X-pack questions on installation

I used systemd to restart Elasticsearch and here is the next step to configure user passwords:

root@oc-elk:/usr/share/elasticsearch# bin/x-pack/setup-passwords interactive

Connection failure to: failed: Connection refused (Connection refused)

ERROR: Failed to connect to elasticsearch at Is the URL correct and elasticsearch running?

You should not run Elasticsearch as root. We have an explicit bootstrap check for this reason as you already found out.

This is the suggested way to start Elasticsearch.

You first try to access it on localhost and then on, is this really where Elasticsearch is listening?
This either means that something is blocking access to port 9200 or that Elasticsearch is not running. You should check to see if Elasticsearch started correctly by looking at the logs. You can either check journal entries for errors

sudo journalctl --unit elasticsearch

and/or check your logs at /var/log/Elasticsearch.log for indications of what might have gone wrong.

Also, when you run

sudo netstat -nlp | grep 9200


ps aux | grep elasticsearch

what do you get?

Finally, you can show us your elasticsearch.yml file so that we can see how you have configured Elasticsearch.

root@oc-elk:/usr/share/elasticsearch# curl -X GET ""
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

elk_user@oc-elk:~$ sudo journalctl --unit elasticsearch
-- Logs begin at Wed 2018-05-02 13:16:07 EDT, end at Thu 2018-05-03 09:32:31 EDT. --
May 02 13:16:09 oc-elk systemd[1]: Started Elasticsearch.
May 03 08:58:04 oc-elk systemd[1]: Stopping Elasticsearch...
May 03 08:58:12 oc-elk systemd[1]: Stopped Elasticsearch.
May 03 08:58:12 oc-elk systemd[1]: Started Elasticsearch.

elk_user@oc-elk:~$ sudo netstat -nlp | grep 9200
tcp6 0 0 :::* LISTEN 43514/java

elk_user@oc-elk:~$ ps aux | grep elasticsearch
elastic+ 43514 63.6 74.9 101618332 6122332 ? Ssl 08:58 22:31 /usr/bin/java -Xms4g -Xmx4g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch.uNTeC9yy -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/var/log/elasticsearch/gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=32 -XX:GCLogFileSize=64m -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
elastic+ 43597 0.0 0.0 135640 7156 ? Sl 08:58 0:00 /usr/share/elasticsearch/plugins/x-pack/x-pack-ml/platform/linux-x86_64/bin/controller
elk_user 43902 0.0 0.0 14220 960 pts/0 R+ 09:33 0:00 grep --color=auto elasticsearch

elk_user@oc-elk:~$ sudo cat /etc/elasticsearch/elasticsearch.yml

# ======================== Elasticsearch Configuration =========================
#
# NOTE: Elasticsearch comes with reasonable defaults for most settings.
#       Before you set out to tweak and tune the configuration, make sure you
#       understand what are you trying to accomplish and the consequences.
#
# The primary way of configuring a node is via this file. This template lists
# the most important settings you may want to configure for a production cluster.
#
# Please consult the documentation for further information on configuration options:
#
# ---------------------------------- Cluster -----------------------------------
#
# Use a descriptive name for your cluster:
#
cluster.name: ocs-elk-cluster
#
# ------------------------------------ Node ------------------------------------
#
# Use a descriptive name for the node:
#
node.name: oc-elk
#
# Add custom attributes to the node:
#
#node.attr.rack: r1
#
# ----------------------------------- Paths ------------------------------------
#
# Path to directory where to store the data (separate multiple locations by comma):
#
path.data: /var/lib/elasticsearch
#
# Path to log files:
#
path.logs: /var/log/elasticsearch
#
# ----------------------------------- Memory -----------------------------------
#
# Lock the memory on startup:
#
#bootstrap.memory_lock: true
#
# Make sure that the heap size is set to about half the memory available
# on the system and that the owner of the process is allowed to use this
#
# Elasticsearch performs poorly when the system is swapping the memory.
#
# ---------------------------------- Network -----------------------------------
#
# Set the bind address to a specific IP (IPv4 or IPv6):
#
# Set a custom port for HTTP:
#
#http.port: 9200
#
# For more information, consult the network module documentation.
#
# --------------------------------- Discovery ----------------------------------
#
# Pass an initial list of hosts to perform discovery when new node is started:
# The default list of hosts is ["", "[::1]"]
#
#discovery.zen.ping.unicast.hosts: ["host1", "host2"]
#
# Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):
#
# For more information, consult the zen discovery module documentation.
#
# ---------------------------------- Gateway -----------------------------------
#
# Block initial recovery after a full cluster restart until N nodes are started:
#
#gateway.recover_after_nodes: 3
#
# For more information, consult the gateway module documentation.
#
# ---------------------------------- Various -----------------------------------
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true

Thanks again for all the help.


and this

cannot be both happening at the same time...

Can you please run

bin/x-pack/setup-passwords interactive -v

and share the output?

root@oc-elk:/usr/share/elasticsearch# bin/x-pack/setup-passwords interactive -v
Running with configuration path: /etc/elasticsearch

Testing if bootstrap password is valid for
{
  "error" : {
    "root_cause" : [
      {
        "type" : "security_exception",
        "reason" : "failed to authenticate user [elastic]",
        "header" : {
          "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
        }
      }
    ],
    "type" : "security_exception",
    "reason" : "failed to authenticate user [elastic]",
    "header" : {
      "WWW-Authenticate" : "Basic realm=\"security\" charset=\"UTF-8\""
    }
  },
  "status" : 401
}

Failed to authenticate user 'elastic' against
Possible causes include:

  • The password for the 'elastic' user has already been changed on this cluster
  • Your elasticsearch node is running against a different keystore
    This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

ERROR: Failed to verify bootstrap password

This would indicate that you have already run the setup-passwords command once successfully and set the password for the elastic user. Can this be the case?

If you have set the password but don't remember what it is, you can do a "password reset" reading through the instructions and information in the seminal post from @TimV

Yes, I believe this is the case - that I have already run the setup-passwords command. I have set the password and do have it.

Ok, then you don't need to run setup-passwords again. You have successfully installed X-Pack and you have set the passwords for your internal users, so you're good to go. To make authenticated requests to Elasticsearch you need to pass the -u parameter in curl, i.e.

 curl -X GET -u elastic ""

and enter the password you set once you are prompted.

elk_user@oc-elk:~$ curl -X GET -u elastic ""
Enter host password for user 'elastic':
{
  "name" : "oc-elk",
  "cluster_name" : "ocs-elk-cluster",
  "cluster_uuid" : "He1zkCcOSnK5UlyqVr01LA",
  "version" : {
    "number" : "6.2.4",
    "build_hash" : "ccec39f",
    "build_date" : "2018-04-12T20:37:28.497551Z",
    "build_snapshot" : false,
    "lucene_version" : "7.2.1",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}

Awesome. Then I take it that your issues have been resolved and your questions regarding the installation of X-Pack have been answered!

Thank you very much for all your time and assistance... This is a great resource.


I have successfully installed X-Pack on Elasticsearch, Kibana, and Logstash. I did not complete the TLS installation section. Is the TLS section necessary on a single-node deployment?

I have a trial license until June 2. The Kibana console shows this trial license to be active. I cannot get the status from the command line:

root@oc-elk:~# GET _xpack/license/trial_status
Can't connect to _xpack:80

Temporary failure in name resolution at /usr/share/perl5/LWP/Protocol/http.pm line 47.

No, not while you're on a trial license or if you choose to continue with a license that doesn't enable X-Pack security.

The example from which you copy-pasted that is meant as an instruction to be run via Kibana's dev console and not in your Linux shell. In many Linux distributions GET (as in /usr/bin/GET) is a symbolic link to lwp-request and this is what throws this error.

You either need to copy-paste this command into your Kibana dev console or click on "Copy as curl", which will put

curl -X GET "localhost:9200/_xpack/license/trial_status"

(adjust localhost to your IP Address)

Good morning - thanks for the update... here is the result:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_xpack/license/trial_status]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_xpack/license/trial_status]","header":{"WWW-Authenticate":"Basic realm=\"security\" charset=\"UTF-8\""}},"status":401}

As we discussed above, now that you have X-Pack security enabled you need to make authenticated calls with curl, so you need to pass the -u elastic parameter.

To be clear: there is nothing wrong with your installation, and there is no need to report here that the command will succeed. As you have already seen via Kibana, the trial license is valid until June 2; you just want to access the same information directly from the Elasticsearch API. The response will be the same.

Thank you for the clarification - here is the corrected result - I only want to ensure the licensing is correct - we will most likely purchase a license for this product very soon once I can get the PoC up.

root@oc-elk:/usr/share/elasticsearch# curl -X GET -u elastic ""
Enter host password for user 'elastic':

You get only this result because _xpack/license/trial_status is the trial status API. If you want more details, you should query the Get license API at _xpack/license, which will return the expiration date and other information.
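The three situations this thread walked through (connection refused because the node is not listening, a 401 because no credentials were sent, a 401 because the bootstrap password is no longer valid, and finally a 200 with the cluster banner) can be told apart programmatically from the GET / response. The script below is an added example written for this thread, not code from Elastic or from any of the posters: it reproduces what `curl -u elastic` does (an HTTP basic Authorization header), classifies the node's answer, and, once authenticated, summarizes GET _xpack/license in the 6.x response shape. The ES_URL, ES_USER and ES_PASSWORD environment variables and the sample 401 bodies are assumptions constructed for the example.

```python
"""Diagnose what an Elasticsearch node's answer to GET / means, then read the license.

Added example for this thread, not code from Elastic or the original posters.
Assumed: ES_URL, ES_USER and ES_PASSWORD environment variables (placeholders),
and the 6.x response shapes shown in the thread.
"""
import base64
import json
import os
import urllib.error
import urllib.request


def basic_auth_header(user, password):
    """Return the Authorization header that `curl -u user:password` sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}"}


def probe(url, user=None, password=None, timeout=5):
    """GET url and return (status, headers, body); status is None if no TCP
    connection could be made (node not running, wrong host/port, firewall)."""
    headers = basic_auth_header(user, password) if user is not None else {}
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:          # 4xx/5xx still carry a JSON body
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):       # connection refused, timeout, DNS
        return None, {}, ""


def classify(status, headers, body):
    """Map a GET / response to one of the situations seen in the thread."""
    if status is None:
        return "not_reachable"            # setup-passwords' 'Connection refused' case
    if status == 401:
        reason = ""
        try:
            reason = json.loads(body)["error"]["reason"]
        except (ValueError, KeyError, TypeError):
            pass
        if reason.startswith("missing authentication token"):
            return "security_enabled_no_credentials"   # forgot -u
        if reason.startswith("failed to authenticate user"):
            return "security_enabled_bad_credentials"  # wrong or already-changed password
        if "Basic" in headers.get("WWW-Authenticate", ""):
            return "security_enabled"
        return "unauthorized"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "authenticated_ok"     # the 'You Know, for Search' banner
    return "unexpected"


def license_summary(doc):
    """One-line summary of a GET _xpack/license response (6.x shape)."""
    lic = doc["license"]
    return f"{lic['type']} license, status {lic['status']}, expires {lic.get('expiry_date', 'n/a')}"


def security_error_body(reason):
    """Constructed 401 body with the shape X-Pack security returns, for offline checks."""
    cause = {"type": "security_exception", "reason": reason,
             "header": {"WWW-Authenticate": 'Basic realm="security" charset="UTF-8"'}}
    return json.dumps({"error": dict(cause, root_cause=[cause]), "status": 401})


if __name__ == "__main__":
    # Placeholders: point these at your own node; nothing here comes from the thread.
    url = os.environ.get("ES_URL", "http://localhost:9200").rstrip("/")
    user = os.environ.get("ES_USER")            # e.g. elastic (assumption)
    password = os.environ.get("ES_PASSWORD")
    state = classify(*probe(url + "/", user, password))
    print("GET / ->", state)
    if state == "authenticated_ok":
        status, _, body = probe(url + "/_xpack/license", user, password)
        print(license_summary(json.loads(body)) if status == 200 else f"license query returned {status}")
```

Run it with `ES_USER=elastic ES_PASSWORD=... python3 es_check.py` against a node; without credentials it reports `security_enabled_no_credentials`, which is the 401 the poster kept hitting, while a wrong password maps to `security_enabled_bad_credentials`, the same condition setup-passwords reported as "Failed to verify bootstrap password".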

Yes, it looks like the installation is set.
