I'm hoping someone can help, and if so that others who have this issue find this topic in the future.
I desperately need help finalizing the x-pack installation / security.
I followed all the online documentation for 6.2.4 and got ELK installed and working (on Ubuntu Server 18.04) as far as logstash accepting syslog input on port 5514 and beats on 5044, with output going to elasticsearch on 9200. Kibana is also defined in the logstash.yml I believe for dashboards. I was able to see the logstash-* index and sift through logs coming from syslog, filebeat, and winlogbeat. Awesome stuff.
Next up was X-Pack for some security and AD authentication for kibana. Here's where I started to have trouble, in general but also with the documentation and (probably more-so) my overall understanding.
I landed on the usual "installing x-pack" table of contents doc and began trying to install x-pack in the order dictated. The plugin install scripts wouldn't work like they did for other plugins, so I used wget to grab the zip and installed that way.
I was able to run the "setup-passwords interactive" step. This is nearing where it all started to come apart at the seams... I then proceeded to install x-pack for kibana and logstash and update their respective YML files accordingly as explained in these two links:
It's important to note that I noticed #6 of the first link "To verify X-Pack installation, point your web browser at http://localhost:5601/ to open Kibana. You should be prompted to log in. You can use any Elasticsearch user that has the kibana_user role. The built-in kibana user, however, should be used only internally by the Kibana server. For more information, see Built-in Roles." I think: That's OK, I'll verify shortly; I don't have any users yet as I only just installed x-pack, and I don't know how to add users or assign roles to them yet, nor does the link at the end of this #6 explain how that's done. On to #7 installing x-pack for Logstash.
In following the second link I was done fairly quick, but neither #6 for "Configure and start logstash" or the next page link in the bottom right for "X-pack settings in logstash" mentioned needing user => "username" and password => "password" entries in my logstash output (it took several google searches, each more clever than the last to figure that out - sorry, still new to all this).
So I eventually found this page: Configuring Security in Logstash
If I log into kibana using the only user so far, "kibana" as created by "setup-passwords interactive" I don't have permissions to add users or assign roles. Further reading after more google searches explained why and that's ok, (it's a system account not a user or admin account) - so I tried to run the POST commands as provided on this most recent link above.
I needed to install software in order to have the POST command, and it still didn't work. I eventually figured out I could hit Ctrl-D after the text shown to send it, but it just returns that it was a bad URL. I tried to pass localhost:9200 or anything I could think of, to no avail.
Careful reading further down under "Configuring Credentials for Logstash Monitoring" alerted me to the fact that the logstash_system is not what i should have in the output either - that's only for x-pack's monitoring of the logstash service.
So that's where I'm stuck. It appears one should not attempt to use the built-in system users of logstash_system or kibana for anything in "user space", which makes sense. How do I send these POST and PUT commands on my Ubuntu server to create roles and users (and assign them roles) for kibana as well as logstash? The only other place I saw referenced in the docs was within the interface (but again the only / system kibana user doesn't have rights).
Many thanks for hearing me out. I wanted to provide as much info as I could in case it helps others also struggling with the doc or not finding a solution online, or in case it helps future documentation. I think ELK is game-changing and hope to contribute someday in my own small way when I have a better understanding of it!