DSIEM support the use of ElasticSearch certificates? about dsiem HOT 9 CLOSED

Client certificate authentication should work transparently, i.e. if the browser can supply correct certificate and successfully authenticate when accessing https://elasticsearch:port, then dsiem UI should also be able to access the same location without issue.

So all you have to do is to put the correct Elasticsearch HTTPS address URL in esconfig.json.

from dsiem.

Thank you for your reply, this problem has been solved.
DSIEM project have a Slack channel? this will make communication easier.

from dsiem.

Not at this moment. But we'll reconsider that option if we start having too many unanswered questions on Github issues.

from dsiem.

thx!

from dsiem.

HI, DSEIM Team:
I used the latest DSEIM Version: 0.28.5.
Modified the esconfig.json, DSIEM WEB UI still cannot access ES.
{ "elasticsearch": "https://elastic:[email protected]:9200", "kibana": "https://192.168.199.97:5601" }

DSIEM WEB UI: Disconnected from ES https://192.168.199.97:9200: Error: No Living connections

my elasticsearch.yml

# X-Pack
xpack.security.enabled: true

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: [ "/etc/elasticsearch/certs/ca/ca.crt" ]

# DSIEM Config
discovery.type: single-node
#cluster.routing.allocation.disk.threshold_enabled: false
#xpack.security.enabled: false
#xpack.monitoring.enabled: false
#xpack.ml.enabled: false
#xpack.graph.enabled: false
#xpack.watcher.enabled: false
http.cors.enabled: true
http.cors.allow-origin: "*"

I need your help. thx!

from dsiem.

Hi @Canon88, can you directly open https://elastic:[email protected]:9200 from another browser tab without issue? if you can see the ES banner there, then Dsiem UI should also work. If you can't see the ES banner, then there might be a non-Dsiem UI connection issue between your browser and ES.

from dsiem.

Hi, @mmta , I'm trying to open the browser https://192.168.199.97:9200:

from dsiem.

@Canon88, I finally get around to test a config similar to yours. Turns out there was an error in web UI to support basic auth and there's also an extra CORS config required in ES to support this.

So please try Dsiem latest version (v0.28.6 as of now), and put the following extra config in environment variables or elasticsearch.yml:

      - http.cors.enabled=true
      - http.cors.allow-credentials=true
      - http.cors.allow-origin=*
      - http.cors.allow-headers=Authorization,X-Requested-With,Content-Type,Content-Length

from dsiem.

@mmta The problem has been solved, thank you!

from dsiem.