Logstash not working after enabling xpack.security

Recently I enabled xpack.security in Elasticsearch, but Logstash stopped working and I got this error:

```
[2019-05-30T17:16:08,636][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://10.11.7.20:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://10.11.7.20:9200/'"}
```

My Logstash conf file /etc/logstash/logstash.yml is:

```yaml
path.data: /var/lib/logstash
path.logs: /var/log/logstash
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "Kz8twlWy9i3NWBZOYR1T"
xpack.monitoring.elasticsearch.hosts: ["https://10.11.7.20:9200", "https://10.11.7.17:9200"]
xpack.monitoring.elasticsearch.url: "http://10.11.7.20:9200"
xpack.management.enabled: true
xpack.management.elasticsearch.url: "http://10.11.7.20:9200"
```

My /etc/logstash/conf.d/syslog-input.conf file is the following:

```
input {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"
    password => "Kz8twlWy9i3NWBZOYR1T"
  }
}
output {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"
    password => "Kz8twlWy9i3NWBZOYR1T"
  }
}
filter {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"
    password => "Kz8twlWy9i3NWBZOYR1T"
  }
  if [type] == "quagga" {
    grok {
      patterns_dir => ["/etc/logstash/patterns"]
      match => [ "message", "%{UPDATE1}" ]
      overwrite => ["message"]
    }
  }
}
```
And my Logstash is not working after enabling the authentication login for Kibana. What can I do?

If I use curl like this on the server, it works:

```
curl -u logstash_system:Kz8twlWy9i3NWBZOYR1T http://10.11.7.20:9200/_cluster/health
{"cluster_name":"ttco-elk","status":"yellow","timed_out":false,"number_of_nodes":1,"number_of_data_nodes":1,"active_primary_shards":19,"active_shards":19,"relocating_shards":0,"initializing_shards":0,"unassigned_shards":1,"delayed_unassigned_shards":0,"number_of_pending_tasks":0,"number_of_in_flight_fetch":0,"task_max_waiting_in_queue_millis":0,"active_shards_percent_as_number":95.0}
```

I had the same issue. I believe that the logstash_system user is buggered up. Create a new user in Elasticsearch and give it the proper write access to the index patterns you want it to be able to write to.
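
One way to act on the reply above, as an added example that is not code from the thread or from Elastic: it scans a pipeline config for `elasticsearch` plugins that log in as a built-in monitoring account and builds the security API requests for a dedicated writer. The role and user names (`logstash_writer`, `logstash_internal`), the `logstash-*` pattern, the privilege list and the 7.x API paths are assumptions.

```python
import json
import re

# Built-in accounts reserved for shipping monitoring data; their roles give no
# access to data indices, so pipeline plugins should not log in as them.
MONITORING_ONLY_USERS = {"logstash_system", "beats_system", "apm_system"}

# Comments, quoted strings (may contain braces, e.g. "%{UPDATE1}"), punctuation, barewords.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|=>|[{}\[\],=]|[^\s{}\[\],"'#=]+''')

def audit_pipeline(conf):
    """Return (section, user) for every elasticsearch plugin using a monitoring-only account."""
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith("#")]
    stack, findings = [], []
    for i, tok in enumerate(tokens):
        if tok == "{":
            stack.append(tokens[i - 1] if i else "")   # name of the block being opened
        elif tok == "}" and stack:
            stack.pop()
        elif tok == "user" and stack[-1:] == ["elasticsearch"] and tokens[i + 1:i + 2] == ["=>"]:
            user = tokens[i + 2].strip("\"'") if i + 2 < len(tokens) else ""
            if user in MONITORING_ONLY_USERS:
                findings.append((stack[0], user))      # stack[0] is input/filter/output
    return findings

def fix_requests(index_patterns, password):
    """Security API calls (7.x paths; 6.x uses /_xpack/security/...) for a least-privilege writer."""
    role = {
        "cluster": ["monitor", "manage_index_templates"],
        "indices": [{"names": list(index_patterns), "privileges": ["write", "create_index"]}],
    }
    user = {"password": password, "roles": ["logstash_writer"]}   # hypothetical names
    return [("PUT", "/_security/role/logstash_writer", role),
            ("PUT", "/_security/user/logstash_internal", user)]

# Constructed sample modelled on the pipeline in the question (password replaced).
SAMPLE = '''
output {
  elasticsearch {
    hosts => ["10.11.7.20:9200"]
    user => "logstash_system"   # monitoring-only account
    password => "<redacted>"
  }
}
filter { if [type] == "quagga" { grok { match => [ "message", "%{UPDATE1}" ] } } }
'''

if __name__ == "__main__":
    for section, user in audit_pipeline(SAMPLE):
        print(f"{section}: elasticsearch plugin authenticates as {user}")
    for method, path, body in fix_requests(["logstash-*"], "<choose-a-password>"):
        print(method, path, json.dumps(body))
```

Once the user exists, the pipeline's `elasticsearch` plugins authenticate as it, and `logstash_system` stays in the `xpack.monitoring.*` settings only.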
