Elastic version 6.5.1 on RPM
I've been working on our encrypted Logstash to Elasticsearch connection and the only way I can get it to work is by using our elastic user (superuser roles). I've followed the instructions in the documentation on creating a logstash_internal user and I am unable to get that user to connect. The error that I keep getting with the logstash_internal user is:
[WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logstash_internal:xxxxxx@xx.xxx.xx.xxx:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://"
Here's what I have for my users by running GET _xpack/security/user
  "logstash_user" : {
    "username" : "logstash_user",
    "roles" : [
      "logstash_reader",
      "logstash_admin"
    ],
    "full_name" : "Kibana User for Logstash",
    "email" : null,
    "metadata" : { },
    "enabled" : true
  },
  "logstash_internal" : {
    "username" : "logstash_internal",
    "roles" : [
      "logstash_writer"
    ],
    "full_name" : "Internal Logstash User",
    "email" : null,
    "metadata" : { },
    "enabled" : true
  },
This is what I get when I run GET _xpack/security/role
  "logstash_reader" : {
    "cluster" : [ ],
    "indices" : [
      {
        "names" : [
          "logstash-*"
        ],
        "privileges" : [
          "read",
          "view_index_metadata"
        ]
      }
    ],
    "applications" : [ ],
    "run_as" : [ ],
    "metadata" : { },
    "transient_metadata" : {
      "enabled" : true
    }
  },
  "logstash_writer" : {
    "cluster" : [
      "manage_index_templates",
      "monitor"
    ],
    "indices" : [
      {
        "names" : [
          "logstash-*"
        ],
        "privileges" : [
          "write",
          "delete",
          "create_index"
        ]
      }
    ],
Here's our Logstash config:
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["https://xx.xxx.xx.xxx:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => "logstash_internal"
    password => "xxxxxxxxx"
    ssl => true
    cacert => "/etc/logstash/ca.crt"
  }
}
Seems like everything should be set to use logstash_internal to access our ES cluster but the 401 errors continue. I'd say it's a config problem but as mentioned earlier the system has no problems with our elastic user running with the superuser role. Any help would be appreciated and enjoy your day.
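The following is an added triage helper, my own example rather than code from the original post or from Elastic. It parses the WARN line quoted above (the password portion of the URL is discarded, never echoed), states what a 401 means as opposed to a 403, expands the post's index setting for a constructed Filebeat 6.5.1 event on a constructed date, and checks the resulting index name against the logstash_writer role exactly as pasted. The required-privilege sets are the ones the Logstash 6.x documentation gives for the logstash_writer role, which the pasted role already matches; the event metadata and the date are assumptions.

```python
"""Triage helper for the Logstash -> Elasticsearch 401 described in the post (added example)."""
import re
from datetime import date
from fnmatch import fnmatchcase

# Constructed sample: the WARN line quoted in the post, host and password already masked.
SAMPLE_WARN = (
    "[WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES "
    "instance, but got an error. {:url=>\"https://logstash_internal:xxxxxx@xx.xxx.xx.xxx:9200/\", "
    ":error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, "
    ":error=>\"Got response code '401' contacting Elasticsearch at URL 'https://"
)

# The logstash_writer role as pasted in the post (GET _xpack/security/role).
LOGSTASH_WRITER = {
    "cluster": ["manage_index_templates", "monitor"],
    "indices": [{"names": ["logstash-*"], "privileges": ["write", "delete", "create_index"]}],
}

# The index setting from the post's elasticsearch output block.
INDEX_PATTERN = "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"

# Privileges the Logstash 6.x docs give the logstash_writer role; the pasted role matches them.
REQUIRED_CLUSTER = {"manage_index_templates", "monitor"}
REQUIRED_INDEX = {"write", "delete", "create_index"}

URL_RE = re.compile(
    r':url=>"(?P<scheme>https?)://(?:(?P<user>[^:@/]+):(?P<password>[^@/]*)@)?'
    r'(?P<host>[^:/"]+):(?P<port>\d+)'
)
CODE_RE = re.compile(r"Got response code '(?P<code>\d{3})'")

MEANING = {
    401: "authentication failed: ES could not verify the username/password on this request",
    403: "authenticated, but the user's roles lack a required cluster or index privilege",
}


def parse_warn_line(line):
    """Pull user, host, port and HTTP status out of the output plugin's WARN line.
    The password captured from the URL is dropped, not returned or logged."""
    url = URL_RE.search(line)
    code = CODE_RE.search(line)
    if url is None or code is None:
        return None
    status = int(code.group("code"))
    return {
        "user": url.group("user"),
        "host": url.group("host"),
        "port": int(url.group("port")),
        "status": status,
        "meaning": MEANING.get(status, "other HTTP error; check the ES server log"),
    }


def render_index(pattern, metadata, day):
    """Expand the two sprintf forms used in the post's index setting:
    %{[@metadata][field]} and the %{+YYYY.MM.dd} date token."""
    expanded = re.sub(r"%\{\[@metadata\]\[(\w+)\]\}", lambda m: metadata[m.group(1)], pattern)
    return expanded.replace("%{+YYYY.MM.dd}", day.strftime("%Y.%m.%d"))


def check_writer_role(role, target_index):
    """Return a list of findings (empty means OK) for a role shaped like the
    GET _xpack/security/role output, checked against one concrete index name."""
    findings = []
    missing_cluster = REQUIRED_CLUSTER - set(role.get("cluster", []))
    if missing_cluster:
        findings.append(f"missing cluster privileges: {sorted(missing_cluster)}")
    # Index names in a role are wildcard patterns; '*' is the only glob character used here.
    covering = [
        grant for grant in role.get("indices", [])
        if any(fnmatchcase(target_index, pattern) for pattern in grant["names"])
    ]
    if not covering:
        findings.append(f"no index grant matches '{target_index}'")
        return findings
    granted = set().union(*(set(grant["privileges"]) for grant in covering))
    missing_index = REQUIRED_INDEX - granted
    if missing_index:
        findings.append(f"missing index privileges on '{target_index}': {sorted(missing_index)}")
    return findings


if __name__ == "__main__":
    parsed = parse_warn_line(SAMPLE_WARN)
    print(f"{parsed['user']}@{parsed['host']}:{parsed['port']} -> {parsed['status']}: {parsed['meaning']}")
    # Constructed event: a Filebeat 6.5.1 shipper on a fixed day (assumption, not from the post).
    target = render_index(INDEX_PATTERN, {"beat": "filebeat", "version": "6.5.1"}, date(2018, 11, 27))
    print(f"target index: {target}")
    for finding in check_writer_role(LOGSTASH_WRITER, target) or ["role covers the target index"]:
        print(" -", finding)
```

The parsed status is 401, which Elasticsearch returns when it cannot authenticate the credentials on the request, so the contents of the role are not yet what is being exercised; GET _xpack/security/_authenticate with the same username, password and CA certificate isolates that step from the output plugin. The role check is still worth keeping: the pasted role grants logstash-* only, while the index setting in the config yields names such as filebeat-6.5.1-2018.11.27, and once the credentials are accepted a write to such an index would come back as a 403 security_exception rather than a 401.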