Filebeat is not receiving logs from logstash

DharaniKumar · July 4, 2017, 9:00am

[2017-07-04T14:24:02,247][ERROR][logstash.outputs.elasticsearch] Got a bad response code from server, but this code is not considered retryable. Request will be dropped {:code=>401, :response_body=>"{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_bulk]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_bulk]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}"}
[2017-07-04T14:24:04,504][INFO ][logstash.outputs.elasticsearch] Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://xx.xx.x.xx:9200/, :path=>"/"}
[2017-07-04T14:24:04,509][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x5fe49749 URL:http://xx.xx.x.xx:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://xx.xx.x.xx:9200/'"}

Vishal_Sharma1 · July 4, 2017, 9:05am

Read above and sort it out

DharaniKumar · July 4, 2017, 9:09am

where to sort this out... in kibana console???

before installing x-pack in my ELK stack im not getting any issues like this... Im getting this error log after installing x-pack...

magnusbaeck · July 4, 2017, 9:23am

Have you configured Logstash to authenticate to ES?

DharaniKumar · July 4, 2017, 9:25am

Yes i did.

xpack.monitoring.elasticsearch.url: ["http://xx.xx.xx.xx:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "password"
xpack.monitoring.enabled: true

DharaniKumar · July 4, 2017, 9:27am

when ever im installing x-pack im facing this issue... and filebeat also not working properly after x-pack installation...

Vishal_Sharma1 · July 4, 2017, 9:28am

The configuration is not correct, as its not able to authenticate.

DharaniKumar · July 4, 2017, 9:42am

Now i uninstalled x-pack and im not getting any issues with filebeat and logstash

Vishal_Sharma1 · July 4, 2017, 9:58am

See you are doing something wrong while configuring X-PACK did you follow the official tutorials ?
If you can than please share the config files with us so that we can help you better.

magnusbaeck · July 4, 2017, 11:27am

Yes i did.

xpack.monitoring.elasticsearch.url: ["http://xx.xx.xx.xx:9200"]
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "password"
xpack.monitoring.enabled: true

That covers the monitoring but it's the elasticsearch output plugin that's complaining. Make sure you've configured authentication there as well.

DharaniKumar · July 4, 2017, 11:29am

This is what i've in my elasticsearch output plugin config file.

output {
stdout { codec => rubydebug }
elasticsearch {
hosts => ["XX.XX.XX.XX:9200"]
sniffing => false
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

Vishal_Sharma1 · July 4, 2017, 11:32am

ah no i am sorry for the confusion .. I need to see what you have done for authentication in elasticsearch as Magnus Bäck asked above ..

magnusbaeck · July 4, 2017, 11:33am

This is what i've in my elasticsearch output plugin config file.

Right, and no username and password options are set. See the elasticsearch output documentation for more on how to configure authentication.

system · August 1, 2017, 11:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.