016

ElastAlert supports HTTPS and basic auth (username + password). I'm not sure if that's all that's necessary to use it with search guard, as I've never used search guard. I would like to hear from someone if that does work or not.

@LazyerHong
Author

How do you solve the problem of access control in Elasticsearch if you are not using Search Guard? Is there a good way?

@rudijs

rudijs commented Jul 6, 2016

@Qmando I've been working on and off for a few weeks on Elastalert to Elasticsearch w/ Search Guard installed.

No joy as yet - but getting very close.

I've forked this repo and have been trying with minor edits to create_index.py and elastalert.py.

For example:

    from elasticsearch import Elasticsearch, RequestsHttpConnection

    # host, port, use_ssl, http_auth, url_prefix and send_get_body_as are the
    # values ElastAlert already reads from its config; the TLS client
    # certificate settings below are the edit.
    es = Elasticsearch(
        host=host,
        port=port,
        use_ssl=use_ssl,
        connection_class=RequestsHttpConnection,
        http_auth=http_auth,
        url_prefix=url_prefix,
        send_get_body_as=send_get_body_as,
        # ca_certs='/opt/secrets/ea.ca',
        # verify_certs=True,
        client_cert='/opt/secrets/ea.crt',  # client certificate presented to Search Guard
        client_key='/opt/secrets/ea.key',   # matching private key
        ssl_version='TLSv1',
    )

Using both GET and POST I'm stuck with 400 (bad request) responses from index queries:

WARNING:elasticsearch:GET https://172.30.151.164:9200/api-qa*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&size=10000 [status:400 request:0.033s]

Extended error output:

WARNING:elasticsearch:POST https://172.30.151.164:9200/api-qa*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&size=10000 [status:400 request:0.042s]
ERROR:root:Traceback (most recent call last):
  File "/opt/elastalert/elastalert/elastalert.py", line 761, in run_all_rules
    num_matches = self.run_rule(rule, endtime, self.starttime)
  File "/opt/elastalert/elastalert/elastalert.py", line 554, in run_rule
    if not self.run_query(rule, rule['starttime'], endtime):
  File "/opt/elastalert/elastalert/elastalert.py", line 434, in run_query
    data = self.get_hits(rule, start, end, index)
  File "/opt/elastalert/elastalert/elastalert.py", line 316, in get_hits
    if len(str(e)) > 1024:
  File "build/bdist.linux-x86_64/egg/elasticsearch/exceptions.py", line 55, in __str__
    cause = ', %r' % self.info['error']['root_cause'][0]['reason']
TypeError: string indices must be integers

The strange thing is GET or POST to the URL above works fine from the command line.

curl -k --key /opt/secrets/ea.key --cert /opt/secrets/ea.crt 'https://172.30.151.164:9200/api-qa*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&size=10000'

So kinda stuck at this time, any tips or guidance would be appreciated.
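The TypeError at the bottom of that traceback is a second, separate problem: elasticsearch-py's exception formatting indexes `info['error']['root_cause'][0]['reason']` unconditionally, so when the 400 body (or its `error` field) is a plain string rather than an Elasticsearch-style error object, the formatter crashes and the server's real rejection message never reaches the log. The following is an added example, not code from this issue, ElastAlert or elasticsearch-py: a tolerant formatter for the decoded body stored on `TransportError.info`, with constructed sample bodies standing in for real responses.

```python
import json


def error_reason(status_code, info):
    """Return a loggable reason for an HTTP error regardless of body shape.

    `info` is the decoded response body as elasticsearch-py keeps it on
    TransportError.info: a dict for a normal Elasticsearch error, but possibly a
    plain string, bytes or None when a plugin in front of the search layer
    rejects the request before Elasticsearch builds its usual error object.
    """
    fmt = 'HTTP %d: %s'
    if info is None:
        return 'HTTP %d (no response body)' % status_code
    if isinstance(info, bytes):
        info = info.decode('utf-8', 'replace')
    if isinstance(info, str):
        # Some responses carry JSON inside a string; parse once, else use raw text.
        try:
            parsed = json.loads(info)
        except ValueError:
            return fmt % (status_code, info.strip())
        if not isinstance(parsed, dict):
            return fmt % (status_code, info.strip())
        info = parsed
    error = info.get('error')
    if isinstance(error, dict):
        # The shape elasticsearch-py's __str__ expects, checked step by step.
        root_cause = error.get('root_cause')
        if isinstance(root_cause, list) and root_cause and isinstance(root_cause[0], dict):
            if root_cause[0].get('reason'):
                return fmt % (status_code, root_cause[0]['reason'])
        if error.get('reason'):
            return fmt % (status_code, error['reason'])
    if isinstance(error, str):
        # The case that crashed the original formatter: 'error' is a bare string.
        return fmt % (status_code, error)
    # Unknown shape: log the whole body rather than raise inside error handling.
    return fmt % (status_code, json.dumps(info, sort_keys=True))


# Constructed sample bodies, not captured from a real cluster.
ES_STYLE_BODY = {'error': {'root_cause': [{'type': 'index_not_found_exception',
                                           'reason': 'no such index'}]}}
STRING_ERROR_BODY = {'error': 'Bad Request'}
PLAIN_TEXT_BODY = 'no permissions for indices:data/read/search'
```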

@floragunn