Hi, we are having an issue with the Logstash Netflow Module trying to run the --setup command to install the Dashboards and Indices Templates in an X-Pack secured environment, which is running in a DARK network environment, so no possibility to reload anything directly from the internet.
This is the module config within logstash.yml
modules:
  - name: netflow
    var.input.udp.port: 9996
    var.elasticsearch.hosts: "https://ELSATICIP:9200"
    #var.elasticsearch.username: "logstash_internal"
    #var.elasticsearch.password: "xxx"
    var.elasticsearch.username: "elastic"
    var.elasticsearch.password: "xxx"
    var.elasticsearch.ssl.enabled: true
    var.elasticsearch.ssl.certificate_authority: "/etc/pki/elastic-stack-ca.pem"
    var.kibana.host: "KIBANAIP:5601"
    var.kibana.scheme: "https"
    var.kibana.username: "kibana"
    var.kibana.password: "xxx"
    var.kibana.ssl.enabled: true
    var.kibana.ssl.certificate_authority: "/etc/pki/kibana-cert.pem"
And here the two ERROR messages.
[2019-06-03T13:01:48,806][ERROR][logstash.modules.kibanasettings] Attempted POST failed {:url_path=>"api/kibana/settings", :response=>{"statusCode"=>403, "error"=>"Forbidden", "message"=>"Unable to update config, missing action:saved_objects/config/update"}}
[2019-06-03T13:01:48,874][ERROR][logstash.modules.kibanadashboards] Attempted POST failed {:url_path=>"api/kibana/dashboards/import", :response=>{"statusCode"=>400, "error"=>"Bad Request", "message"=>"Unable to bulk_create dashboard,index-pattern,search,visualization, missing action:saved_objects/dashboard/bulk_create,action:saved_objects/index-pattern/bulk_create,action:saved_objects/search/bulk_create,action:saved_objects/visualization/bulk_create"}}
We tried to run the setup command directly with
./logstash --setup --module netflow --path.settings /path/to/config/ --log.level debug
and also tried to reconfigure the service itself setting the appropriate flags.
We also read through this post https://discuss.elastic.co/t/run-setup-netflow-module-when-ls-is-a-service-was-install-netflow-module-error/109166/7
It seems that Logstash is trying to download something from an external source (internet) which is unavailable in this environment. Or is a role missing for the Kibana user? elastic is already the superuser. Any advice on this?