Compatible with xpack reporting

jchop01 · October 31, 2018, 7:28pm

I’m wondering if you have any plans/workarounds to support Xpack Reporting w/ ROR.

Let me explain, we have it setup so each users has their own .kibana_{user} index and access to their own data indices in ES. Everything works great.
We would like the ability to export from the discover tab via the Saved Search/Reporting -> Export to CSV feature.

This works great, but when I head to Management -> Reporting to download the report, I can see other users reports generated. In a perfect world - they shouldn’t even be visible. In a sub-perfect world, the user could see them, but not download them. Make sense?

jchop01 · October 31, 2018, 7:38pm

By the way - using 6.4.1

jchop01 · November 6, 2018, 4:27pm

Just checking in. Any ideas?

sscarduzio · November 6, 2018, 5:36pm

Hello Joe, sorry the delayed response on this. I just tested this in our demo environment. You are right, something is missing when X-Pack code uses the saved objects API. ROR should intercept that too. Will have a look on how to ensure all the calls to the saved objects API are covered.

jchop01 · November 6, 2018, 5:53pm

Great - yeah I wonder if you could route the saved reports to a .report-{user} index to mimic the behavior of .kibana-{user} index. Otherwise - as long as other users cannot see other user reports.

Thanks!

askids · November 7, 2018, 1:34pm

Simone is really going to hate what I am about to say.

@jchop01 I am just wondering. AFAIK, Xpack reporting is a paid feature. Per my understanding, if you are paying for xpack license for using reporting, even security also comes with it. For that matter, other features like alerting, graph, ML etc also part of it. So why not use xpack security itself, if you are anyway paying for it?

jchop01 · November 7, 2018, 8:59pm

Don’t worry - we love ROR, and Simone’s ongoing support!

However, I haven’t been able to find ANY documentation regarding Xpack reporting - but from testing with our recent Kibana upgrade to 6.4, I assume a subset of the reporting is free for use. For example, we do not have Xpack license and we aren’t in their trial mode (confirmed with Get License API). I see this CSV reporting feature in Kibana, but not some of the more advanced reporting options like PDF reports or scheduled reports.

Correct me if I’m wrong - but thats why I assumed CSV/Saved Search exports fall under their xpack free features (same boat as monitoring, search profile, etc).

ld57 · November 8, 2018, 11:32am

Hi guys,
Using basic licnese ( free )

I use csv reporting in search tabs.

I use sentinl for pdf report and alerting

askids · November 8, 2018, 11:35pm

Good to know that its part of FOSS version. Then there is nothing to look beyond ROR for security

@ld57 with Siren now almost going into paid category, are you able to use it on a multi-node cluster OR is it just single node?

ld57 · November 9, 2018, 9:55am

HI @askids,

well, i am on es 6.2.1 as cluster, and kibana on a dedicated server.

regarding Sentinl, I have installed it on my kibana, but I had to create some modification to code to make it compatible with RoR.

Sentinl is installed as standalone, not as sentinl cluster approach ( had no need, as kibana/sentinl host is on vm clustering system)

regarding that I did, i posted something on their github

github.com/sentinl/sentinl

Make possible to save watchers to any index

opened 08:24AM - 24 Apr 18 UTC

closed 01:29PM - 14 Sep 18 UTC

sergibondarenko

bug v6.4.X

Related to sirensolutions/sentinl#393 sirensolutions/sentinl#398 Setting `def…ault-type` now breaks things!!! sirensolutions/sentinl#406 https://github.com/sirensolutions/sentinl/issues/411 https://github.com/sirensolutions/sentinl/issues/532 The problem is that now Sentinl uses Kibana savedObjectsAPI and stores all its watchers in an index specified in `kibana.index` property of `kibana.yml` file. By default, it is `.kibana`. We need to fix this by allowing users to put watchers in other indexes. For now, there are 2 possible solutions in case user migrate to the latest Sentinl v6: 1. Recreate all watchers using Sentinl UI 2. Modify existing watchers and move them into `.kibana` index using `curl` A watcher should have the following doc format: ``` { "_index" : ".kibana", "_type" : "doc", "_id" : "sentinl-watcher:efa6cd30-31c3-11e8-afa0-192c02dd236a", "_score" : 1.0, "_source" : { "type" : "sentinl-watcher", "updated_at" : "2018-03-28T09:47:26.920Z", "sentinl-watcher" : { "title" : "watcher_title", "input" : { "search" : { "request" : { "index" : [ ], "body" : { } } } }, "actions" : { "email_admin" : { "throttle_period" : "0h15m0s", "email" : { "to" : "alarm@localhost", "from" : "sentinl@localhost", "subject" : "Alarm", "priority" : "high", "body" : "Found {{payload.hits.total}} Events" } } }, "transform" : { }, "condition" : { "script" : { "script" : "payload.hits.total > 100" } }, "report" : false, "disable" : true, "trigger" : { "schedule" : { "later" : "every 5 minutes" } } } } } ```

if you need, I can share my kibana.yml config, and my RoR config.

unfortunately, I know they changed a lot of things, and i do not hink it still apply with earlier version.

@sscarduzio, it could be a great new feature to integrate that kind of feature to Ror feature pack, but it is a lot of work.

@sscarduzio, alos I apologize about delay regarding transport ssl authentication, but i did not forget it.

jchop01 · December 19, 2018, 5:17pm

Hi @sscarduzio - just checking in - has any progress been made regarding my original issue (xpack reporting)?

sscarduzio · December 20, 2018, 5:22am

Hi @jchop01, this is unfortunately still pending because it depends on a bigger task. Sorry for the wait!!

sscarduzio · December 27, 2018, 5:06am

This is fixed now, will be released soon as part of ReadonlyREST 1.16.32

jchop01 · December 27, 2018, 5:19am

Awesome thank you for a great product!