root@oc-elk:/usr/share/elasticsearch# curl -X GET "10.7.1.61:9200/"
{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}

elk_user@oc-elk:~$ sudo journalctl --unit elasticsearch
-- Logs begin at Wed 2018-05-02 13:16:07 EDT, end at Thu 2018-05-03 09:32:31 EDT. --
May 02 13:16:09 oc-elk systemd[1]: Started Elasticsearch.
May 03 08:58:04 oc-elk systemd[1]: Stopping Elasticsearch...
May 03 08:58:12 oc-elk systemd[1]: Stopped Elasticsearch.
May 03 08:58:12 oc-elk systemd[1]: Started Elasticsearch.

elk_user@oc-elk:~$ sudo netstat -nlp | grep 9200
tcp6 0 0 10.7.1.61:9200 :::* LISTEN 43514/java

elk_user@oc-elk:~$ ps aux | grep elasticsearch
elastic+ 43514 63.6 74.9 101618332 6122332 ? Ssl 08:58 22:31 /usr/bin/java -Xms4g -Xmx4g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+AlwaysPreTouch -Xss1m -Djava.awt.headless=true -Dfile.encoding=UTF-8 -Djna.nosys=true -XX:-OmitStackTraceInFastThrow -Dio.netty.noUnsafe=true -Dio.netty.noKeySetOptimization=true -Dio.netty.recycler.maxCapacityPerThread=0 -Dlog4j.shutdownHookEnabled=false -Dlog4j2.disable.jmx=true -Djava.io.tmpdir=/tmp/elasticsearch.uNTeC9yy -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/var/lib/elasticsearch -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+PrintTenuringDistribution -XX:+PrintGCApplicationStoppedTime -Xloggc:/var/log/elasticsearch/gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=32 -XX:GCLogFileSize=64m -Des.path.home=/usr/share/elasticsearch -Des.path.conf=/etc/elasticsearch -cp /usr/share/elasticsearch/lib/* org.elasticsearch.bootstrap.Elasticsearch -p /var/run/elasticsearch/elasticsearch.pid --quiet
elastic+ 43597 0.0 0.0 135640 7156 ? Sl 08:58 0:00 /usr/share/elasticsearch/plugins/x-pack/x-pack-ml/platform/linux-x86_64/bin/controller
elk_user 43902 0.0 0.0 14220 960 pts/0 R+ 09:33 0:00 grep --color=auto elasticsearch

elk_user@oc-elk:~$ sudo cat /etc/elasticsearch/elasticsearch.yml

======================== Elasticsearch Configuration =========================

NOTE: Elasticsearch comes with reasonable defaults for most settings.

Before you set out to tweak and tune the configuration, make sure you

understand what are you trying to accomplish and the consequences.

The primary way of configuring a node is via this file. This template lists

the most important settings you may want to configure for a production cluster.

Please consult the documentation for further information on configuration options:

https://www.elastic.co/guide/en/elasticsearch/reference/index.html

---------------------------------- Cluster -----------------------------------

Use a descriptive name for your cluster:

cluster.name: ocs-elk-cluster

------------------------------------ Node ------------------------------------

Use a descriptive name for the node:

node.name: oc-elk

Add custom attributes to the node:

#node.attr.rack: r1

----------------------------------- Paths ------------------------------------

Path to directory where to store the data (separate multiple locations by comma):

path.data: /var/lib/elasticsearch

Path to log files:

path.logs: /var/log/elasticsearch

----------------------------------- Memory -----------------------------------

Lock the memory on startup:

#bootstrap.memory_lock: true

Make sure that the heap size is set to about half the memory available

on the system and that the owner of the process is allowed to use this

limit.

Elasticsearch performs poorly when the system is swapping the memory.

---------------------------------- Network -----------------------------------

Set the bind address to a specific IP (IPv4 or IPv6):

network.host: 10.7.1.61

Set a custom port for HTTP:

#http.port: 9200

For more information, consult the network module documentation.

--------------------------------- Discovery ----------------------------------

Pass an initial list of hosts to perform discovery when new node is started:

The default list of hosts is ["127.0.0.1", "[::1]"]

#discovery.zen.ping.unicast.hosts: ["host1", "host2"]

Prevent the "split brain" by configuring the majority of nodes (total number of master-eligible nodes / 2 + 1):

#discovery.zen.minimum_master_nodes:

For more information, consult the zen discovery module documentation.

---------------------------------- Gateway -----------------------------------

Block initial recovery after a full cluster restart until N nodes are started:

#gateway.recover_after_nodes: 3

For more information, consult the gateway module documentation.

---------------------------------- Various -----------------------------------

Require explicit names when deleting indices:

#action.destructive_requires_name: true

thanks again for all the help.

