Filebeat authentication fail

Georgios_Nikoloudis · April 27, 2020, 8:13pm

hi
after installing the filebeat to a remote server it looks that cannot authenticate to ES.
ES Log
^[[A^[[A[2020-04-27T22:00:41,318][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm default_native failed - Password authentication failed for elastic ^[[B[2020-04-27T22:10:33,204][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm default_native failed - Password authentication failed for elastic [2020-04-27T22:11:09,642][WARN ][o.e.x.s.a.AuthenticationService] [node-1] Authentication to realm default_native failed - Password authentication failed for elastic
when I run filebeat -e setup

[root@fngnetde filebeat]# filebeat -e setup
2020-04-27T23:11:09.465+0300	INFO	instance/beat.go:622	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-04-27T23:11:09.465+0300	INFO	instance/beat.go:630	Beat ID: fc07e8b0-5add-471f-b891-a1cbeb6569bd
2020-04-27T23:11:09.473+0300	INFO	[beat]	instance/beat.go:958	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "fc07e8b0-5add-471f-b891-a1cbeb6569bd"}}}
2020-04-27T23:11:09.474+0300	INFO	[beat]	instance/beat.go:967	Build info	{"system_info": {"build": {"commit": "d57bcf8684602e15000d65b75afcd110e2b12b59", "libbeat": "7.6.2", "time": "2020-03-26T05:23:38.000Z", "version": "7.6.2"}}}
2020-04-27T23:11:09.474+0300	INFO	[beat]	instance/beat.go:970	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.13.8"}}}
2020-04-27T23:11:09.474+0300	INFO	[beat]	instance/beat.go:974	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-20T08:55:13+03:00","containerized":false,"name":"fngnetde","ip":["127.0.0.1/8","::1/128","95.216.7.94/32","95.216.7.94/32","95.216.7.72/26","95.216.7.71/26","95.216.7.70/26","2a01:4f9:2a:7a1::2/64","fe80::468a:5bff:fed4:4b38/64","172.17.0.1/16"],"kernel_version":"3.10.0-862.2.3.el7.x86_64","mac":["44:8a:5b:d4:4b:38","02:42:fe:c1:b7:ff"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":5,"patch":1804,"codename":"Core"},"timezone":"EEST","timezone_offset_sec":10800,"id":"23cddd2b7d0c43519e7f6a69d45303b5"}}}
2020-04-27T23:11:09.474+0300	INFO	[beat]	instance/beat.go:1003	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/etc/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 10649, "ppid": 17604, "seccomp": {"mode":"disabled"}, "start_time": "2020-04-27T23:11:08.720+0300"}}}
2020-04-27T23:11:09.474+0300	INFO	instance/beat.go:298	Setup Beat: filebeat; Version: 7.6.2
2020-04-27T23:11:09.474+0300	INFO	[index-management]	idxmgmt/std.go:182	Set output.elasticsearch.index to 'filebeat-7.6.2' as ILM is enabled.
2020-04-27T23:11:09.475+0300	INFO	elasticsearch/client.go:174	Elasticsearch url: http://95.216.204.11:9200
2020-04-27T23:11:09.475+0300	INFO	[publisher]	pipeline/module.go:110	Beat name: fngnetde
2020-04-27T23:11:09.475+0300	INFO	elasticsearch/client.go:174	Elasticsearch url: http://95.216.204.11:9200
2020-04-27T23:11:09.642+0300	ERROR	elasticsearch/elasticsearch.go:261	Error connecting to Elasticsearch at http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [fngnet] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"unable to authenticate user [fngnet] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
2020-04-27T23:11:09.642+0300	ERROR	instance/beat.go:933	Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [fngnet] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"unable to authenticate user [fngnet] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}]
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [fngnet] for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exce

however the curl with authentication working.

any suggestion?

Thanks
Georgios

KoettingSimon · April 27, 2020, 8:23pm

Hi Georgios,
which user you are trying to use?
The ES logs are errors for the user Elastic, but filebeat trying to authenticate with the user fngnet.
Which user you tested successfully with curl?

Regards,
Simon

Georgios_Nikoloudis · April 27, 2020, 8:25pm

i changed to user elastic in the filebeat configuration. but the problem remains
thanks

KoettingSimon · April 27, 2020, 8:28pm

Ok and the User with the configured in the filebeat config works when copy-pasting the credentials to curl!?
Please post the ES Logs with the same/near Timestamp as the Errors in your Filebeat logs.

