Logstash - Getting failed install template

Kaufusihm · December 3, 2015, 9:44pm

I am not able to get Elasticsearch with shield working with Logstash.

Here is my output-config for logstash:

output {
elasticsearch
{
Protocol => "http"
user => "ls_user"
password => "hulkicu4"
hosts => "IP"
}
stdout { codec => rubydebug }
}

magnusbaeck · December 4, 2015, 6:57am

Please show the full error message from the Logstash log.

Kaufusihm · December 4, 2015, 9:39pm

output {
elasticsearch
{
hosts => "IP"
user => "name"
password => "password"
}
stdout { codec => rubydebug }
}

{:timestamp=>"2015-12-03T15:28:53.124000-0700", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
{:timestamp=>"2015-12-03T15:29:05.470000-0700", :message=>"Failed to install template: [401] {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}", :level=>:error}
{:timestamp=>"2015-12-03T16:59:12.885000-0700", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}
{:timestamp=>"2015-12-04T13:44:57.745000-0700", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}

magnusbaeck · December 5, 2015, 3:50pm

So the error message indicates that Logstash isn't including authentication credentials with the HTTP request, which is surprising since you're supplying them. I'd use Wireshark or similar to find out whether Logstash is actually sending the credentials and, if so, if they're correct.

Kaufusihm · December 7, 2015, 4:54pm

Do I need to supply a port in my logstash elasticsearch output config or the cluster name?

magnusbaeck · December 7, 2015, 6:28pm

Do I need to supply a port in my logstash elasticsearch output config

Only if it's different from 9200.

or the cluster name?

With the HTTP-only version of the plugin you're using there is to cluster name setting.

Kaufusihm · December 8, 2015, 6:27pm

So I have tried looking into this error...

I've done a telnet with port 9200 and it's fine
I've looked at firewalls and no issue there

Based on my configuration on logstash is it correct or am I missing anything?

I'm having issues understanding HTTP and transport protocol for the configuration.

DO I need that declared in my config?

Also, if I use transport protocol elastic says I need to install the transport plugin.

Thanks for your help...

Kaufusihm · December 8, 2015, 9:49pm

I'm trying to avoid using wireshark due to not having a gui on my ubuntu logstash server and I don't have sudo without password access to run a remote ssh capture session with wireshark. Do you have any orther suggestions of help. I have redone all the elastic steps to setup shield with logstash and elasticsearch and am still getting:

{:timestamp=>"2015-12-07T15:56:50.099000-0700", :message=>"Failed to install template: [401] {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}", :level=>:error}
{:timestamp=>"2015-12-07T16:45:30.785000-0700", :message=>"SIGTERM received. Shutting down the pipeline.", :level=>:warn}