Can`t start up logstash at installed xpack

use offical document config logstash_internal grant logstash_writer role,modifyed logstash.yml write logstash_system username and password,but logstash still can`t start up,log file like this:

[2018-10-29T04:44:57,702][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}

my logstash output config

output {
     elasticsearch {
        hosts => ["localhost:9200"]
        user => logstash_internal
        password => mypassword
        index => "logstash-%{tags}-%{+YYYY.MM.dd}"
        document_type => "%{tags}"
        action => "index"
  stdout { codec => rubydebug }

command line authentication this accout

root@baf6624e70ae:/opt/logstash/config# curl -u logstash_internal:mypassword 'http://localhost:9200/_xpack/security/_authenticate?pretty'
  "username" : "logstash_internal",
  "roles" : [
  "full_name" : "logstash_internal",
  "email" : "",
  "metadata" : { },
  "enabled" : true

my logstash config file

xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: mypassword
xpack.monitoring.elasticsearch.url: ["http://localhost:9200"]

what should i do,for this problem.

logstash_system and logstash_internal are different users.

You have shown that you can authenticate to Elasticsearch with logstash_internal and mypassword
but can you please verify that mypassword is the correct password for logstash_system too?


curl -u logstash_system:mypassword 'http://localhost:9200/_xpack/security/_authenticate?pretty'

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.