User credentials cannot be used for local connections

Adriann · September 7, 2020, 10:04am

Hello,

I want to use WMI logstash plugin to download information from hosts. I have logstash 7.9.0 installed on Windows 2019 Terminal Server.

When I use below config

input {
  wmi {
    query => "win32_bios"
    host => "ip"
    user => "domain\user"
    password => "password"
  }
}


output {
 file {
   path => "C:/logstash-7.9.0/test.log"
 }
}

I got bellow error.

[2020-09-07T11:47:52,064][INFO ][logstash.inputs.wmi      ][main] Registering wmi input {:query=>"win32_bios"}
[2020-09-07T11:47:52,634][DEBUG][logstash.outputs.file    ][main] Starting flush cycle
[2020-09-07T11:47:52,650][DEBUG][logstash.instrument.periodicpoller.cgroup] One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu
[2020-09-07T11:47:53,066][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ParNew"}
[2020-09-07T11:47:53,066][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ConcurrentMarkSweep"}
[2020-09-07T11:47:54,675][DEBUG][logstash.outputs.file    ][main] Starting flush cycle
[2020-09-07T11:47:56,690][DEBUG][logstash.outputs.file    ][main] Starting flush cycle
[2020-09-07T11:47:57,691][DEBUG][logstash.instrument.periodicpoller.cgroup] One or more required cgroup files or directories not found: /proc/self/cgroup, /sys/fs/cgroup/cpuacct, /sys/fs/cgroup/cpu
[2020-09-07T11:47:57,808][DEBUG][logstash.javapipeline    ][main] Shutdown waiting for worker thread {:pipeline_id=>"main", :thread=>"#<Thread:0x1cb38770 run>"}
[2020-09-07T11:47:57,921][DEBUG][logstash.javapipeline    ][main] Shutdown waiting for worker thread {:pipeline_id=>"main", :thread=>"#<Thread:0x51a1442e sleep>"}
[2020-09-07T11:47:57,921][DEBUG][logstash.javapipeline    ][main] Shutdown waiting for worker thread {:pipeline_id=>"main", :thread=>"#<Thread:0x32322d1a dead>"}
[2020-09-07T11:47:57,921][DEBUG][logstash.javapipeline    ][main] Shutdown waiting for worker thread {:pipeline_id=>"main", :thread=>"#<Thread:0x39b9db84 dead>"}
[2020-09-07T11:47:57,937][DEBUG][logstash.outputs.file    ][main] Closing {:plugin=>"LogStash::Outputs::File"}
[2020-09-07T11:47:58,082][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ParNew"}
[2020-09-07T11:47:58,082][DEBUG][logstash.instrument.periodicpoller.jvm] collector name {:name=>"ConcurrentMarkSweep"}
[2020-09-07T11:47:58,695][DEBUG][logstash.outputs.file    ][main] Close: closing files
[2020-09-07T11:47:58,701][DEBUG][logstash.pluginmetadata  ][main] Removing metadata for plugin 18a58fb26a71ee4057843a81c0a971abf3cdb3e8be94ea96c9cd8782c4912f3f
[2020-09-07T11:47:58,706][DEBUG][logstash.javapipeline    ][main] Pipeline terminated by worker error {:pipeline_id=>"main", :exception=>org.racob.com.ComFailException: Invoke of: ConnectServer
Source: SWbemLocator
Description: User credentials cannot be used for local connections
, :backtrace=>["org.racob.com.Dispatch.invokev(Native Method)", "org.racob.com.Dispatch.invokev(Dispatch.java:243)", "org.racob.com.Dispatch.callN(Dispatch.java:187)", "org.jruby.ext.win32ole.RubyWIN32OLE.invokeMethodOrGet(RubyWIN32OLE.java:205)", "org.jruby.ext.win32ole.RubyWIN32OLE.method_missing(RubyWIN32OLE.java:113)", "org.jruby.ext.win32ole.RubyWIN32OLE$INVOKER$i$0$0$method_missing.call(RubyWIN32OLE$INVOKER$i$0$0$method_missing.gen)", "org.jruby.internal.runtime.methods.JavaMethod$JavaMethodN.call(JavaMethod.java:837)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:205)", "C_3a_.logstash_minus_7_dot_9_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_wmi_minus_3_dot_0_dot_4_minus_java.lib.logstash.inputs.wmi.RUBY$method$register$0(C:/logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-wmi-3.0.4-java/lib/logstash/inputs/wmi.rb:65)", "C_3a_.logstash_minus_7_dot_9_dot_0.vendor.bundle.jruby.$2_dot_5_dot_0.gems.logstash_minus_input_minus_wmi_minus_3_dot_0_dot_4_minus_java.lib.logstash.inputs.wmi.RUBY$method$register$0$__VARARGS__(C:/logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-wmi-3.0.4-java/lib/logstash/inputs/wmi.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$block$register_plugins$1(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:226)", "org.jruby.runtime.CompiledIRBlockBody.yieldDirect(CompiledIRBlockBody.java:148)", "org.jruby.runtime.BlockBody.yield(BlockBody.java:106)", "org.jruby.runtime.Block.yield(Block.java:184)", "org.jruby.RubyArray.each(RubyArray.java:1809)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$register_plugins$0(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:225)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$register_plugins$0$__VARARGS__(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_inputs$0(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:359)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_inputs$0$__VARARGS__(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_workers$0(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:309)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$start_workers$0$__VARARGS__(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$run$0(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:183)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$method$run$0$__VARARGS__(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb)", "org.jruby.internal.runtime.methods.CompiledIRMethod.call(CompiledIRMethod.java:82)", "org.jruby.internal.runtime.methods.MixedModeIRMethod.call(MixedModeIRMethod.java:70)", "org.jruby.ir.targets.InvokeSite.invoke(InvokeSite.java:207)", "C_3a_.logstash_minus_7_dot_9_dot_0.logstash_minus_core.lib.logstash.java_pipeline.RUBY$block$start$1(C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:134)", "org.jruby.runtime.CompiledIRBlockBody.callDirect(CompiledIRBlockBody.java:138)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:58)", "org.jruby.runtime.IRBlockBody.call(IRBlockBody.java:52)", "org.jruby.runtime.Block.call(Block.java:139)", "org.jruby.RubyProc.call(RubyProc.java:318)", "org.jruby.internal.runtime.RubyRunnable.run(RubyRunnable.java:105)", "java.lang.Thread.run(Thread.java:748)"], "pipeline.sources"=>["C:/logstash-7.9.0/config/conf/WindowsWMI.conf"], :thread=>"#<Thread:0x121bd546 run>"}
[2020-09-07T11:47:58,751][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2020-09-07T11:47:58,814][DEBUG][logstash.agent           ] Starting puma
[2020-09-07T11:47:58,814][DEBUG][logstash.instrument.periodicpoller.os] Stopping

