Elastic API endpoints?

[adamphetamine]

Version

2.4.110

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

6

RAM

16

Storage for /

300GB

Storage for /nsm

?

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi,
in SO v2.3 I was able to extract data via API calls from Fleet using endpoints like-
https://domain/fleet/api/latest/fleet/host_summary

But I'm having trouble discovering the API endpoints for Elastic/ Kibana etc. in SO v2.4
It looks like these may be available on port 9200 and I have allowed this port on the external and internal firewalls for my admin IP, and set up an API key, but so far cannot figure it out, any help would be much appreciated...

ie. to get a list of agents I am (unsuccessfully) trying-
https://domain:9200/kibana/api/fleet/agents

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Is this what you are looking for? https://www.elastic.co/guide/en/fleet/current/fleet-api-docs.html#:~:text=You%20can%20find%20details%20for,some%20commonly%20used%20Fleet%20APIs.

[adamphetamine]

Thanks- I had already been through those docs without success, but I'll have another look.
The issue is really finding the URL base specific to SO, but if you feel that the answer I will go deeper...

thanks for the info!

[adamphetamine]

ok I have not been successful, but perhaps I can make the question easier.

Can anyone confirm ANY working API endpoint for Security Onion v2.4?

I've tried-
https://domain:9200/kibana/api/fleet/agents
https://domain:5601/kibana/api/fleet/agents
https://domain:9200/_cat/indices?v
https://domain/_cat/indices?v
https://domain/#/_cat/indices?v

and a bunch of others. If I can get one confirmed working URL I can probably work out the rest

[cm-ops]

Are you also using the basic auth with your API call? user:PW for Elasticsearch?

[adamphetamine]

ok feeling a bit dumb as the correct method was mentioned here
#8884

and yes it's one of my questions... thanks Josh. And thanks @cm-ops for the suggestion to check basic auth- good point.

Making progress because I can now get a response from the Server like-

{"error":"no handler found for uri [/api/elastalert_status] and method [POST]"}

So we are definitely using port 9200, figuring out the endpoint, not so much...

[adamphetamine]

ok the answer is as follows-

It's inferred from the Elastic docs but not specified that your API token user must have permissions and these are separate from the user creating the token.

So test your credentialed access with-

curl -v -k -u user:pass --request GET \
--url 'https://FQDN:9200/_cat/indices' \
--header 'kbn-xsrf: true' \
--header 'Content-Type: application/json'

If this works you can add some read only permissions to your API token with this-

curl -v -k -u user:pass --request POST \
--url 'https://FQDN:9200/_security/api_key' \
—H 'Content-Type: application/json’ \
-d '{
  "name": "API_Token_Name",
  "role_descriptors": {
    "read_only": {
      "cluster": ["monitor"],
      "indices": [
        {
          "names": ["*"],
          "privileges": ["read", "view_index_metadata"]
        }
      ]
    }
  }
}'

Then verify your access with this-

curl -v -k --url 'https://FQDN:9200/_cat/indices' --request GET \
-H 'Authorization: ApiKey Your_API_Token'

I'm not convinced that was worth weeks of my life, but glad to contribute in a small way.