Closed n4ll3ec closed 5 years ago
Hello @fl4nker ,
The problem you are facing comes from X-Pack security roles. The message [indices:data/read/search] is unauthorized for user [kibana] means the user kibana is having trouble fetching the .wazuh index; that index is a Wazuh app index.
At this point you have two solutions:
1) Use the elastic user instead of the kibana user when logging in to the UI, and use it in your kibana.yml file too.
2) Follow our X-Pack guide to fully configure each role https://documentation.wazuh.com/current/user-manual/kibana-app/configure-xpack/index.html
I hope it helps. Best regards, Jesús
Thanks for your help! @jesusgn90 As mentioned in my post, I use the elastic user in my Kibana configuration file and also use it to log in to the Kibana UI; it doesn't work. I'll try the second solution, thanks again.
Hi @fl4nker ,
The second solution is the right way. In any case, "is unauthorized for user [kibana]" is telling you that you are using the user kibana when logging in to the UI. Give the elastic user a try, because it's the admin user, so it must work.
Let us know @fl4nker !
Best regards, Jesús
Thanks again! @jesusgn90
But I'm so sorry to say that solution 2 also failed. I'm so confused!! I went through all the steps that you mentioned in solution 2 (wazuh-configure-xpack), but it just failed, no matter whether I use the elastic user or the newly created wazuh_system user.
Let me give you some screenshots here:
Hello again @fl4nker ,
That's pretty weird because we tested it again a week ago. In any case, it seems like you are still using kibana as the UI user ([indices:data/read/search] is unauthorized for user [kibana]).
Let's use the elastic user for both UI and server. Please take a look at your /etc/kibana/kibana.yml and ensure you are using elastic as the server user:
elasticsearch.username: "elastic"
elasticsearch.password: "elastic_pass"
If you modified the file, please restart Kibana:
# systemctl restart kibana
Now please open a new incognito window in your browser (it works better with Chrome) and log in to the Kibana UI using the user elastic (same as the kibana.yml user).
This must work because the elastic user is superadmin in Elasticsearch.
Once you are done using the elastic user we can continue creating more users and roles; for now, my goal is to make it work using only the elastic user.
Best regards, Jesús
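The check described in the comment above can be scripted. This is an added example, not part of the thread and not Wazuh or Elastic code: it compares the user named in the security_exception with the active elasticsearch.username in a kibana.yml text and with the UI login. The function names, the sample file and the flat-key-only parsing are assumptions.

```python
import re

# Handles flat dotted keys only, as in the kibana.yml lines quoted above
# (assumption: the nested "elasticsearch:" mapping form is out of scope).
SETTING_RE = re.compile(r'^\s*elasticsearch\.username\s*:\s*(.*?)\s*$')
DENIED_RE = re.compile(r'action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]')

# Constructed sample file; the error string is the one quoted in this thread.
SAMPLE_YML = '''\
# elasticsearch.username: "kibana"
elasticsearch.username: "elastic"
elasticsearch.password: "****"
'''
THREAD_ERROR = ('{"message":"2001 - [security_exception] action '
                '[indices:data/read/search] is unauthorized for user [kibana]",'
                '"code":2001,"statusCode":500}')

def configured_users(yml_text):
    """Every uncommented elasticsearch.username value, in file order."""
    users = []
    for line in yml_text.splitlines():
        m = SETTING_RE.match(line)  # a leading '#' prevents a match
        if m:
            users.append(m.group(1).strip('"\''))
    return users

def denied(error_text):
    """(action, user) from a security_exception message, or None."""
    m = DENIED_RE.search(error_text)
    return m.groups() if m else None

def diagnose(yml_text, error_text, ui_user):
    """Say which identity Elasticsearch rejected, relative to the config."""
    users, hit = configured_users(yml_text), denied(error_text)
    findings = []
    if len(users) != 1:
        findings.append('expected one active elasticsearch.username, found %d' % len(users))
    if hit is None:
        return findings + ['no security_exception in error text']
    action, user = hit
    if user in users:
        findings.append('%s denied for kibana.yml server user [%s]' % (action, user))
    elif user == ui_user:
        findings.append('%s denied for UI login [%s]' % (action, user))
    else:
        findings.append('[%s] is neither the kibana.yml user nor the UI login; '
                        'confirm the running Kibana loaded this file' % user)
    return findings

if __name__ == '__main__':
    print(diagnose(SAMPLE_YML, THREAD_ERROR, 'elastic'))
```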
@jesusgn90 I'm definitely using the elastic user in my Kibana configuration and Kibana UI. And every time I modified the Kibana configuration, I restarted Kibana. Please reference my screenshot Kibana Config Kibana UI
It's so weird, and I'm sooo confused. Never mind, I'd like to give it up, and try another installation from scratch.
Hi @fl4nker ,
The Kibana config looks good to me, but the Kibana UI, it would be nice if you paste a screenshot from the left menu bar (at the left bottom corner), for example:
That's the user who logged in the Kibana UI.
Regards, Jesús
@jesusgn90 sorry, pasted the wrong picture!
There is still something wrong, the user elastic is the admin user. Please, can we try to open a new incognito window in your browser and log in as elastic one more time? (https://support.mozilla.org/en-US/kb/private-browsing-use-firefox-without-history, https://www.lifewire.com/incognito-mode-google-chrome-4103635)
Regards
Still not working. It's soooo weird, I'll try another way. Thanks for your help @jesusgn90
That's pretty weird @fl4nker , let's see Management > Users and Management > Roles, please.
Regards
@jesusgn90 I installed Wazuh on another ELK Stack from scratch, ELK6.4.1 without X-Pack security enabled, it works fine. Here, I'll help the community debug the previous issue.
Hello,
I have the same issue but I can't disable X-Pack; does anyone know how to resolve it?
In kibana.yml => I use the "elastic" user
In Kibana UI => Logged in with the same "elastic" user
Error message : {"message":"2001 - [security_exception] action [indices:data/read/search] is unauthorized for user [kibana]","code":2001,"statusCode":500}
Thanks for your help
Hi @mathieu83470 ,
That's weird because the log is saying "for user [kibana]". Are you sure Kibana is using the elastic user on both sides (UI and server)?
Can you show us the kibana.yml content? (replace your password with "****")
Which version is your app? (Wazuh version + Kibana version)
Regards
Hi, I installed Wazuh manager and API on an existing ELK Stack (Wazuh3.6.1 & ELK6.3.2). But when I try to open the Wazuh app in Kibana, the following errors occurred:
I tried this solution—issue382, but it didn't work for me. Can you help me out? Any solution will be appreciated. Below is my related config:
Kibana Configuration
Wazuh-API
Wazuh-Manager
Elasticsearch
wazuh-kibana-app
Browser Error
https://10.28.100.110:5601/api/wazuh-api/apiEntries
https://10.28.100.110:5601/api/wazuh-elastic/setup