Logstash failing after installing x-pack, elastic stack 6

Hi everyone!
I try to add to my Elastic stack 6 x-pack, on my CenOS7 VM.
Everything worked fine before x-pack was installed.
I followed closely this manual: Installing X-Pack | X-Pack for the Elastic Stack [6.2] | Elastic.

I installed x-pack and created a folder using certgen with nodeName.crt and nodeName.key.

Things I added to elasticsearch.yml after installing x-pack:

xpack.ssl.key: /etc/elasticsearch/${node.name}/${node.name}.key
xpack.ssl.certificate: /etc/elasticsearch/${node.name}/${node.name}.crt
xpack.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt
xpack.security.transport.ssl.enabled: true
xpack.license.self_generated.type: "trial"
action.auto_create_index: .security,.monitoring*,.watches,.triggered_watches,.watcher-history*,.ml*,*

The path is fine.

I ran the password setup using the elasticsearch/bin/x-pack/setup-passwords interactive, and set my pass word for each product as its own user name and password. For example:
username: elasticsearch
password: elasticsearch
username: kibana
password: kibana
and the same for logstash.

When I start elasticsearch using bin/elasticsearch - everything work fine.

I installed x-pack in kibana.
I added the following to kibana.yml:

elasticsearch.username: "kibana"
elasticsearch.password: "kibana"

I started kibana via /bin/kibana - everything works fine. I can enter the login info into kibana and I can see that elasticsearch is up and running.

I installed x-pack in logstash.
I added these line to logstash.yml:

xpack.monitoring.elasticsearch.url: "http://localhost:9200"
xpack.monitoring.elasticsearch.username: "logstash"
xpack.monitoring.elasticsearch.password: "logstash"
xpack.management.enabled: true
xpack.management.elasticsearch.url: "http://localhost:9200"

This is what I added to the .conf file:

output {
  elasticsearch {
    hosts => "localhost:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
    user => "elasticsearch"
    password => "elasticsearch"


when I try to run bin/logstash -f myConfigFile.conf I get these errors:

[ERROR] 2017-12-21 15:13:21.199 [[.monitoring-logstash]-pipeline-manager] licensemanager - Unable to retrieve license information from license server {:message=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError"}

[ERROR] 2017-12-21 15:10:45.244 [Ruby-0-Thread-1: /usr/share/logstash/vendor/bundle/jruby/2.3.0/gems/stud-0.0.23/lib/stud/task.rb:22] metrics - Monitoring is not available: License information is currently unavailable. Please make sure you have added your production elasticsearch connection info in the xpack.monitoring.elasticsearch settings.

[ERROR] 2017-12-21 15:13:51.233 [monitoring-license-manager] licensemanager - Unable to retrieve license information from license server {:message=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError"}

When I try to run logstash as a service using systemctl (doing the same with elasticsearch and kibana works fine) and I tail the log I get this error:

[2017-12-21T13:31:17,457][ERROR][logstash.configmanagement.bootstrapcheck] There are config files (1) in the '/etc/logstash/conf.d/*.conf' folder. Elasticsearch is configured as the config store so configs cannot be sourced via the command line with -f or via logstash.yml with path.config

My questions are:

  1. What are these error and how to fix them?
  2. In elasticsearch.yml I have this configuration:

xpack.ssl.certificate_authorities: /etc/elasticsearch/ca/ca.crt

and according to this page the value should be something like: certs/ca/ca.crt. I generated .crt and .key files using certgen, but I used them as the previous configuration:

xpack.ssl.key: /etc/elasticsearch/${node.name}/${node.name}.key
xpack.ssl.certificate: /etc/elasticsearch/${node.name}/${node.name}.crt

What is the differance between the ssl .crt and .key and the authorities one? What I did is to artificially generate "ca" folder and "ca.crt" in it as the example shown in the elasticsearch docs. Did I did the right thing? how to handle this? I want to remind the everything worked ok with elastic, and no errors were presented due to this configuration.

  1. When I tried to run again the x-pack setup passwrods interactive, it alrets me:

    Failed to authenticate user 'elastic' against
    Possible causes include:
     * The password for the 'elastic' user has already been changed on this cluster
     * Your elasticsearch node is running against a different keystore
       This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

It's sound reasonable because I did changed the password, but if I want to change it again or to inspect the usr/pass for each elastic stack product, how can I do it?

That's it. Can anyone help me get logstash working with x-pack and the rest of my elsatic stack?

1 Like


1 Like

can someone pls respond... i have a similar situation.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.