Unable to modify roles or see logstash indices

Hi all,

I'm hoping someone can help, and if so that others who have this issue find this topic in the future.

I desperately need help finalizing the x-pack installation / security.

I followed all the online documentation for 6.2.4 and got ELK installed and working (on Ubuntu Server 18.04) as far as logstash accepting syslog input on port 5514 and beats on 5044, with output going to elasticsearch on 9200. Kibana is also defined in the logstash.yml I believe for dashboards. I was able to see the logstash-* index and sift through logs coming from syslog, filebeat, and winlogbeat. Awesome stuff.

Next up was X-Pack for some security and AD authentication for kibana. Here's where I started to have trouble, in general but also with the documentation and (probably more so) my overall understanding.

I landed on the usual "installing x-pack" table of contents doc and began trying to install x-pack in the order dictated. The plugin install scripts wouldn't work like they did for other plugins, so I used wget to grab the zip and installed that way.

I was able to run the "setup-passwords interactive" step. This is nearing where it all started to come apart at the seams... I then proceeded to install x-pack for kibana and logstash and update their respective YML files accordingly as explained in these two links:

Installing X-Pack in Kibana
Installing X-Pack in Logstash

It's important to note that I noticed #6 of the first link "To verify X-Pack installation, point your web browser at http://localhost:5601/ to open Kibana. You should be prompted to log in. You can use any Elasticsearch user that has the kibana_user role. The built-in kibana user, however, should be used only internally by the Kibana server. For more information, see Built-in Roles." I think: That's OK, I'll verify shortly; I don't have any users yet as I only just installed x-pack, and I don't know how to add users or assign roles to them yet, nor does the link at the end of this #6 explain how that's done. On to #7 installing x-pack for Logstash.

In following the second link I was done fairly quickly, but neither #6 for "Configure and start logstash" nor the next page link in the bottom right for "X-pack settings in logstash" mentioned needing user => "username" and password => "password" entries in my logstash output (it took several Google searches, each more clever than the last to figure that out - sorry, still new to all this).

So I eventually found this page: Configuring Security in Logstash

If I log into kibana using the only user so far, "kibana" as created by "setup-passwords interactive", I don't have permissions to add users or assign roles. Further reading after more Google searches explained why and that's OK (it's a system account, not a user or admin account) - so I tried to run the POST commands as provided on this most recent link above.

I needed to install software in order to have the POST command, and it still didn't work. I eventually figured out I could hit Ctrl-D after the text shown to send it, but it just returns that it was a bad URL. I tried to pass localhost:9200 or anything I could think of, to no avail.

Careful reading further down under "Configuring Credentials for Logstash Monitoring" alerted me to the fact that the logstash_system is not what I should have in the output either - that's only for x-pack's monitoring of the logstash service.

So that's where I'm stuck. It appears one should not attempt to use the built-in system users of logstash_system or kibana for anything in "user space", which makes sense. How do I send these POST and PUT commands on my Ubuntu server to create roles and users (and assign them roles) for kibana as well as logstash? The only other place I saw referenced in the docs was within the interface (but again the only / system kibana user doesn't have rights).

Many thanks for hearing me out. I wanted to provide as much info as I could in case it helps others also struggling with the doc or not finding a solution online, or in case it helps future documentation. I think ELK is game-changing and hope to contribute someday in my own small way when I have a better understanding of it!

Quick follow-up question: Once I can create a kibana user and logstash user, do their usernames/passwords need to be defined (in plain text?) in every filebeat.yml and winlogbeat.yml on each client sending logs? My guess is not the logstash one seeing as that will be defined in the logstash.yml on the server accepting the beats, but probably the kibana one for dashboards? Thanks again!

Alright party people. Looks like you can use curl to send the post commands; however, why bother? Digging through the following link:

Built-in Users

I found this all-important line about half-way down: You must supply the elastic user and its bootstrap password to log into Kibana or run the API. (bold added for emphasis). Turns out you can ignore having to use curl and type a bunch of long (albeit not overly complicated) commands and simply use the elastic user you've already created a password for to log into Kibana and create the logstash_writer role/permissions and corresponding logstash_internal user with said role.

For the follow-up question, now that I have it all working, it looks like I do not need any plain-text passwords on the clients!

I hope this helps someone in the future. Cheers.
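For readers who do want the API route mentioned above, here is an added example (not part of the original posts) that sends the two requests with curl as the elastic user. The "POST" lines in the documentation are Kibana Console request syntax rather than a shell command, which is why a standalone POST program rejects them. The role privileges follow the Logstash security documentation the thread refers to; `ES_URL`, `ES_APPLY`, `LOGSTASH_INTERNAL_PW` and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: create the logstash_writer role and logstash_internal user
# through the 6.x X-Pack security API. Nothing is sent unless ES_APPLY=1.
ES_URL="${ES_URL:-http://localhost:9200}"   # assumption: local node, as in the thread

# JSON body for the role: write access limited to the logstash-* indices.
role_body() {
  cat <<'EOF'
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    { "names": ["logstash-*"],
      "privileges": ["write", "delete", "create_index"] }
  ]
}
EOF
}

# JSON body for the user; $1 is the new password (backslash and quote escaped).
user_body() {
  pw=$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{ "password": "%s", "roles": ["logstash_writer"], "full_name": "Internal Logstash User" }\n' "$pw"
}

# Endpoint for a security object: $1 = role|user, $2 = object name.
security_url() {
  printf '%s/_xpack/security/%s/%s\n' "$ES_URL" "$1" "$2"
}

# POST stdin as JSON. "-u elastic" with no password makes curl prompt for it,
# and reading the body from stdin keeps the new password off the command line.
es_post() {
  curl -sS -u elastic -H 'Content-Type: application/json' \
       -X POST "$1" --data-binary @-
}

# Create the role first, then the user that references it.
apply() {
  role_body | es_post "$(security_url role logstash_writer)"
  user_body "$LOGSTASH_INTERNAL_PW" | es_post "$(security_url user logstash_internal)"
}

if [ "${ES_APPLY:-0}" = 1 ]; then apply; fi
```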

Fantastic! Thank you so much for posting such a detailed question and for sharing the solution. I'm so glad you were able to work things out.

Best,
CJ


My pleasure - thanks for an incredible open source project! I'm a big believer in teamwork.

Quick correction on the plain-text password on the clients - I DO need the following in any filebeat.yml and/or winlogbeat.yml as appropriate, under "setup.kibana" for dashboards:

username: "kibana_dashboard_user"
password: "k!banaD@$#"

(beware the spacing as always in YAML files!). The above is a user I created in Kibana and assigned the "kibana_user" role. FYI Cheers
