Can't connect to ElasticSearch after X-pack install

(bus) #1

Hello. I just followed the steps to configure X-Pack with Logstash (Installing X-Pack in Logstash).

But after this, my Logstash pipeline doesn't work anymore.

Here it is my logstash.yml : /var/lib/logstash
path.logs: /var/log/logstash
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: mypass

Here it is my output pipeline :

output {
elasticsearch {
hosts => ["localhost:9200"]
user => logstash_system
password => mypass
stdout { codec => rubydebug }

And here are the mistakes that I have:

[INFO ] 2018-02-08 15:01:10.290 [Ruby-0-Thread-10: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:228] licensereader - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://localhost:9200/, :path=>"/"}
[WARN ] 2018-02-08 15:01:10.297 [Ruby-0-Thread-10: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/logstash-output-elasticsearch-9.0.2-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:228] licensereader - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}
[ERROR] 2018-02-08 15:01:11.436 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Expected one of #, {, } at line 29, column 23 (byte 680) after output {\n elasticsearch { \n hosts => ["localhost:9200"]\n user => logstash_system\n password => Azerty5", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:42:in compile_imperative'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:50:incompile_graph'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:12:in block in compile_sources'", "org/jruby/'", "/usr/share/logstash/logstash-core/lib/logstash/compiler.rb:11:in compile_sources'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:51:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:169:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:40:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:315:in block in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:inwith_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:312:in block in converge_state'", "org/jruby/'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:299:in converge_state'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:166:inblock in converge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:141:in with_pipelines'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:164:inconverge_state_and_update'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:105:in block in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/interval.rb:18:ininterval'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:94:in execute'", 
"/usr/share/logstash/logstash-core/lib/logstash/runner.rb:348:inblock in execute'", "/usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

What causes this issue?

thx !

(Jared Carey) #2

401 unauthorized. Did you set up the user / password for writing the monitoring data? This is done in the logstash.yml file.

It is also complaining about an invalid config, at line 29 column 23. I couldn’t spot the issue from the truncated config provided, you need to fully check that the config is formed correctly.

Also I see you configured the elasticsearch output in your pipeline to use logstash_system. This user is meant for writing monitoring data, and does not have the necessary permissions to create other data. These docs describe setting up an appropriate logstash_writer user:
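As an added example (not part of the original thread, and not Elastic's code): a small Python check for the two credential problems raised in the reply above, run on constructed copies of the settings from the first post. The function names and sample strings are assumptions made for illustration.

```python
import re

# Constructed sample input, modelled on the settings quoted in the first post.
LOGSTASH_YML = """\
path.logs: /var/log/logstash
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: mypass
"""
PIPELINE_CONF = """\
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => logstash_system
    password => mypass
  }
  stdout { codec => rubydebug }
}
"""
MONITORING_USER = "logstash_system"  # built-in user named in the reply above

def yml_settings(text):
    """Flat 'key: value' settings from logstash.yml (comments and blanks skipped)."""
    pairs = (l.split(":", 1) for l in text.splitlines()
             if ":" in l and not l.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, v in pairs}

def es_output_options(conf):
    """Options of each flat elasticsearch { ... } block (no nested braces handled)."""
    blocks = re.findall(r"\belasticsearch\s*\{([^{}]*)\}", conf)
    return [{k: v.strip().strip("\"'")
             for k, v in re.findall(r"^\s*(\w+)\s*=>\s*(.+?)\s*$", b, re.M)}
            for b in blocks]

def audit(yml_text, conf_text):
    """Return findings for the two credential problems raised in the reply."""
    findings = []
    yml = yml_settings(yml_text)
    for key in ("username", "password"):
        if not yml.get("xpack.monitoring.elasticsearch." + key):
            findings.append("logstash.yml: monitoring %s not set" % key)
    for opts in es_output_options(conf_text):
        if "user" not in opts or "password" not in opts:
            findings.append("output: no user/password set")
        elif opts["user"] == MONITORING_USER:
            findings.append("output: monitoring user in use, needs a logstash_writer user")
    return findings
```

Calling `audit(LOGSTASH_YML, PIPELINE_CONF)` on the sample returns one finding, for the output block that reuses the monitoring account.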

(bus) #3

Ok, I just created the user "logstash_internal" with the role "logstash_writer" exactly as indicated in your link (by changing the password of course :))

I modified logstash.yml which now becomes : /var/lib/logstash
path.logs: /var/log/logstash
xpack.monitoring.elasticsearch.username: logstash_internal
xpack.monitoring.elasticsearch.password: newpass

And I also changed my pipeline which now becomes:

input {
  udp {
    port => 514
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "logstash_internal"
    password => "newpass"
  }
  stdout { codec => rubydebug }
}

I still have the same mistake, couldn't contact, error 401. BUT the [ERROR] about invalid config has disappeared.

(Jared Carey) #4

I assume the logstash.yml is set up correctly as well for publishing the monitoring data?

(bus) #5

I have not configured logstash.yml for monitoring data (your link).

Is it important to do this to solve my issue ?

(bus) #6

So I just configured it; just 1 line needed to be added.
So now, logstash.yml :

Always same issue.

PS : 'the q in the first line is not in the config file, just mistake at screen moment'

(Jared Carey) #7

So what is the current error with those two items now fixed?

(bus) #8

So, the current error is :

I'll let you take a look at my pipeline, my logstash.yml and the user created :

logstash.yml :

The pipeline :

The logstash_internal user :

(bus) #9

Can anyone help me? :(

(system) #10

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.