Georgios_Nikoloudis · April 27, 2020, 8:32pm

do not worry about time I fixed it - is the same for both server -

this is the CURL output:

[root@fngnetde filebeat]# curl -v -uelastic http://95.216.204.11:9200
Enter host password for user 'elastic':
* About to connect() to 95.216.204.11 port 9200 (#0)
*   Trying 95.216.204.11...
* Connected to 95.216.204.11 (95.216.204.11) port 9200 (#0)
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzpnbjIxNTIxMCQkJA==
> User-Agent: curl/7.29.0
> Host: 95.216.204.11:9200
> Accept: */*
> 
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 532
< 
{
  "name" : "node-1",
  "cluster_name" : "my-application",
  "cluster_uuid" : "kI-Y0O64S2SpyDvlqhIJKg",
  "version" : {
    "number" : "7.6.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "ef48eb35cf30adf4db14086e8aabd07ef6fb113f",
    "build_date" : "2020-03-26T06:34:37.794943Z",
    "build_snapshot" : false,
    "lucene_version" : "8.4.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host 95.216.204.11 left intact

this is the output of the filebeat -e setup

2020-04-27T23:30:37.569+0300	INFO	instance/beat.go:622	Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-04-27T23:30:37.569+0300	INFO	instance/beat.go:630	Beat ID: fc07e8b0-5add-471f-b891-a1cbeb6569bd
2020-04-27T23:30:37.582+0300	INFO	[beat]	instance/beat.go:958	Beat info	{"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "fc07e8b0-5add-471f-b891-a1cbeb6569bd"}}}
2020-04-27T23:30:37.582+0300	INFO	[beat]	instance/beat.go:967	Build info	{"system_info": {"build": {"commit": "d57bcf8684602e15000d65b75afcd110e2b12b59", "libbeat": "7.6.2", "time": "2020-03-26T05:23:38.000Z", "version": "7.6.2"}}}
2020-04-27T23:30:37.582+0300	INFO	[beat]	instance/beat.go:970	Go runtime info	{"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":8,"version":"go1.13.8"}}}
2020-04-27T23:30:37.583+0300	INFO	[beat]	instance/beat.go:974	Host info	{"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-10-20T08:55:13+03:00","containerized":false,"name":"fngnetde","ip":["127.0.0.1/8","::1/128","95.216.7.94/32","95.216.7.94/32","95.216.7.72/26","95.216.7.71/26","95.216.7.70/26","2a01:4f9:2a:7a1::2/64","fe80::468a:5bff:fed4:4b38/64","172.17.0.1/16"],"kernel_version":"3.10.0-862.2.3.el7.x86_64","mac":["44:8a:5b:d4:4b:38","02:42:fe:c1:b7:ff"],"os":{"family":"redhat","platform":"centos","name":"CentOS Linux","version":"7 (Core)","major":7,"minor":5,"patch":1804,"codename":"Core"},"timezone":"EEST","timezone_offset_sec":10800,"id":"23cddd2b7d0c43519e7f6a69d45303b5"}}}
2020-04-27T23:30:37.584+0300	INFO	[beat]	instance/beat.go:1003	Process info	{"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend"],"ambient":null}, "cwd": "/etc/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 25414, "ppid": 17604, "seccomp": {"mode":"disabled"}, "start_time": "2020-04-27T23:30:36.820+0300"}}}
2020-04-27T23:30:37.584+0300	INFO	instance/beat.go:298	Setup Beat: filebeat; Version: 7.6.2
2020-04-27T23:30:37.584+0300	INFO	[index-management]	idxmgmt/std.go:182	Set output.elasticsearch.index to 'filebeat-7.6.2' as ILM is enabled.
2020-04-27T23:30:37.584+0300	INFO	elasticsearch/client.go:174	Elasticsearch url: http://95.216.204.11:9200
2020-04-27T23:30:37.584+0300	INFO	[publisher]	pipeline/module.go:110	Beat name: fngnetde
2020-04-27T23:30:37.585+0300	INFO	elasticsearch/client.go:174	Elasticsearch url: http://95.216.204.11:9200
2020-04-27T23:30:37.730+0300	ERROR	elasticsearch/elasticsearch.go:261	Error connecting to Elasticsearch at http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}
2020-04-27T23:30:37.730+0300	ERROR	instance/beat.go:933	Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}]
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch http://95.216.204.11:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"failed to authenticate user [elastic]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}]

this is the log from the ES Server:

[2020-04-27T22:30:37,730][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]

KoettingSimon · April 27, 2020, 8:41pm

Are there any other interesting Logs arround the Error in the ES-Logs?

Georgios_Nikoloudis · April 27, 2020, 8:45pm

yes

, i tested this localy to ES Server and works

curl -u elastic 'http://localhost:9200/_xpack/security/_authenticate?pretty'
Enter host password for user 'elastic':
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}

then I tested remotely and also worked - so it works manual but not in the configuation.???

