SENTINL Troubleshooting
This page collects common problem/solution pairs for both new and existing users.
W.I.P - Make sure you also check the SENTINL FAQ.
Error after Kibana upgrade
Remove Kibana Webpack bundles and restart Kibana.
rm -rf kibana/optimize/bundles/*
The error is usually caused by a stale build left in that directory from the previous Kibana version. The bundles are regenerated when you start Kibana again.
Debug Sentinl
Please ensure you have the following options in kibana.yml:
# Enables you to specify a file where Kibi stores log output.
logging.dest: stdout
# Set the value of this setting to true to suppress all logging output.
logging.silent: false
# Set the value of this setting to true to suppress all logging output other than error messages.
logging.quiet: false
# Set the value of this setting to true to log all events, including system usage information
# and all requests.
logging.verbose: true
For an example of correct stdout (from Kibana start through watcher execution), see Kibana-5.5.2---Sentinl-example-stdout-log.
Notice that all messages which carry Sentinl in their status (tags) are messages related to Sentinl.
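The following is an added example (not part of the original page or the Sentinl project) showing how to pull the Sentinl-related events out of verbose Kibana stdout. The sample log lines are constructed; they assume the JSON event shape Kibana 5.x writes to stdout (a `tags` array such as `["status","plugin:sentinl@5.5.2","info"]` for plugin status changes) and are not a real capture.

```python
import json

# Constructed sample of Kibana stdout with logging.verbose: true (assumed
# Kibana 5.x JSON event shape; not a real capture).
SAMPLE_STDOUT = """\
{"type":"log","@timestamp":"2017-09-22T08:00:01Z","tags":["status","plugin:kibana@5.5.2","info"],"pid":4242,"state":"green","message":"Status changed from uninitialized to green - Ready","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-22T08:00:02Z","tags":["status","plugin:sentinl@5.5.2","info"],"pid":4242,"state":"yellow","message":"Status changed from uninitialized to yellow - Waiting for Elasticsearch","prevState":"uninitialized","prevMsg":"uninitialized"}
{"type":"log","@timestamp":"2017-09-22T08:00:05Z","tags":["status","plugin:sentinl@5.5.2","info"],"pid":4242,"state":"green","message":"Status changed from yellow to green - Ready","prevState":"yellow","prevMsg":"Waiting for Elasticsearch"}
{"type":"log","@timestamp":"2017-09-22T08:00:06Z","tags":["info","sentinl","scheduler"],"pid":4242,"message":"scheduling watcher_title (every 1 minutes)"}
{"type":"response","@timestamp":"2017-09-22T08:00:07Z","tags":[],"pid":4242,"method":"get","statusCode":200,"req":{"url":"/app/kibana"},"res":{"statusCode":200},"message":"GET /app/kibana 200 12ms"}
{"type":"log","@timestamp":"2017-09-22T08:01:06Z","tags":["error","sentinl","execution"],"pid":4242,"message":"watcher_title: [security_exception] no permissions for indices:data/read/search"}
not json at all (e.g. a stack trace line)
"""


def parse_kibana_stdout(text):
    """Parse one JSON event per line; lines that are not JSON are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def is_sentinl_event(event):
    """True if any tag (e.g. plugin:sentinl@5.5.2 or sentinl) or the message mentions Sentinl."""
    parts = [str(t) for t in event.get("tags", [])] + [str(event.get("message", ""))]
    return any("sentinl" in p.lower() for p in parts)


def sentinl_events(text):
    return [e for e in parse_kibana_stdout(text) if is_sentinl_event(e)]


def summarize(text):
    """Return (number of Sentinl events, last plugin status state, error messages)."""
    events = sentinl_events(text)
    status = [e for e in events if "status" in e.get("tags", []) and "state" in e]
    last_state = status[-1]["state"] if status else None
    errors = [e["message"] for e in events if "error" in e.get("tags", [])]
    return len(events), last_state, errors


if __name__ == "__main__":
    count, state, errors = summarize(SAMPLE_STDOUT)
    print(f"{count} Sentinl events, plugin status: {state}")
    for msg in errors:
        print("ERROR:", msg)
```

A plugin status that never reaches green, or any event tagged `error`, is the first thing to look at before checking email or report settings.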
No alert emails
Basic config, kibana.yml:
logging.verbose: true
sentinl:
  settings:
    email:
      active: true
      host: beast-cave
      ssl: false
    report:
      active: true
      tmp_path: /tmp/
Check that the mail server itself accepts mail, using some email client, for example mailx:
mailx -S smtp=<smtp-server-address> -r <from-address> -s <subject> -v <to-address> < body.txt
Security exception while using Search Guard
For example, this message:
p-f45016r31z8-yok6hzhmmii: [security_exception] no permissions for indices:data/read/search :: {\"path\":\"/logstash-2017.09.22/_search\",\"query\":{},\"body\":\"{}\",\"statusCode\":403,\"response\":\"{\\\"error\\\":{\\\"root_cause\\\":[{\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for indices:data/read/search\\\"}],\\\"type\\\":\\\"security_exception\\\",\\\"reason\\\":\\\"no permissions for indices:data/read/search\\\"},\\\"status\\\":403}\"}"}
It says that the user Sentinl runs as has no permission for the indices:data/read/search action on the logstash-2017.09.22 index (HTTP 403).
Ensure you have the following role for logstash-* indices in sg_roles.yml:
# For the kibana server
sg_kibana_server:
  indices:
    'logstash-*':
      '*':
        - indices:data/read/search
Don't forget to apply the Search Guard configuration change using sgadmin.sh.
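As an added example (not part of the original page or of Search Guard), the snippet below extracts the index and action from a security_exception line like the one above and checks whether a role in sg_roles.yml actually covers them. The role file is embedded as a Python dict mirroring the YAML from this page so the example runs without a YAML parser; the log line is a constructed copy of the one above with the quoting unescaped. Search Guard action groups (such as names defined in sg_action_groups.yml) are not expanded here: only literal action names and `*` globs are matched.

```python
import fnmatch
import re

# Constructed copy of the Sentinl log line above, with the quotes unescaped.
SAMPLE_ERROR = (
    "p-f45016r31z8-yok6hzhmmii: [security_exception] no permissions for "
    'indices:data/read/search :: {"path":"/logstash-2017.09.22/_search",'
    '"query":{},"body":"{}","statusCode":403}'
)

# The sg_roles.yml fragment from this page: role -> index pattern -> doc type -> actions.
SG_ROLES_OK = {
    "sg_kibana_server": {
        "indices": {
            "logstash-*": {"*": ["indices:data/read/search"]},
        }
    }
}

# Constructed counter-example: the role only covers the .kibana index.
SG_ROLES_MISSING = {
    "sg_kibana_server": {
        "indices": {
            ".kibana": {"*": ["indices:*"]},
        }
    }
}

ACTION_RE = re.compile(r"no permissions for (\S+)")
PATH_RE = re.compile(r'"path"\s*:\s*"/([^/"]+)/')


def missing_permission(log_line):
    """Return (index, action) from a Search Guard security_exception line, or None."""
    if "[security_exception]" not in log_line:
        return None
    action = ACTION_RE.search(log_line)
    path = PATH_RE.search(log_line)
    if not action or not path:
        return None
    return path.group(1), action.group(1)


def role_grants(roles, role, index, action):
    """True if one of the role's index globs covers `index` and an action glob covers `action`."""
    for pattern, doc_types in roles.get(role, {}).get("indices", {}).items():
        if not fnmatch.fnmatchcase(index, pattern):
            continue
        for actions in doc_types.values():
            if any(fnmatch.fnmatchcase(action, a) for a in actions):
                return True
    return False


def diagnose(log_line, roles, role="sg_kibana_server"):
    """Explain whether the role file already covers the failing request."""
    found = missing_permission(log_line)
    if found is None:
        return "not a Search Guard permission error"
    index, action = found
    if role_grants(roles, role, index, action):
        return f"{role} grants {action} on {index}; apply the file with sgadmin.sh"
    return f"{role} lacks {action} on {index}; add it under indices in sg_roles.yml"


if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, SG_ROLES_OK))
    print(diagnose(SAMPLE_ERROR, SG_ROLES_MISSING))
```

If the role already grants the action, the usual cause is that the edited sg_roles.yml was never pushed to the cluster with sgadmin.sh, or that Sentinl runs as a user mapped to a different role.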