I am trying to figure out why a native user is getting a 401 from a remote server. I have configured Filebeat to authenticate via native (the only realm I have set up), and I've created the user with a custom role (as shown below). When I try to run Filebeat on the remote server, it returns a 401 with the following errors logged in Elasticsearch:
[2017-10-26T07:54:19,831][DEBUG][o.e.x.s.a.e.ReservedRealm] [EMCTS499] user [cpe_filebeat] not found in cache for realm [reserved], proceeding with normal authentication
[2017-10-26T07:54:19,831][DEBUG][o.e.x.s.a.e.NativeRealm ] [EMCTS499] user [cpe_filebeat] not found in cache for realm [native1], proceeding with normal authentication
[2017-10-26T07:54:19,837][DEBUG][r.suppressed ] path: /, params: {}
org.elasticsearch.ElasticsearchSecurityException: unable to authenticate user [cpe_filebeat] for REST request [/]
However, if I make a call to the API from the host, it works without any errors. This is what I used to create the role (I use Postman, since it's hosted on a Windows box):
POST {{ES}}/_xpack/security/role/cpe_filebeat_writer
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": ["httpderrorlog-test-*", "httplog-test-*"],
      "privileges": ["read", "write", "create_index"]
    }
  ]
}
And this is the user I created:
POST {{ES}}/_xpack/security/user/cpe-filebeat
{
  "password" : "redacted",
  "roles" : "cpe_filebeat_writer",
  "full_name" : "Indexing Test Account",
  "enabled" : true
}
Here's the X-Pack config from elasticsearch.yml:
xpack.security.enabled: true
xpack.security.http.filter.enabled: true
xpack.security.http.filter.allow: [ "IP ranges go here" ]
xpack.security.http.filter.deny: _all
xpack.security.transport.filter.enabled: true
xpack.security.transport.filter.allow: "IP range goes here"
xpack.security.transport.filter.deny: _all
xpack.security.authc.realms:
  native1:
    type: native
    order: 0
And here's the filebeat.yml config that's running on the remote server:
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/httpd/error_log
- input_type: log
  paths:
    - /usr/local/redacted/logs/HttpLog
  include_lines: ["Response"]
output.elasticsearch:
  hosts: ["IP with HTTP port goes here"]
  protocol: "http"
  username: "cpe_filebeat"
  password: "redacted"
  index: "httpderrorlog-test-%{+yyyy.MM.dd}"
  indices:
    - index: "httplog-test-%{+yyyy.MM.dd}"
      when.contains:
        message: "Response"
What am I missing?
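An added consistency check for a setup like the one in the question (example code, not part of the original post and not Elastic's own tooling): it re-types the posted role call, user call and Filebeat output section as Python data and cross-checks the identifiers offline, before any request reaches the cluster. The host value is a placeholder because the question elides it, and the index-pattern check substitutes a fixed date for Filebeat's `%{+yyyy.MM.dd}` expression so the names can be glob-matched against the role's `names` patterns. The findings it reports are: the exact username Filebeat will send versus the name in the user-API path (native-realm lookups are case- and character-exact), the shape of `roles` (the User API documents it as an array), whether each named role was actually created, whether every target index falls under a role pattern, and whether Basic credentials will cross the wire over plain HTTP.

```python
"""Offline cross-check of an X-Pack native user/role setup against a Filebeat
output config.  All data below is a constructed re-typing of the question's
snippets; the host is an assumed placeholder."""
import difflib
import fnmatch
import re

# Constructed: (API path, request body) for each security API call in the question.
ROLE_CALLS = [
    ("/_xpack/security/role/cpe_filebeat_writer", {
        "cluster": ["manage_index_templates", "monitor"],
        "indices": [{"names": ["httpderrorlog-test-*", "httplog-test-*"],
                     "privileges": ["read", "write", "create_index"]}],
    }),
]
USER_CALLS = [
    ("/_xpack/security/user/cpe-filebeat", {
        "password": "redacted",
        "roles": "cpe_filebeat_writer",      # as posted: a bare string
        "full_name": "Indexing Test Account",
        "enabled": True,
    }),
]
# Constructed: the output.elasticsearch section of the posted filebeat.yml.
FILEBEAT_OUTPUT = {
    "hosts": ["192.0.2.10:9200"],            # placeholder; the question elides the host
    "protocol": "http",
    "username": "cpe_filebeat",
    "password": "redacted",
    "index": "httpderrorlog-test-%{+yyyy.MM.dd}",
    "indices": [{"index": "httplog-test-%{+yyyy.MM.dd}",
                 "when.contains": {"message": "Response"}}],
}


def name_from_path(path):
    """The user or role name is the last segment of the security API path."""
    return path.rstrip("/").rsplit("/", 1)[-1]


def static_index(template):
    """Replace Filebeat %{...} time expressions with a fixed sample date so the
    resulting index name can be glob-matched against role patterns."""
    return re.sub(r"%\{[^}]*\}", "2017.10.26", template)


def check_user_setup(role_calls, user_calls, fb_output):
    """Return a list of (severity, message) findings; empty means consistent."""
    findings = []
    roles_defined = {name_from_path(p): body for p, body in role_calls}
    users_defined = {name_from_path(p): body for p, body in user_calls}
    fb_user = fb_output["username"]

    # 1. The username Filebeat sends must match a created native user exactly.
    if fb_user in users_defined:
        users_to_check = [users_defined[fb_user]]
    else:
        hint = difflib.get_close_matches(fb_user, list(users_defined), n=1)
        findings.append(("error", f"filebeat username {fb_user!r} matches no created user"
                         + (f"; closest is {hint[0]!r}" if hint else "")))
        users_to_check = list(users_defined.values())   # still inspect what exists

    granted = []
    for user in users_to_check:
        roles = user.get("roles")
        # 2. The User API documents 'roles' as an array; a bare string is not that shape.
        if not isinstance(roles, list):
            findings.append(("error", f"'roles' should be an array, got {type(roles).__name__}: {roles!r}"))
            roles = [roles]
        # 3. Every role the user names must actually have been created.
        for r in roles:
            if r in roles_defined:
                granted.append(r)
            else:
                findings.append(("error", f"role {r!r} was never created"))

    # 4. Every index Filebeat writes to must fall under a pattern of a granted role.
    patterns = [n for r in granted for ind in roles_defined[r]["indices"] for n in ind["names"]]
    targets = [fb_output["index"]] + [i["index"] for i in fb_output.get("indices", [])]
    for t in targets:
        if not any(fnmatch.fnmatchcase(static_index(t), p) for p in patterns):
            findings.append(("error", f"index {t!r} is not covered by any granted role pattern"))

    # 5. Basic auth over plain HTTP puts the password on the wire unencrypted.
    if fb_output.get("protocol", "http") != "https":
        findings.append(("warn", "output protocol is not https; credentials cross the network in the clear"))
    return findings


if __name__ == "__main__":
    for severity, message in check_user_setup(ROLE_CALLS, USER_CALLS, FILEBEAT_OUTPUT):
        print(f"[{severity}] {message}")
```

Run against the data as posted, the check reports the username and `roles` shape findings plus the plain-HTTP warning; with the username aligned, `roles` given as a list and `protocol: "https"`, it returns no findings. The same function can be pointed at any other role/user/output triple by swapping the constructed dictionaries.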