Trouble with AuthenticationService between es nodes

Elastic Stack Elasticsearch
1

I have two server.
First server:
I fresh install es 5.6.2. with next config:

    cluster.name: rsl-es-clucter
    node.name: es-vm01.siem-node1-master
    path.data: /opt/elasticsearch/es-vm01.siem-node1-master
    network.host: 0.0.0.0
    discovery.zen.ping.unicast.hosts: ["10.63.1.14"]
    bootstrap.memory_lock: true
    bootstrap.system_call_filter: false
    node.master: true
    node.data: false
    node.ingest: true

Second server:
I fresh install es 5.6.2. with next config:

cluster.name: rsl-es-clucter
node.name: es-srv02.siem-node1-data
path.data: /opt/2tb/elasticsearch/es-srv02.siem-node1-data
network.host: 0.0.0.0
bootstrap.memory_lock: true
bootstrap.system_call_filter: false
node.master: false
node.data: true
node.ingest: true

I started es in second server. after then I started es on firs server. And thats work good.
Later I installed x-pack from file on both servers:
/usr/share/elasticsearch/bin/elasticsearch-plugin install file:///tmp/x-pack-5.6.2.zip

And after that I restarted es on second server, and then i restarted es on first server.
After that I open es log on second server:

And first server:

I don't understand why I have problem with [o.e.x.s.a.AuthenticationService] .
Who can help me?

2

Please don't link out to Pastebin services. Just include the relevant log entries in you post.

3

I did, but the limit on the number of characters in one message made me use pastebin
Logs from second server:

[2017-10-04T12:43:07,006][INFO ][o.e.n.Node ] [es-srv02.siem-node1-data] starting ...
[2017-10-04T12:43:07,500][INFO ][o.e.t.TransportService ] [es-srv02.siem-node1-data] publish_address {10.63.1.14:9300}, bound_addresses {0.0.0.0:9300}
[2017-10-04T12:43:07,510][INFO ][o.e.b.BootstrapChecks ] [es-srv02.siem-node1-data] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-10-04T12:43:10,539][WARN ][o.e.d.z.ZenDiscovery ] [es-srv02.siem-node1-data] not enough master nodes discovered during pinging (found [], but needed [-1]), pinging again
[2017-10-04T12:43:30,415][INFO ][o.e.c.s.ClusterService ] [es-srv02.siem-node1-data] detected_master {es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true}, added {{es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true},}, reason: zen-disco-receive(from master [master {es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true} committed version [1]])
[2017-10-04T12:43:30,419][INFO ][o.e.n.Node ] [es-srv02.siem-node1-data] started
[2017-10-04T12:43:31,405][INFO ][o.e.x.m.e.l.LocalExporter] waiting for elected master node [{es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true}] to setup local exporter [default_local] (does it have x-pack installed?)
[2017-10-04T12:43:31,476][INFO ][o.e.x.m.e.l.LocalExporter] waiting for elected master node [{es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true}] to setup local exporter [default_local] (does it have x-pack installed?)
[2017-10-04T12:43:31,531][INFO ][o.e.x.m.e.l.LocalExporter] waiting for elected master node [{es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true}] to setup local exporter [default_local] (does it have x-pack installed?)
[2017-10-04T12:43:31,588][INFO ][o.e.x.m.e.l.LocalExporter] waiting for elected master node [{es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=true}] to setup local exporter [default_local] (does it have x-pack installed?)

Logs from first server:

