Logstash2.0 can't write to ES2.0 with Shield

security

(Robert Thanulingam) #1

I'm trying to send events from LS 2.0 to ES 2.0 + Shield 2.0 using basic HTTP authentication, but it is failing because of an authentication issue.

OS: CentOS 6
ES, LS and Kibana 2.0

Tried the solution at http://stackoverflow.com/questions/30781346/logstash-not-writing-to-elasticsearch-with-shield but it did not help on CentOS 6.

[root@log-receiver logstash]# /opt/logstash/bin/logstash -f /opt/configs/instance_1/logstash-conf.json

Default settings used: Filter workers: 2
Date filter now use BCP47 format for locale, replacing underscore with dash {:level=>:warn}
Failed to install template: [401] {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_template/logstash]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401} {:level=>:error}
Logstash startup completed

Everything was working until I installed Shield. I know I'm missing something but can't find out what. Can some expert help me resolve this issue, please?

Output section of logstash-conf.json:

output {
  elasticsearch {
    #protocol => "transport"
    hosts => [ "es1.domain:9200" ]
    keystore => "/opt/keys/ops-cert.pem"
    keystore_password => "password_in_plainText"
    user => "logstash"
    password => "password_in_plainText"
    #password => "password_copied_from_es/shielConfig/users"
  }
}

At elasticsearch server:

[root@es1 shield]# /usr/share/elasticsearch/bin/shield/esusers roles logstash
logstash : logstash,admin

The logstash role from /etc/elasticsearch/shield/roles.yml:
---snip--

logstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
    'logstash-*':
      privileges: indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index, cluster:monitor/state

(Steve Kearns) #3

Hi Robert,

Were you able to resolve this? It looks like you want Logstash to authenticate via PKI, but it's possible that you have not yet configured the PKI realm in Shield (elasticsearch.yml).

Thanks,
Steve


(Robert Thanulingam) #4

Thanks for your response Steve.

I couldn't resolve this issue. I didn't configure a PKI realm in elasticsearch.yml. I'm trying to use basic HTTP auth.


(Jay Modi) #5

Hi Robert,

Can you use the logstash user from the command line or a browser to access the cluster?


(Robert Thanulingam) #6

I can access as below:

USER@imac: python>curl -u logstash -XGET es1.DOMAIN:9200/
Enter host password for user 'logstash':
{
  "name" : "es1.DOMAIN",
  "cluster_name" : "elasticsearch",
  "version" : {
    "number" : "2.0.0",
    "build_hash" : "de54438d6af8f9340d50c5c786151783ce7d6be5",
    "build_timestamp" : "2015-10-22T08:09:48Z",
    "build_snapshot" : false,
    "lucene_version" : "5.2.1"
  },
  "tagline" : "You Know, for Search"
}
USER@imac: python>

When I try to GET _cat/health or _cat/indices, it fails:

RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/health
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/health] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$ curl -u logstash http://es1.DOMAIN:9200/_cat/indices
Enter host password for user 'logstash':
{"error":{"root_cause":[{"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"}],"type":"security_exception","reason":"action [cluster:monitor/state] is unauthorized for user [logstash]"},"status":403}
RobertsMBP:ansible rthanulingam$
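
An added example, not code from the original thread or from Elastic, tying together the 401 in post #1 and the 403s in the curl output above: Shield answers 401 "unable to authenticate user [...]" when the credentials themselves are rejected (roles are not consulted yet), and 403 "action [...] is unauthorized for user [...]" when the credentials are accepted but no role grants that action. The Python below parses both response shapes as quoted in this thread and checks the action named in a 403 against the role posted in #1. The sample responses are constructed from the bodies quoted above; the expansion of named privileges (create_index, write, read) and the treatment of template actions as cluster-scoped are assumptions modelled on the role on this page, not a copy of Shield's own privilege tables.

```python
"""Added example (not code from the original thread or from Elastic): classify
Shield 2.x error responses and check a 403's action against a roles.yml role.
Sample responses are constructed from the bodies quoted in this thread."""
import fnmatch
import json
import re

AUTHN_RE = re.compile(r"unable to authenticate user \[([^\]]+)\]")
AUTHZ_RE = re.compile(r"action \[([^\]]+)\] is unauthorized for user \[([^\]]+)\]")

# Shield named index privileges expanded to raw action patterns.
# Assumption: only the names used on this page; Shield's real groups are larger.
NAMED_INDEX_PRIVILEGES = {
    "create_index": ["indices:admin/create"],
    "write": ["indices:data/write/*"],
    "read": ["indices:data/read/*"],
}

# The role posted in #1, transcribed as a dict (cluster:monitor/state is kept
# under the index pattern exactly as it was posted).
ROLE_LOGSTASH = {
    "cluster": ["indices:admin/template/get", "indices:admin/template/put"],
    "indices": {
        "logstash-*": [
            "indices:data/write/bulk", "indices:data/write/delete",
            "indices:data/write/update", "indices:data/read/search",
            "indices:data/read/scroll", "create_index", "cluster:monitor/state",
        ],
    },
}

# Constructed responses: the 401 from the Logstash log and the 403s from curl.
SAMPLE_RESPONSES = [
    (401, '{"error":{"root_cause":[{"type":"security_exception","reason":"unable to '
          'authenticate user [logstash] for REST request [/_template/logstash]",'
          '"header":{"WWW-Authenticate":"Basic realm=\\"shield\\""}}],'
          '"type":"security_exception","reason":"unable to authenticate user '
          '[logstash] for REST request [/_template/logstash]"},"status":401}'),
    (403, '{"error":{"type":"security_exception","reason":"action '
          '[cluster:monitor/health] is unauthorized for user [logstash]"},"status":403}'),
    (403, '{"error":{"type":"security_exception","reason":"action '
          '[cluster:monitor/state] is unauthorized for user [logstash]"},"status":403}'),
    (200, '{"name":"es1.DOMAIN","tagline":"You Know, for Search"}'),
]


def classify(status, body):
    """Sort a response into ok / authn (credentials) / authz (role) / unknown."""
    if status < 400:
        return {"kind": "ok"}
    try:
        reason = json.loads(body)["error"]["reason"]
    except (ValueError, KeyError, TypeError):
        return {"kind": "unknown", "status": status}
    m = AUTHN_RE.search(reason)
    if status == 401 and m:
        # Credentials rejected: wrong password, unknown user, or no realm that
        # can authenticate this kind of credential. Roles are irrelevant here.
        return {"kind": "authn", "user": m.group(1)}
    m = AUTHZ_RE.search(reason)
    if status == 403 and m:
        # Credentials accepted; the user's roles do not grant this action.
        return {"kind": "authz", "user": m.group(2), "action": m.group(1)}
    return {"kind": "unknown", "status": status}


def is_cluster_action(action):
    """Template actions are cluster-scoped in Shield despite the 'indices:'
    prefix, which is why the posted role lists them under 'cluster'."""
    return action.startswith("cluster:") or action.startswith("indices:admin/template/")


def role_covers(role, action, index=None):
    """True if the role grants 'action' (on 'index', when one is given)."""
    if is_cluster_action(action):
        # A cluster action listed under an index pattern grants nothing.
        return any(fnmatch.fnmatch(action, p) for p in role.get("cluster", []))
    for pattern, privs in role.get("indices", {}).items():
        if index is not None and not fnmatch.fnmatch(index, pattern):
            continue
        for priv in privs:
            for granted in NAMED_INDEX_PRIVILEGES.get(priv, [priv]):
                if fnmatch.fnmatch(action, granted):
                    return True
    return False


def diagnose(role, responses):
    """One finding per failing response: fix credentials, or add the action
    under the right scope ('cluster:' or 'indices:') in roles.yml."""
    findings = []
    for status, body in responses:
        c = classify(status, body)
        if c["kind"] == "authn":
            findings.append("401 for user %s: credentials rejected; fix the user/"
                            "password (esusers) before touching roles.yml" % c["user"])
        elif c["kind"] == "authz":
            scope = "cluster" if is_cluster_action(c["action"]) else "indices"
            if role_covers(role, c["action"]):
                findings.append("403 for %s although the role grants it: check "
                                "that the user is mapped to the role" % c["action"])
            else:
                findings.append("403 for user %s: grant %s under '%s:' in roles.yml"
                                % (c["user"], c["action"], scope))
    return findings


if __name__ == "__main__":
    for line in diagnose(ROLE_LOGSTASH, SAMPLE_RESPONSES):
        print(line)
```

Run against the constructed responses, the 401 is reported as a credential problem independent of the role, and both 403s are reported as missing cluster privileges: cluster:monitor/health is absent from the posted role, and cluster:monitor/state is a cluster action that the posted role only lists under the logstash-* index pattern, which is exactly the action the _cat/indices 403 above names.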

(Suyog Rao) #7

@robertranjan do you have an "@" symbol in the password for the Shield user?


(Robert Thanulingam) #8

No. I do not.

Actually I did have an "@" symbol; I removed it after reading the thread below, but that didn't help.
https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/232


(Robert Thanulingam) #9

This issue got resolved by re-installing ES2/Shield.

Please go ahead and close this ticket.

Thanks ALL for your help.

