Elasticsearch Plugin

Cannot get this plugin to connect. I used the Elasticsearch URL + creds (verified this works if browsed to it) and it just errors out on test:

py3.6.egg/komand_elasticsearch/actions/cluster_health/action.py", line 28, in test
    r = helpers.test_auth(self.logger, host, username, password)
  File "/usr/local/lib/python3.6/site-packages/elasticsearch_rapid7_plugin-2.0.5-py3.6.egg/komand_elasticsearch/util/helpers.py", line 27, in test_auth
    raise Exception("Call failed: unknown error")
Exception: Call failed: unknown error

Hey @Brian_rapid7, sorry about the error you’re encountering. We definitely need to improve the error handling on this integration as what it’s returning is not useful at all. We’ll take a look at that. In the meantime, I have a few questions:

  1. Are you providing a full URL in the connection input with https:// or http:// and port, if not using the defaults for https (443) or http (80) e.g. https://example.com:1234?
  2. Is that URL accessible from the orchestrator? Can you curl it with a successful response if logged into the orchestrator?
  3. What authentication type is configured on your ES system?

Yes, I can curl using https://hostname:9200 from the orchestrator:

curl -XGET "https://hostname:9200/_cluster/health" -u username --insecure

I know it's not Elasticsearch because we have it configured on our previous SOAR, and it works.

Thanks @Brian_rapid7, we have a ticket created and assigned to engineering. I will update you when we release a fix.

Outside of this defect, is there additional functionality that you would like to see in the ElasticSearch plugin? Were there actions or features that you used in your previous SOAR solution’s Elastic plugin?

We're a heavy Elasticsearch shop, so pulling different indices, being able to aggregate it based on different fields.

Will let you know what else once I can get the plugin to connect.

So this is a true bug? No one else using InsightConnect has connected to Elasticsearch?

@Brian_rapid7 What version of ElasticSearch are you testing against? Also, are there any specific modules installed (e.g. around authentication) that may affect operation?

We have tested internally with 7.13.2 and it’s succeeding.

Elasticsearch 7.8, and are you using X-Pack to enable HTTPS?

@Brian_rapid7 We don’t, we’re spinning up a lab with that configuration and will test the plugin against it and update as necessary. I’ll follow back up with additional questions or findings and when we release a new version (we have a PR up with some improvements already).

Hey @Brian_rapid7, we made a large update to the ElasticSearch plugin which includes better error handling, SSL/TLS verification, testing against 7.8 with X-Pack module for HTTPS, and updated documentation among other things. Let me know if this resolves your issue and if you have any feedback we’re all ears.