This

and this

cannot be both happening at the same time...

Can you please run

bin/x-pack/setup-passwords interactive -v

and share the output ?

root@oc-elk:/usr/share/elasticsearch# bin/x-pack/setup-passwords interactive -v
Running with configuration path: /etc/elasticsearch

Testing if bootstrap password is valid for http://10.7.1.61:9200/_xpack/security/_authenticate?pretty
{
"error" : {
"root_cause" : [
{
"type" : "security_exception",
"reason" : "failed to authenticate user [elastic]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
}
}
],
"type" : "security_exception",
"reason" : "failed to authenticate user [elastic]",
"header" : {
"WWW-Authenticate" : "Basic realm="security" charset="UTF-8""
}
},
"status" : 401
}

Failed to authenticate user 'elastic' against http://10.7.1.61:9200/_xpack/security/_authenticate?pretty
Possible causes include:

• The password for the 'elastic' user has already been changed on this cluster
• Your elasticsearch node is running against a different keystore
  This tool used the keystore at /etc/elasticsearch/elasticsearch.keystore

ERROR: Failed to verify bootstrap password

This would indicate that you have already run the setup-passwords command once successfully and set the password for the elastic user, can this be the case ?

If you have set the password but don't remember what it is, you can do a "password reset" reading through the instructions and information in the seminal post from @TimV

Yes I believe this is the case - that i have already run the setup-passwords command. I have set the password and do have it.

Ok , then you don't need to run setup-passwords again. You have successfully installed X-Pack, you have set the passwords for your internal users, then you're good to go. To make authenticated requests to Elasticsearch you need to pass the -u parameter in curl , i.e.

 curl -X GET -u elastic "http://10.7.1.61:9200/"

and enter the password you had set once you are prompted

elk_user@oc-elk:~$ curl -X GET -u elastic "http://10.7.1.61:9200/"
Enter host password for user 'elastic':
{
"name" : "oc-elk",
"cluster_name" : "ocs-elk-cluster",
"cluster_uuid" : "He1zkCcOSnK5UlyqVr01LA",
"version" : {
"number" : "6.2.4",
"build_hash" : "ccec39f",
"build_date" : "2018-04-12T20:37:28.497551Z",
"build_snapshot" : false,
"lucene_version" : "7.2.1",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
elk_user@oc-elk:~$

Awesome. Then I take it, that your issues have been resolved and your questions regarding the installation of X-pack have been answered !

Thank you very much for all your time and assistance...This is a great resource.

I have successfully installed x-pack on elasticsearch, kibana, and logstash. I did not complete the TLS installation section. Is the TLS section necessary on a single node deployment?

I have a trial license until June 2. The kibana console shows this trial license to be active. I cannot get the status from the command line:

root@oc-elk:~# GET _xpack/license/trial_status
Can't connect to _xpack:80

Temporary failure in name resolution at /usr/share/perl5/LWP/Protocol/http.pm line 47.

No, not while you're on a trial license or if you choose to continue with a license that doesn't enable X-Pack security.

The example from which you copy pasted that is meant as an instruction to be run via Kibana's dev console and not in your linux shell. In many linux distributions GET ( as in /usr/bin/GET ) is a symbolic link to lwp-request and this is what throws this error.

You either need to copy paste this command in your kibana dev console or click on the "Copy as curl" which will put

curl -X GET "localhost:9200/_xpack/license/trial_status"

(adjust localhost to your IP Address)

good morning - thanks for the update...here is the result:

{"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/_xpack/license/trial_status]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}}],"type":"security_exception","reason":"missing authentication token for REST request [/_xpack/license/trial_status]","header":{"WWW-Authenticate":"Basic realm="security" charset="UTF-8""}},"status":401}

As we discussed above, now that you have X-Pack security enabled you need to make authenticated calls with CURL so you need to pass the -u elastic parameter.

To be clear: There is nothing wrong with your installation, and there is no need to report here that the command will succeed. As you have already seen via Kibana the trial license is valid until June 2, you just want to access the same information directly from the Elasticsearch API. The response will be the same.

thank you for the clarification - here is the corrected result - i only want to ensure the licensing is correct - we will most likely purchase a license for this product very soon once i can get the PoC up

root@oc-elk:/usr/share/elasticsearch# curl -X GET -u elastic "10.7.1.61:9200/_xpack/license/trial_status"
Enter host password for user 'elastic':
{"eligible_to_start_trial":false}

You get only this result because _xpack/license/trial_status is the trial status API. If you want to get more details you should query the Get license API at x_pack/license that will return the expiration date and other information.

yes it looks like the installation is set.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.