Unable to update ui setting request failed with status code: 429

Hello guys,

The Scenario:

I have 4 dockers, Elasticsearch, kibana, filebeat, dvwa.
So basically, I should attack dvwa and see the apache logs on kibana dashboard.

I use Ubuntu Server 20.4 to set up Docker on it, and it's a virtual machine on vbox.
For the attacking, I use Kali Linux.

What happened before the problem:

After I set up the Ubuntu server on VirtualBox (vbox),
I used a similar installation script, but with some more apt update and docker installation commands, and everything was working fine: I could access my Elasticsearch and I could see the Access and error logs ECS - Filebeat Apache module dashboard.

Then I used this removing script:

#!/usr/bin/env bash
set -e

echo -e "\e[34m {+} Stop and remove all containers \e[0m"
docker stop elasticsearch kibana dvwa filebeat
docker rm elasticsearch kibana dvwa filebeat


echo -e "\e[34m {+} Remove all images \e[0m"
docker image rm vulnerables/web-dvwa docker.elastic.co/beats/filebeat:7.15.2 docker.elastic.co/kibana/kibana:7.15.2 docker.elastic.co/elasticsearch/elasticsearch:7.15.2 -f

echo -e "\e[36m The End\e[0m"

After the removal, I powered off the VM and started it again, and I used the next installation script.

The installation:

I used this script to install the images and start the containers and link everything and configure it.

NOTE: The configuration file (filebeat.yml) used in the "configure the Filebeat" step is already on the system, so it's not missing.

echo -e "\e[34m {+} Wait for 3 minutes\e[0m"
sleep 180

echo -e "\e[34m {+} Start Filebeat and connect it with Kibana\e[0m"
docker run -it \
--link elasticsearch --link kibana \
docker.elastic.co/beats/filebeat:7.15.2 \
setup -E setup.kibana.host=kibana:5601 \
-E output.elasticsearch.hosts=["elasticsearch:9200"]

echo -e "\e[34m {+} Wait for 3 minutes\e[0m"
sleep 180

echo -e "\e[34m {+} Configure the Filebeat with the filebeat.yml file\e[0m"
docker run -d \
  --link elasticsearch --link kibana \
  --name=filebeat \
  --user=root \
  --volume="$(pwd)/filebeat.docker.yml:/usr/share/filebeat/filebeat.yml:ro" \
  --volume="/var/lib/docker/containers:/var/lib/docker/containers:ro" \
  --volume="/var/run/docker.sock:/var/run/docker.sock:ro" \
  docker.elastic.co/beats/filebeat:7.15.2 filebeat -e -strict.perms=false \
  -E output.elasticsearch.hosts=["elasticsearch:9200"]
  
echo -e "\e[34m {+} Wait for 3 minutes\e[0m"
sleep 180

echo -e "\e[34m {+} Customize the configuration and start DVWA docker\e[0m"
docker run \
  --label co.elastic.logs/module=apache2 \
  --label co.elastic.logs/fileset.stdout=access \
  --label co.elastic.logs/fileset.stderr=error \
  --label co.elastic.metrics/module=apache \
  --label co.elastic.metrics/metricsets=status \
  --label co.elastic.metrics/hosts='${data.host}:${data.port}' \
  --detach=true \
  --name dvwa \
  -p 80:80 \
  vulnerables/web-dvwa

echo -e "\e[34m {+} Check the running containers\e[0m"
docker ps

echo -e "\e[36m The End\e[0m"

After this, I can see the Overview under Security and I can see the events there,
but when I try to go to "Access and error logs ECS - Filebeat Apache module dashboard."
All I see is 'Error' all around and
'Unable to update UI Settings
Request failed with status code: 429'

What I tried to do?

I already know that code 429 should be something related to the disk usage exceeded flood-stage watermark, index has read-only-allow-delete block, but I didn't see this error.
Also, I tried to check the cluster and everything, and it is not really that obvious which one I should delete or what I should do exactly.

I hope you can help me guys and I hope I made this as clear as possible.
Thanks.

Welcome to our community! :smiley: We aren't all guys though :slight_smile:

What does a request to the Elasticsearch IP on port 9200 show you?

Sorry, I didn't understand what you mean.
Can you please explain more?

Can you curl elasticsearch-IP-or-hostname:9200?

Hi,
Thanks for explaining.

These are the results when I curl Elasticsearch:9200

{
  "name" : "f160eca8736b",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "x9oLAF4YTQiUp3iieH5d8A",
  "version" : {
    "number" : "7.15.2",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "93d5a7f6192e8a1a12e154a2b81bf6fa7309da0c",
    "build_date" : "2021-11-04T14:04:42.515624022Z",
    "build_snapshot" : false,
    "lucene_version" : "8.9.0",
    "minimum_wire_compatibility_version" : "6.8.0",
    "minimum_index_compatibility_version" : "6.0.0-beta1"
  },
  "tagline" : "You Know, for Search"
}

Ok, a 429 usually means you are overloading Elasticsearch.

Is there anything in the Elasticsearch logs at the time of this Kibana issue?
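
The log check asked for above, as an added example that is not part of the thread: a POSIX shell function that sorts Elasticsearch log lines into three server-side conditions that Elasticsearch answers with a 429 (flood-stage disk block, thread-pool rejection, circuit breaker) and names the API to look at next. The function names, the node name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: count Elasticsearch log lines per likely cause of an HTTP 429.

# Constructed sample log (timestamps, node name and paths are made up).
sample_log() {
cat <<'EOF'
[2021-11-20T10:01:02,123][WARN ][o.e.c.r.a.DiskThresholdMonitor] [node-1] flood stage disk watermark [95%] exceeded on [abc][node-1][/usr/share/elasticsearch/data] free: 1.1gb[3.9%], all indices on this node will be marked read-only
[2021-11-20T10:01:05,456][WARN ][r.suppressed] [node-1] ClusterBlockException: index [.kibana_1] blocked by: [TOO_MANY_REQUESTS/12/disk usage exceeded flood-stage watermark, index has read-only-allow-delete block];
[2021-11-20T10:02:00,001][INFO ][o.e.c.m.MetadataCreateIndexService] [node-1] [filebeat-7.15.2] creating index
[2021-11-20T10:03:10,789][DEBUG][o.e.a.b.TransportShardBulkAction] [node-1] EsRejectedExecutionException: rejected execution of coordinating operation
EOF
}

# Reads log text on stdin and prints one line per cause that was seen:
#   <cause> <matching-line-count> check: <API to query next>
triage_429() {
  awk '
    BEGIN {
      hint["disk_flood_stage"]     = "GET _cat/allocation?v"
      hint["threadpool_rejection"] = "GET _cat/thread_pool?v&h=name,active,queue,rejected"
      hint["circuit_breaker"]      = "GET _nodes/stats/breaker"
    }
    # Disk at flood stage: indices get the read-only-allow-delete block.
    /flood stage disk watermark|read-only-allow-delete/            { n["disk_flood_stage"]++ }
    # A thread pool queue was full and the request was rejected.
    /EsRejectedExecutionException|es_rejected_execution_exception/ { n["threadpool_rejection"]++ }
    # A memory circuit breaker tripped.
    /CircuitBreakingException|circuit_breaking_exception/          { n["circuit_breaker"]++ }
    END { for (c in n) printf "%s %d check: %s\n", c, n[c], hint[c] }
  ' | sort
}

# Stand-alone run against the constructed sample.
sample_log | triage_429
```

On the setup described in this thread, real logs can be piped in with `docker logs elasticsearch 2>&1 | triage_429`.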
