Failed to install template error

(Zama Las) #1

Hi ,

I just started working on setting up the ELK stack using docker. I was able to start all the three components successfully using docker install .

But I can see one error message during startup of logstash . The error message is as follows:

[2017-09-26T14:38:22,566][INFO ][logstash.outputs.elasticsearch] Attempting to install template {:manage_template=>{"template"=>"logstash-", "version"=>50001, "settings"=>{"index.refresh_interval"=>"5s"}, "mappings"=>{"default"=>{"_all"=>{"enabled"=>true, "norms"=>false}, "dynamic_templates"=>[{"message_field"=>{"path_match"=>"message", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false}}}, {"string_fields"=>{"match"=>"", "match_mapping_type"=>"string", "mapping"=>{"type"=>"text", "norms"=>false, "fields"=>{"keyword"=>{"type"=>"keyword", "ignore_above"=>256}}}}}], "properties"=>{"@timestamp"=>{"type"=>"date", "include_in_all"=>false}, "@version"=>{"type"=>"keyword", "include_in_all"=>false}, "geoip"=>{"dynamic"=>true, "properties"=>{"ip"=>{"type"=>"ip"}, "location"=>{"type"=>"geo_point"}, "latitude"=>{"type"=>"half_float"}, "longitude"=>{"type"=>"half_float"}}}}}}}}

[2017-09-26T14:38:22,576][ERROR][logstash.outputs.elasticsearch] Failed to install template. {:message=>"Got response code '403' contacting Elasticsearch at URL 'http://elasticsearch:9200/_template/logstash'", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError",

My logstash.conf is as follows:

input {
tcp {
port => 5044
codec => "json"
output {
elasticsearch {
hosts => ["elasticsearch:9200"]
index => "elk-%{+YYYY.MM.dd}"
document_type => "log"
user => logstash_system
password => changeme

Please suggest how to resolve the issue.

(Magnus Bäck) #2

The error code suggests that you've configured the wrong credentials in your elasticsearch output. Have you tried using them with e.g. curl to access data stored in ES?

(Zama Las) #3

Thanks for replying . I am using the default credentials as in logstash.yml

xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeme

curl returns the following

$ curl -u logstash_system http://localhost:9200/_template/logstash
Enter host password for user 'logstash_system':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:admin/template/get] is unauthorized for user [logstash_system]"}],"type":"security_exception","reason":"action [indices:admin/template/get] is unauthorized for user [logstash_system]"},"status":403}

Initially it was showing 401 in logstash log , but after adding the username/password in logstash.conf it is showing 403 error as described in original description .

$ curl -u logstash_system http://localhost:9200/_shield/authenticate
Enter host password for user 'logstash_system':

(Magnus Bäck) #4

Hmm, right. Wrong credentials would've given you 401 and not 403. Seems like the logstash_system user doesn't have sufficient permissions to perform any template-related tasks. That's weird if you're running an out of the box setup.

(Zama Las) #5

I am going with default configuration files. How to add permissions for that user to resolve the issue. Any pointers will be helpful . My logstash.yml looks like this ""
path.config: /usr/share/logstash/pipeline
xpack.monitoring.elasticsearch.url: http://elasticsearch:9200
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeme

(Zama Las) #6

We are able to resolve the issue the authorization issue. The user was not having rights to create indices. This we came to know while checking the roles and user information from kibana interface. We used elastic user which was having superuser role to resolve the issue. Next I we are planning to create our user for this. But I am looking for an ideal role which can be used for a working system . Can somebody please guide in selecting a suitable role for this user.

(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.