[root@fngnetde filebeat]# curl -u elastic 'http://95.216.204.11:9200/_xpack/security/_authenticate?pretty'
Enter host password for user 'elastic':
{
  "username" : "elastic",
  "roles" : [
    "superuser"
  ],
  "full_name" : null,
  "email" : null,
  "metadata" : {
    "_reserved" : true
  },
  "enabled" : true,
  "authentication_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  },
  "lookup_realm" : {
    "name" : "reserved",
    "type" : "reserved"
  }
}

KoettingSimon · April 27, 2020, 9:04pm

That's strange. Could you please post a larger ES-Log? May some of the surrounding logs of the error helps us.

Georgios_Nikoloudis · April 27, 2020, 9:08pm

There are some exceptions:

root@ubuntu-4gb-hel1-1:~# tail -200 /var/log/elasticsearch/my-application.log
	at sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:955) ~[?:?]
	at sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:944) ~[?:?]
	at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1252) ~[?:?]
	at sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1188) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851) ~[?:?]
	at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:812) ~[?:?]
	at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396) ~[?:?]
	at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247) ~[?:?]
	at java.security.AccessController.doPrivileged(AccessController.java:691) ~[?:?]
	at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192) ~[?:?]
	at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1502) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1516) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1400) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1227) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1274) ~[netty-handler-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:503) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-codec-4.1.43.Final.jar:4.1.43.Final]
	... 16 more
[2020-04-27T21:20:58,738][INFO ][o.e.h.AbstractHttpServerTransport] [node-1] publish_address {95.216.204.11:9200}, bound_addresses {[::]:9200}
[2020-04-27T21:20:58,739][INFO ][o.e.n.Node               ] [node-1] started
[2020-04-27T21:20:59,040][INFO ][o.e.l.LicenseService     ] [node-1] license [c8eeb988-ccaa-4078-8880-97a7268cb251] mode [basic] - valid
[2020-04-27T21:20:59,041][INFO ][o.e.x.s.s.SecurityStatusChangeListener] [node-1] Active license is now [BASIC]; Security is enabled
[2020-04-27T21:20:59,051][INFO ][o.e.g.GatewayService     ] [node-1] recovered [4] indices into cluster_state
[2020-04-27T21:20:59,983][INFO ][o.e.c.r.a.AllocationService] [node-1] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[.kibana_task_manager_1][0], [.security-7][0], [.kibana_1][0]]]).
[2020-04-27T21:21:14,858][INFO ][o.e.c.m.MetaDataIndexTemplateService] [node-1] adding template [.management-beats] for index patterns [.management-beats]
[2020-04-27T21:22:47,232][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:24:00,166][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana]
[2020-04-27T21:24:41,235][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:32:49,907][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:33:41,536][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:34:32,767][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:35:16,054][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:36:19,609][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana]
[2020-04-27T21:36:49,404][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana]
[2020-04-27T21:37:22,477][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [kibana] was terminated by realm [reserved] - failed to authenticate user [kibana]
[2020-04-27T21:38:16,329][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:38:52,265][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:44:33,888][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:44:48,995][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:46:33,383][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:47:02,412][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:47:24,509][INFO ][o.e.x.s.a.AuthenticationService] [node-1] Authentication of [elastic] was terminated by realm [reserved] - failed to authenticate user [elastic]
[2020-04-27T21:49:17,620][WARN ][r.suppressed             ] [node-1] path: /_security/api_key, params: {owner=true}
java.lang.IllegalStateException: api keys are not enabled
	at org.elasticsearch.xpack.security.authc.ApiKeyService.ensureEnabled(ApiKeyService.java:584) ~[?:?]
	at org.elasticsearch.xpack.security.authc.ApiKeyService.getApiKeys(ApiKeyService.java:867) ~[?:?]
	at org.elasticsearch.xpack.security.action.TransportGetApiKeyAction.doExecute(TransportGetApiKeyAction.java:56) ~[?:?]
	at org.elasticsearch.xpack.security.action.TransportGetApiKeyAction.doExecute(TransportGetApiKeyAction.java:23) ~[?:?]
	at org.elasticsearch.action.support.TransportAction$RequestFilterChain.proceed(TransportAction.java:153) [elasticsearch-7.6.2.jar:7.6.2]
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$apply$0(SecurityActionFilter.java:86) [x-pack-security-7.6.2.jar:7.6.2]
	at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:63) [elasticsearch-7.6.2.jar:7.6.2]
	at org.elasticsearch.xpack.security.action.filter.SecurityActionFilter.lambda$authorizeRequest```

Georgios_Nikoloudis · April 28, 2020, 7:02am

Any Idea?

Some other queries, what is a filebeat alternative? Shall I use srsyslog forwarding? what are the differences?

thanks

system · May 26, 2020, 7:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.