Issue with Installing X-Pack on ELK - Security Exception Error

I'm trying to install the X-Pack on ELK, but I'm having difficulty. Here is where I'm at:

  • The elasticsearch and kibana installs have completed without issue

  • I've installed X-Pack on logstash

  • Issue #1: the instructions said, under #5 here, to edit the logstash.yml config file and change the username and password. Those two settings didn't exist in my logstash.yml file so I added them manually.

  • Issue #2
    When I try to query data that has been loaded via logstash I get:
    "error": {
      "root_cause": [
        {
          "type": "security_exception",
          "reason": "action [indices:data/read/search] is unauthorized for user [kibana]"
        }
      ],
      "type": "security_exception",
      "reason": "action [indices:data/read/search] is unauthorized for user [kibana]"
    },
    "status": 403

Question #1: How can I fix this?

Question #2: Was it correct to edit the logstash.yml manually?

It looks like you have logged into Kibana as the kibana user.
That's a common mistake that new users make.

The kibana user is the user that the Kibana application uses for its own purposes when it connects to Elasticsearch. For example, it is how Kibana can tell whether your ES server is available, and whether it has security turned on. You should not log in to Kibana as that user, because it doesn't have permission to do very much (which is intentional - it has just enough access to run Kibana but no more).

You should initially log in to Kibana using the elastic user. This is a superuser that can do everything.
You can use that user for everything you want to do, and always log in to Kibana as elastic, but we don't recommend it. Because that user can do everything, it can make a horrible mess of your cluster if you're not careful, and one of the benefits of X-Pack security is that it can protect you from mistakes like that.

Rather, we recommend that you use the elastic user to log in the first time, and then use the Kibana admin screens to create new, lower privileged users and roles that have just the permissions that you need, but nothing more. You can then safely use those users to do your work in Kibana, and you can always log in as elastic if you need to make major changes.

Yes, it is entirely unrelated to the error above.
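
The setup recommended in the answer above, done through the 6.x X-Pack security REST API instead of the Kibana admin screens. This is an added example, not part of the original thread; the `stocks-*` index pattern, the `stocks_reader` role, the `stocks_analyst` user and the environment variable names are assumptions.

```bash
#!/usr/bin/env bash
# Added example: a read-only role and a user for day-to-day Kibana work,
# created with the Elasticsearch 6.x X-Pack security API.
# Assumed names (not from the thread): stocks-* index pattern, stocks_reader
# role, stocks_analyst user, ES_URL, ELASTIC_PASSWORD, ANALYST_PASSWORD.
# Assumes the passwords contain no double quotes or backslashes.

ES_URL="${ES_URL:-http://localhost:9200}"

# JSON body for a role that may only search and inspect one index pattern.
# No cluster privileges are granted.
role_body() {
  printf '{"cluster": [], "indices": [{"names": ["%s"], "privileges": ["read", "view_index_metadata"]}]}' "$1"
}

# JSON body for a user holding the new role plus the built-in kibana_user
# role, which gives the account access to the Kibana UI in 6.x.
user_body() {
  printf '{"password": "%s", "roles": ["%s", "kibana_user"]}' "$1" "$2"
}

# Send one PUT authenticated as the elastic superuser; fail on HTTP errors.
es_put() {
  curl --silent --show-error --fail \
    -u "elastic:${ELASTIC_PASSWORD:?set ELASTIC_PASSWORD}" \
    -H 'Content-Type: application/json' \
    -X PUT "${ES_URL}$1" -d "$2"
}

# Create the role first, then the user that references it.
apply() {
  es_put "/_xpack/security/role/stocks_reader" "$(role_body 'stocks-*')" &&
  es_put "/_xpack/security/user/stocks_analyst" \
    "$(user_body "${ANALYST_PASSWORD:?set ANALYST_PASSWORD}" stocks_reader)"
}

# Only contact the cluster when called with the "apply" argument.
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Passwords passed on the curl command line are visible in the process list, so this form suits a local test install like the one in this thread.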

If you are using 6.x then type this command:
bin/x-pack/setup-passwords auto -u "http://localhost:9200"
and check what the ELK password is.

If you change it in the logstash.yml file then you have to make the same edit in elasticsearch.yml and kibana.yml also, true in all three of the .yml files, and restart your cluster; it should work.

Thanks & Regards,

Thanks for the quick response. I have resolved my first issues, however I
am now having issues loading the data into logstash. I am getting this

#cat stocks.csv | ./logstash -f stocks.conf

Sending Logstash's logs to /Users//Downloads/logstash-6.1.1/logs
which is now configured via

[2018-01-11T00:12:44,197][INFO ][logstash.modules.scaffold] Initializing
module {:module_name=>"netflow",

[2018-01-11T00:12:44,211][INFO ][logstash.modules.scaffold] Initializing
module {:module_name=>"fb_apache",

[2018-01-11T00:12:45,118][INFO ][logstash.modules.scaffold] Initializing
module {:module_name=>"arcsight",

[2018-01-11T00:12:45,238][FATAL][logstash.runner ] An unexpected
error occurred! {:error=>#<ArgumentError: Setting ""
hasn't been registered>,
get_setting'", "/Users/<USERNAME>/Downloads/logstash-6.1.1/logstash-core/lib/logstash/settings.rb:65:inset_value'",
block in merge'", "org/jruby/'",
merge'", "/Users/<USERNAME>/Downloads/logstash-6.1.1/logstash-core/lib/logstash/settings.rb:133:invalidate_all'",
execute'", "/Users/<USERNAME>/Downloads/logstash-6.1.1/vendor/bundle/jruby/2.3.0/gems/clamp-0.6.5/lib/clamp/command.rb:67:inrun'",
run'", "/Users/<USERNAME>/Downloads/logstash-6.1.1/vendor/bundle/jruby/2.3.0/gems/clamp-0.6.5/lib/clamp/command.rb:132:inrun'",

How can I resolve this error?


Christina Galligan

Remove the true

line from your logstash.yml file.

@Krunal_kalaria is mistaken, it shouldn't be there.
In fact you shouldn't need to add it to any configuration file - security is on by default if x-pack is installed with an appropriate license (trial, gold, or platinum).

One time my Kibana was not working, then I tried this in the .yml file and then it was working. I didn't know it was wrong. Thanks @TimV for correcting me. :blush::slightly_smiling_face:
