I have the following error in the Logstash log file:
error_message=>"[403] {"error":{"root_cause":[{"type":"security_exception","reason":"action [indices:data/write/bulk] is unauthorized for user [logstash]"}]
That is very odd that the admin role did not allow the user to write into the indices. Do you think you could enable auditing and grab the access denied entry? This should contain more information about the failure to help diagnose it.
{:timestamp=>"2016-04-27T14:25:52.328000+0200", :message=>"[401] {"error":{"root_cause":[{"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_bulk]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}}],"type":"security_exception","reason":"unable to authenticate user [logstash] for REST request [/_bulk]","header":{"WWW-Authenticate":"Basic realm=\"shield\""}},"status":401}", ...
This appears to be a different issue. It appears as though the password may not be correct for the logstash user on this instance of logstash? I am thinking that you should see some authentication failure audit logs for that as well.
This morning the errors reappeared, and they appeared on each instance.
So I tried to change the password of my logstash users on each Elasticsearch instance to be sure to have the same password as the one entered in the Logstash conf file.
And the error still appears.
I tried to restart my Elasticsearch and Logstash instances but nothing changed.
And all I have in my access.log file is access_granted messages...
This is very odd. What versions of logstash and elasticsearch/shield are you using? The logstash user is a file based user (or esusers) correct? If so, can you validate that the user's password is the same on each node and that the roles files are in sync on each node?
It's my fault: the logstash user was not created on some of my two nodes; I had forgotten to recreate it after deleting it. Sorry about that. I will wait until tomorrow to see if no error is returned.
Hopefully it does not return. You may want to consider moving to 2.3 so you can use the users API and avoid dealing with keeping these users in sync manually.
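The per-node check suggested in the thread (is the file-based user present on every node, and do its roles match), as an added example that is not part of any post above. The node names, file contents and the `user:hash` / `role:user1,user2` line formats are assumptions, and the sample data is constructed.

```python
# Constructed sample: contents of the file-realm `users` and `users_roles`
# files as copied from each node (assumed formats, hashes are placeholders).
NODES = {
    "node-1": {
        "users": "admin:$2a$10$PLACEHOLDER1\nlogstash:$2a$10$PLACEHOLDER2\n",
        "users_roles": "admin:admin,logstash\n",
    },
    "node-2": {  # user deleted and never recreated, role mapping left behind
        "users": "admin:$2a$10$PLACEHOLDER3\n",
        "users_roles": "admin:admin,logstash\n",
    },
}

def _entries(text):
    """Yield (key, value) for each non-empty, non-comment `key:value` line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            yield key.strip(), value.strip()

def parse_users(text):
    """Return the set of user names defined in a `users` file."""
    return {name for name, _hash in _entries(text)}

def parse_user_roles(text):
    """Return {user: set(roles)} from a `users_roles` file."""
    roles = {}
    for role, members in _entries(text):
        for member in filter(None, (m.strip() for m in members.split(","))):
            roles.setdefault(member, set()).add(role)
    return roles

def check_user(nodes, user):
    """List the inconsistencies for `user` across all nodes."""
    findings, roles_by_node = [], {}
    for node, files in sorted(nodes.items()):
        if user not in parse_users(files["users"]):
            findings.append(f"{node}: user '{user}' missing from users file")
        node_roles = parse_user_roles(files["users_roles"]).get(user, set())
        roles_by_node[node] = frozenset(node_roles)
    if len(set(roles_by_node.values())) > 1:
        detail = ", ".join(f"{n}={sorted(r)}" for n, r in roles_by_node.items())
        findings.append(f"roles for '{user}' differ: {detail}")
    # Password hashes are not compared: salted hashes differ between nodes
    # even when the same password was set on each of them.
    return findings

if __name__ == "__main__":
    for finding in check_user(NODES, "logstash"):
        print(finding)
```

A node where the user is missing from the `users` file cannot authenticate it, which matches the intermittent 401 on `/_bulk` seen when requests land on that node.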