Authentication using apikey failed

So I recently had to reset my ELK stack, because I was having crazy issues I couldn't fix. Without realizing it, and after looking at the logs, I saw that also killed all of my API keys.

[2021-05-14T20:39:26,217][WARN ][o.e.x.s.a.AuthenticationService] [server.local] Authentication using apikey failed - unable to find apikey with id asdfghjkl

My question is, is there any way to restore my API keys with the exact same id, name, and apikey? Or is there any way of figuring out what machines are trying to authenticate with a specific apikey?

You won't be able to have the same ID/name/apikey sadly. So the best solution will be to just go through the setup of all API keys again from scratch, to make sure you don't miss anything. It will save you a lot of hunting when you have one that's missing or something else.

Okay, thanks! Is there any way to discover what hosts are trying to connect using the specific APIs?

You should be able to find them in the audit logs: Audit logs | Kibana Guide [7.12] | Elastic

I ensured logging was enabled on both Elasticsearch and Kibana (it was), and I'm seeing [2021-05-17T16:52:32,685][WARN ][o.e.x.s.a.AuthenticationService] [graylog.scspa.local] Authentication using apikey failed - unable to find apikey with id DEyW3HUBgMTKE8dJsmBi (this is one of many), but no indication of what machine attempted the connection.

@Marius_Dragomir Any ideas as to how I can get the actual IPs of who/what is attempting a connection?

Other than using a proxy in front of your ES instance and looking in those logs, there isn't any way.
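
Following up on the proxy suggestion above, an added example (not part of the original thread and not Elastic's code): it groups client IPs by the API key id seen in rejected requests, relying on the `Authorization: ApiKey` value being base64 of `id:api_key`. The proxy log format, IP addresses and secret below are constructed assumptions.

```python
import base64
import re
from collections import defaultdict

STALE_ID = "DEyW3HUBgMTKE8dJsmBi"  # key id from the WARN line in the thread

def _hdr(key_id):
    # Build a constructed header value; the secret part is a placeholder.
    raw = f"{key_id}:constructed-secret".encode()
    return "ApiKey " + base64.b64encode(raw).decode()

# Constructed sample lines in a hypothetical proxy log format:
#   <client_ip> [<time>] "<request>" <status> auth="<Authorization header>"
# The header carries the secret, so a real proxy should log only the id part.
SAMPLE_LOG = [
    f'10.0.4.17 [17/May/2021:16:52:32 +0000] "POST /_bulk HTTP/1.1" 401 auth="{_hdr(STALE_ID)}"',
    f'10.0.4.17 [17/May/2021:16:52:42 +0000] "POST /_bulk HTTP/1.1" 401 auth="{_hdr(STALE_ID)}"',
    f'10.0.9.3 [17/May/2021:16:53:01 +0000] "GET / HTTP/1.1" 401 auth="{_hdr(STALE_ID)}"',
    f'10.0.7.8 [17/May/2021:16:53:05 +0000] "GET / HTTP/1.1" 200 auth="{_hdr("constructedGoodId")}"',
    '10.0.7.9 [17/May/2021:16:53:09 +0000] "GET / HTTP/1.1" 401 auth="ApiKey not-base64!"',
    '10.0.7.9 [17/May/2021:16:53:10 +0000] "GET / HTTP/1.1" 401 auth="Basic dXNlcjpwdw=="',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) auth="(?P<auth>[^"]*)"$'
)

def api_key_id(auth_header):
    """Return the id part of an ApiKey header, or None if it is not one."""
    scheme, _, cred = auth_header.partition(" ")
    if scheme.lower() != "apikey":
        return None
    try:
        decoded = base64.b64decode(cred.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    key_id, sep, _secret = decoded.partition(":")
    return key_id if sep and key_id else None

def failed_clients_by_key(lines, status="401"):
    """Map each API key id to the sorted client IPs whose requests got `status`."""
    clients = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["status"] != status:
            continue
        key_id = api_key_id(m["auth"])
        if key_id:
            clients[key_id].add(m["ip"])
    return {k: sorted(v) for k, v in clients.items()}

if __name__ == "__main__":
    for key_id, ips in failed_clients_by_key(SAMPLE_LOG).items():
        print(key_id, "->", ", ".join(ips))
```

The ids it reports can be matched against the ids in the `unable to find apikey with id` WARN lines to see which hosts still hold a deleted key.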
