Authentication using apikey failed

nfarmer · May 14, 2021, 9:00pm

So I recently had to reset my ELK stack, because I was having crazy issues I couldn't fix. Without realizing it, and after looking at the logs, I saw that also killed all of my api keys.

[2021-05-14T20:39:26,217][WARN ][o.e.x.s.a.AuthenticationService] [server.local] Authentication using apikey failed - unable to find apikey with id asdfghjkl

My question is, is there anyway to restore my api keys with the exact same id, name, and apikey? Or is there anyway of figuring out what machines are trying to authenticate with a specific apikey?

Marius_Dragomir · May 17, 2021, 2:27pm

You won't be able to have the same ID/name/apikey sadly. So the best solution will be to just go through the setup of all API keys again from scratch, to make sure you don't miss anything. It will save you a lot of hunting when you have one that's missing or something else.

nfarmer · May 17, 2021, 2:31pm

Okay, thanks! Is there anyway to discover what hosts are trying to connect using the specific APIs?

Marius_Dragomir · May 17, 2021, 2:32pm

You should be able to find them in the audit logs: Audit logs | Kibana Guide [7.12] | Elastic

nfarmer · May 17, 2021, 5:29pm

I ensured logging was enabled on both elasticsearch and kibana (it was). and I'm seeing [2021-05-17T16:52:32,685][WARN ][o.e.x.s.a.AuthenticationService] [graylog.scspa.local] Authentication using apikey failed - unable to find apikey with id DEyW3HUBgMTKE8dJsmBi (this is one of many)
but no indication what machine attempted the connection

nfarmer · May 19, 2021, 1:08pm

@Marius_Dragomir Any ideas as to how I can get the actual IPs of who/what is attempting a connection?

Marius_Dragomir · June 14, 2021, 1:27pm

other than using a proxy in front of your ES instance and looking in those logs, there isn't any way.

system · July 12, 2021, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.