Help with Logstash security features

I just enabled security on my Elasticsearch 7.1 so that it requires a user and password to log in, but Logstash stopped working. I'm getting this error:
[2019-05-30T12:58:41,053][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>403, :url=>"http://10.11.7.20:9200/_bulk"}
[2019-05-30T12:58:41,055][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>403, :url=>"http://10.11.7.20:9200/_bulk"}
[2019-05-30T12:58:41,058][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>403, :url=>"http://10.11.7.20:9200/_bulk"}
[2019-05-30T12:58:41,055][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>403, :url=>"http://10.11.7.20:9200/_bulk"}

My /etc/logstash/conf.d/syslog-input.conf file is this:
#Input by ports
input {
  syslog {
    port => 5140
    type => "network"
  }
  syslog {
    port => 5141
    type => "fail2ban"
  }
  syslog {
    port => 5142
    type => "quagga"
  }
}
#Output to logstash_systemsearch
output {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"
    password => "Kz8twlWy9i3NWBZOYR1T"
  }
}
#Filters
filter {
  if [type] == "enswitch" {
    # user/password are settings of the elasticsearch output; they are not valid inside a filter
    grok {
      patterns_dir => [ "/etc/logstash/patterns" ]
      match => [ "message", "%{ENSWITCH1}" ]
      overwrite => [ "message" ]
    }
  }
}
What can I do to make Logstash work again?

Please format your code/logs/config using the </> button, or markdown style back ticks. It helps to make things easy to read which helps us help you :slight_smile:

HTTP 403 means the details you are using are not valid, can you try connecting to Elasticsearch using curl and those details?

Yes, as you can see in the next screenshot, if I use curl with these credentials I get a reply.

The credentials are valid.

Please don't post pictures of text, they are difficult to read and some people may not be even able to see them.

curl -u logstash_system:Kz8twlWy9i3NWBZOYR1T http://10.11.7.20:9200/_cluster/health

{"cluster_name":"ttco-elk","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":19,"active_shards":19,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":1,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":95.0}

That doesn't match what is in your config though?

This is my /etc/logstash/logstash.yml config file:

path.data: /var/lib/logstash
path.logs: /var/log/logstash

and the Logstash conf file is as in the first post:

#Output to logstash_systemsearch
output {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"
    password => "Kz8twlWy9i3NWBZOYR1T"
  }
}

Right, but that does not match the details you use in your curl. The password is entirely different.

I changed the password in the first post only as an example; I am using the right password. Of course my password is not "password".

Given that you are getting a 403 response code, which suggests an authentication or authorization error, being consistent in the obfuscation of your authentication data would help a lot. For sure you should obfuscate/redact it (in both this thread and the other one) but please try to be consistent, so that we know that you know when data is consistent.
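As an added triage helper (not posted by anyone in this thread), the script below sorts Logstash elasticsearch-output errors by their HTTP status and prints the two checks that tell a rejected login (401) apart from an authenticated user that lacks privilege on the target (403, as in the `_bulk` errors above): the `_security/_authenticate` API shows which roles the user really holds, and `_security/user/_has_privileges` asks whether those roles cover the index writes the output needs. The log lines are constructed samples in the format quoted in the first post; the host, user and `logstash-*` index pattern are placeholders, and the password is assumed to come from an `ES_PASS` environment variable rather than the command line.

```shell
#!/bin/sh
# Added example: classify Logstash elasticsearch-output errors by HTTP status
# and build the curl checks that separate a bad login from a missing privilege.

# Constructed sample log lines (same format as Logstash 7.x retryable errors).
SAMPLE_LOG='[2019-05-30T12:58:41,053][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>403, :url=>"http://10.11.7.20:9200/_bulk"}
[2019-05-30T12:58:42,001][ERROR][logstash.outputs.elasticsearch] Encountered a retryable error. Will Retry with exponential backoff {:code=>401, :url=>"http://10.11.7.20:9200/_bulk"}'

# classify_line LINE -> prints one of: auth-failed | forbidden | other | none
classify_line() {
    code=$(printf '%s\n' "$1" | sed -n 's/.*:code=>\([0-9][0-9]*\).*/\1/p')
    case "$code" in
        401) echo "auth-failed" ;;   # credentials rejected: check user/password
        403) echo "forbidden" ;;     # login accepted, but no privilege on the target
        "")  echo "none" ;;          # not an HTTP-status error line
        *)   echo "other" ;;
    esac
}

# count_status LOG CODE -> number of lines carrying that :code=>
count_status() {
    printf '%s\n' "$1" | grep -c ":code=>$2,"
}

# authenticate_cmd HOST USER -> curl that returns the user's roles.
# The password is read from ES_PASS so it never lands in shell history.
authenticate_cmd() {
    printf 'curl -s -u %s:"$ES_PASS" http://%s/_security/_authenticate' "$2" "$1"
}

# has_privileges_body INDEX_PATTERN -> request body for POST
# /_security/user/_has_privileges: can this user write to the index pattern?
has_privileges_body() {
    printf '{"index":[{"names":["%s"],"privileges":["write","create_index"]}]}' "$1"
}

main() {
    printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
        printf '%s  %s\n' "$(classify_line "$line")" "$line"
    done
    echo "403 responses: $(count_status "$SAMPLE_LOG" 403)"
    echo "Check roles:   $(authenticate_cmd 10.11.7.20:9200 logstash_system)"
    echo "Then POST this body to /_security/user/_has_privileges:"
    has_privileges_body 'logstash-*'; echo
}

main
```

If the authenticate call succeeds but the privilege check answers false for the index pattern, the 403 is an authorization problem, and the fix is a role with write access for the user Logstash runs as rather than a password change.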

OK, I just edited the thread to be consistent. I reviewed all the config and I can't find the error in my config.