In the log stack, I can read "User credentials cannot be used for local connections"

Which is strange because it is not a local connection.
When I use bellow PowerShell command with the same command, query, host, and credentials. I get a response with data.

Why in the logs logstash thinks that It's a "local connection"?

Adriann · September 7, 2020, 1:36pm

I think this "undefined method" is the troublemaker.

[2020-09-07T16:09:26,395][DEBUG][logstash.javapipeline    ][main] Pipeline terminated by worker error {:pipeline_id=>"main", :exception=>#<NoMethodError: undefined method `value' for nil:NilClass>, :backtrace=>["C:/logstash-7.9.0/vendor/bundle/jruby/2.5.0/gems/logstash-input-wmi-3.0.4-java/lib/logstash/inputs/wmi.rb:65:in `register'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:226:in `block in register_plugins'", "org/jruby/RubyArray.java:1809:in `each'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:225:in `register_plugins'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:359:in `start_inputs'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:309:in `start_workers'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:183:in `run'", "C:/logstash-7.9.0/logstash-core/lib/logstash/java_pipeline.rb:134:in `block in start'"], "pipeline.sources"=>["C:/logstash-7.9.0/config/conf/WindowsWMI.conf"], :thread=>"#<Thread:0x28d01125 run>"}
[2020-09-07T16:09:26,511][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}

Adriann · September 13, 2020, 5:44pm

I have made the github issue.

system · October 11, 2020, 5:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.