[2017-10-04T12:43:26,934][INFO ][o.e.n.Node ] [es-vm01.siem-node1-master] starting ...
[2017-10-04T12:43:27,261][INFO ][o.e.t.TransportService ] [es-vm01.siem-node1-master] publish_address {10.63.1.11:9300}, bound_addresses {0.0.0.0:9300}
[2017-10-04T12:43:27,280][INFO ][o.e.b.BootstrapChecks ] [es-vm01.siem-node1-master] bound or publishing to a non-loopback or non-link-local address, enforcing bootstrap checks
[2017-10-04T12:43:30,380][INFO ][o.e.c.s.ClusterService ] [es-vm01.siem-node1-master] new_master {es-vm01.siem-node1-master}{POyMXH9aSm2FHu3d9sSoLw}{H1tZqqE8RsG4z0-JPOBqNw}{10.63.1.11}{10.63.1.11:9300}{ml.max_open_jobs=10, ml.enabled=t
rue}, added {{es-srv02.siem-node1-data}{mmfPZtC4QPmoORpIExxMCQ}{1xIEAD9OQ7iKCKTrKhDkxg}{10.63.1.14}{10.63.1.14:9300}{ml.max_open_jobs=10, ml.enabled=true},}, reason: zen-disco-elected-as-master ([1] nodes joined)[{es-srv02.siem-node1-dat
a}{mmfPZtC4QPmoORpIExxMCQ}{1xIEAD9OQ7iKCKTrKhDkxg}{10.63.1.14}{10.63.1.14:9300}{ml.max_open_jobs=10, ml.enabled=true}]
[2017-10-04T12:43:30,480][INFO ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [es-vm01.siem-node1-master] publish_address {10.63.1.11:9200}, bound_addresses {0.0.0.0:9200}
[2017-10-04T12:43:30,480][INFO ][o.e.n.Node ] [es-vm01.siem-node1-master] started
[2017-10-04T12:43:31,136][INFO ][o.e.m.j.JvmGcMonitorService] [es-vm01.siem-node1-master] [gc][4] overhead, spent [297ms] collecting in the last [1.1s]
[2017-10-04T12:43:31,353][INFO ][o.e.g.GatewayService ] [es-vm01.siem-node1-master] recovered [1] indices into cluster_state
[2017-10-04T12:43:31,441][INFO ][o.e.x.m.MachineLearningTemplateRegistry] [es-vm01.siem-node1-master] successfully created .ml-meta index template
[2017-10-04T12:43:31,501][INFO ][o.e.x.m.MachineLearningTemplateRegistry] [es-vm01.siem-node1-master] successfully created .ml-state index template
[2017-10-04T12:43:31,553][INFO ][o.e.x.m.MachineLearningTemplateRegistry] [es-vm01.siem-node1-master] successfully created .ml-notifications index template
[2017-10-04T12:43:31,700][INFO ][o.e.x.m.MachineLearningTemplateRegistry] [es-vm01.siem-node1-master] successfully created .ml-anomalies- index template
[2017-10-04T12:43:32,278][INFO ][o.e.c.r.a.AllocationService] [es-vm01.siem-node1-master] Cluster health status changed from [RED] to [YELLOW] (reason: [shards started [[.kibana][0]] ...]).
[2017-10-04T12:43:32,542][INFO ][o.e.l.LicenseService ] [es-vm01.siem-node1-master] license [03f49c61-75da-4cc9-8dbf-963af0389a61] mode [trial] - valid
[2017-10-04T12:43:32,708][WARN ][o.e.x.s.a.AuthenticationService] [es-vm01.siem-node1-master] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate u
ser [elastic]]
[2017-10-04T12:43:37,145][INFO ][o.e.c.m.MetaDataCreateIndexService] [es-vm01.siem-node1-master] [.monitoring-es-6-2017.10.04] creating index, cause [auto(bulk api)], templates [.monitoring-es], shards [1]/[1], mappings [doc]
[2017-10-04T12:43:37,462][INFO ][o.e.c.m.MetaDataCreateIndexService] [es-vm01.siem-node1-master] [.watches] creating index, cause [auto(bulk api)], templates [watches], shards [1]/[1], mappings [watch]
[2017-10-04T12:43:37,570][INFO ][o.e.c.m.MetaDataMappingService] [es-vm01.siem-node1-master] [.watches/xOs4JzicSweMQYw5N2UNug] update_mapping [watch]
[2017-10-04T12:43:37,879][WARN ][o.e.x.s.a.AuthenticationService] [es-vm01.siem-node1-master] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate user [elastic]]
[2017-10-04T12:43:43,098][WARN ][o.e.x.s.a.AuthenticationService] [es-vm01.siem-node1-master] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate user [elastic]]
[2017-10-04T12:43:48,320][WARN ][o.e.x.s.a.AuthenticationService] [es-vm01.siem-node1-master] An error occurred while attempting to authenticate [elastic] against realm [reserved] - ElasticsearchSecurityException[failed to authenticate user [elastic]]

4

It looks like you have something that is trying to login to the server using an incorrect password for the elastic user.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.