Logstash2.0 can't write to ES2.0 with Shield

robertranjan · November 17, 2015, 9:56pm

I'm trying to send events from LS2.0 to ES2.0+Shield2.0 using basic http authentication but failing because of authentication issue.

OS: centOS 6
ES, LS and Kibana 2.0

Tried solution at http://stackoverflow.com/questions/30781346/logstash-not-writing-to-elasticsearch-with-shield but did not help in CentOS6.

[root@log-receiver logstash]# /opt/logstash/bin/logstash -f /opt/configs/instance_1/logstash-conf.json

Default settings used: Filter workers: 2
Date filter now use BCP47 format for locale, replacing underscore with dash {:level=>:warn}
Failed to install template: [401] {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401} {:level=>:error}
Logstash startup completed

#Everything was working until installing shield. I know I'm missing something but can't find out. Can some expert help to resolve this issue, please?

#Output of logstash-conf.json:

output {
  elasticsearch {
	#protocol => "transport"
	hosts => [ "es1.domain:9200" ]
	keystore => "/opt/keys/ops-cert.pem"
	keystore_password => "password_in_plainText"
	user	=> "logstash"
	password	=>	"password_in_plainText"
	#password	=>	"password_copied_from_es/shielConfig/users"
  }
}

At elasticsearch server:

[root@es1 shield]# /usr/share/elasticsearch/bin/shield/esusers roles logstash
logstash : logstash,admin

logstash user role from /etc/elasticsearch/shield/roles.yml
---snip--

logstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
    'logstash-*':
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index, cluster:monitor/state

skearns · November 18, 2015, 7:08am

Hi Robert,

Were you able to resolve this? It looks like you want Logstash to authenticate via PKI, but it's possible that you have not yet configured the PKI realm in Shield/Elasticsearch.yml.

Thanks,
Steve

robertranjan · November 18, 2015, 7:11am

Thanks for your response Steve.

I couldn't resolve this issue. I didn't configured PKI realm in elastisearch.yml. I'm trying to use basic http auth.

jaymode · November 18, 2015, 2:45pm

Hi Robert,

Can you use the logstash user from the command line or a browser to access the cluster?

robertranjan · November 18, 2015, 3:16pm

I can access as below:

USER@imac: python>curl -u logstash -XGET es1.DOMAIN:9200/
Enter host password for user 'logstash':
{
  "name" : "es1.DOMAIN",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.0.0",
    "build_hash" : "de54438d6af8f9340d50c5c786151783ce7d6be5",
    "build_timestamp" : "2015-10-22T08:09:48Z",
    "build_snapshot" : false,
    "lucene_version" : "5.2.1"
  },
  "tagline" : "You Know, for Search"
}
USER@imac: python>

When I try to get the ../_cat/health or _cat/indices it fails.

RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/health
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$
RobertsMBP:ansible rthanulingam$
RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/indices
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$

suyograo · November 18, 2015, 5:04pm

@robertranjan do you have "@" symbol in password for Shield user?

robertranjan · November 18, 2015, 6:38pm

No. I do not.

Actually I had @ symbol; I removed it after reading below thread but didn't help.
https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/232

robertranjan · December 7, 2015, 9:59pm

This issue got resolved by re-installing ES2/Shield.

Please go ahead and close this ticket.

Thanks ALL for your help.