Logstash2.0 can't write to ES2.0 with Shield

I'm trying to send events from LS2.0 to ES2.0+Shield2.0 using basic http authentication but failing because of authentication issue.

OS: centOS 6
ES, LS and Kibana 2.0

Tried solution at http://stackoverflow.com/questions/30781346/logstash-not-writing-to-elasticsearch-with-shield but did not help in CentOS6.

[root@log-receiver logstash]# /opt/logstash/bin/logstash -f /opt/configs/instance_1/logstash-conf.json

Default settings used: Filter workers: 2
Date filter now use BCP47 format for locale, replacing underscore with dash {:level=>:warn}
Failed to install template: [401] {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401} {:level=>:error}
Logstash startup completed

#Everything was working until installing shield. I know I'm missing something but can't find out. Can some expert help to resolve this issue, please?

#Output of logstash-conf.json:

output {
  elasticsearch {
	#protocol => "transport"
	hosts => [ "es1.domain:9200" ]
	keystore => "/opt/keys/ops-cert.pem"
	keystore_password => "password_in_plainText"
	user	=> "logstash"
	password	=>	"password_in_plainText"
	#password	=>	"password_copied_from_es/shielConfig/users"

At elasticsearch server:

[root@es1 shield]# /usr/share/elasticsearch/bin/shield/esusers roles logstash
logstash : logstash,admin

logstash user role from /etc/elasticsearch/shield/roles.yml

  cluster: indices:admin/template/get, indices:admin/template/put
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index, cluster:monitor/state

Hi Robert,

Were you able to resolve this? It looks like you want Logstash to authenticate via PKI, but it's possible that you have not yet configured the PKI realm in Shield/Elasticsearch.yml.


Thanks for your response Steve.

I couldn't resolve this issue. I didn't configured PKI realm in elastisearch.yml. I'm trying to use basic http auth.

Hi Robert,

Can you use the logstash user from the command line or a browser to access the cluster?

I can access as below:

USER@imac: python>curl -u logstash -XGET es1.DOMAIN:9200/
Enter host password for user 'logstash':
  "name" : "es1.DOMAIN",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.0.0",
    "build_hash" : "de54438d6af8f9340d50c5c786151783ce7d6be5",
    "build_timestamp" : "2015-10-22T08:09:48Z",
    "build_snapshot" : false,
    "lucene_version" : "5.2.1"
  "tagline" : "You Know, for Search"
USER@imac: python>

When I try to get the ../_cat/health or _cat/indices it fails.

RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/health
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$
RobertsMBP:ansible rthanulingam$
RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/indices
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$

@robertranjan do you have "@" symbol in password for Shield user?

No. I do not.

Actually I had @ symbol; I removed it after reading below thread but didn't help.

This issue got resolved by re-installing ES2/Shield.

Please go ahead and close this ticket.

Thanks ALL for your help.