logstash Authentication error with shield - elasticsearch

I'm getting the following error while trying to output data to elasticsearch from logstash:
Failed to install template: [401]
{"error":"AuthenticationException[unable to authenticate user
[es_admin] for REST request [/_template/logstash]]","status":401}
{:level=>:error}
I have the configuration like this in logstash:
if [type]=="signup"{
elasticsearch {
protocol => "http"
user =>"*****"
password =>"*******"
document_type => "signup"
host => "localhost"
index => "signups"
}
}
I have tried adding user with following commands:
esusers useradd <username> -p <password> -r logstash
I also tried giving role admin but logstash not working for admin user also.
The localhost:9200 is asking for the password and after entering the password it works but the logstash is giving an error.

I also had similar issue. There is a known issue with elasticsearch if the password has an "#" symbol, this issue can happen. See below link:
https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/232
Also some documentation on elasticsearch has instructions to include "shield" configuration in elasticsearch.yml, but if you have only one shield realm, this is not needed. I dont have shield configuration in elasticsearch.yml

I see that you tried with both logstash and admin user but failed.
To try with an admin privileged user:
Please make sure your /etc/elasticsearch/shield/roles.yml has below content for admin role:
# All cluster rights
# All operations on all indices
admin:
cluster: all
indices:
'*':
privileges: all
Then test something like below:
curl -u es_admin:es_admin_password localhost:9200/_cat/health
To make the logstash role user to work, logstash role need to be tweaked at roles.yml. I configured logstash to use admin privileged user to write to elasticsearch. I hope this would help.

Related

What is the default user and password for Elasticsearch 7.8.0?

What's is the default username and password for Elasticsearch 7.8.0? It's asking this on 9200 port. Tried these (username pass):
elastic [no pass]
elastic elastic
without entering anything
elastic changeme
elastic password
user password
OS: Windows 10 x64, installed ES with MSI installer from its website.
yml file:
bootstrap.memory_lock: false
cluster.name: elasticsearch
http.port: 9200
node.data: true
node.ingest: true
node.master: true
node.max_local_storage_nodes: 1
node.name: LAPTOP-1C4GVFSU
path.data: C:\ProgramData\Elastic\Elasticsearch\data
path.logs: C:\ProgramData\Elastic\Elasticsearch\logs
transport.tcp.port: 9300
xpack.license.self_generated.type: basic
xpack.security.enabled: true
Somehow default username password isn't working. I had to set the password on CMD by
bin/elasticsearch-setup-passwords interactive
bin/elasticsearch-setup-passwords auto
The interactive parameter prompts new password for the users, whereas auto generates them for you.
Username is elastic and Password is password
If you are trying to debug Elasticsearch Source Code, then after running ./gradlew :run, ES starts building and running.
Once the service has started, run this curl command from another window :
curl -u elastic:password localhost:9200
After which add the username and password as mentioned above. To know more about this refer CONTRIBUTING.md
It may also be possible, that you have only added the xpack.security.enabled setting to the ES_PATH_CONF/elasticsearch.yml file.
After which if you try to hit localhost:9200, then it will ask for username and password (as you have enabled security feature). But since you have not set up username and password, so it will throw security_exception (when incorrect username and password are entered).
So, for that, run bin/elasticsearch-setup-passwords interactive, and set the username and password.
Refer to this documentation for Setting built-in user and password
try the following command
bin/elasticsearch-reset-password -u elastic
it generates new password for user "elastic"
Check /etc/nginx/ for nginx.con files and nginx passwd file.
ElasticSearch is using simple Nginx passwd file and basic authentication for default instance.

Integration between ELK and LDAP

I recently got to manage an opensource-based infrastructure composed by multiple Debian servers. On some of them, the ELK stack is installed.
I am verifying verify the presence of any integration between ELK and LDAP or other IAMs. On the dedicated monitoring node, I looked for IAM-related info into the following configuration files:
/etc/elasticsearch/elasticsearch.yaml
/etc/kibana/kibana.yml
/etc/logstash/logstash.yml
but the only login/account credentials I have been able to find are in the kibana.yml file:
elasticsearch.username: "username"
elasticsearch.password: "password"
In /etc/kibana/kibana.yml and /etc/elasticsearch/elasticsearch.yml I find the following:
xpack.security.enabled: false
which leads me think to the presence of a "xpack" plugin in somehow related to ldap. Where should I look for LDAP integration ?
Thanks to #Wonka for suggesting the presence of ReadOnlyRest. I found a readonlyrest.yml in /etc/elasticsearch. There, the following was present:
ldaps:
- name: ldap1
host: "ourldapserver.ourdomain"
[...]
Here is where LDAP integration occured.

How to run Mongodb as a service with authentication on a windows machine

remark: I am using win10.
My goal is when windows boot mongodb as a service with authentication start( you can not enter the database without authenticate) but I can not manage to do it on a windows machine ( in linux it worked)
I write here the steps I tried:
dowlnload MongoDB
change conf from default to the following
# mongod.conf
http://docs.mongodb.org/manual/reference/configuration-options/
# Where and how to store data.
storage:
dbPath: C:\MongoDB\Server\4.0\data
journal:
enabled: true
# where to write logging data.
systemLog:
destination: file
logAppend: true
path: C:\MongoDB\Server\4.0\log\mongod.log
# network interfaces
net:
port: 27017
bindIp: 127.0.0.1
security:
authorization: enabled
setParameter:
enableLocalhostAuthBypass: false
create a Admin user in the Admin collection.
db.createUser(
{
user: "....",
pwd: "...",
roles:
[
{ role: "root", db: "admin" }
]
}
)
Made it a service:
sc.exe create MongoDB
binPath=“\”C:\MongoDB\Server\4.0\bin\mongod.exe\”
–service
config=\”C:\MongoDB\Server\4.0\bin\mongod.cfg\”” DisplayName= “MongoDB” start= “auto”
getting feedback Successful.
but when i restart the computer, mongod is not starting and if i dont specify mongod --auth i can still enter without a authentication
How can I run Mongod as service with authentication? what am i doing wrong?
When i am trying to activate the service manually I get the following error
Error photo
The issue with the security tag. I have the same issue when I wanted to start the service in Windows 10. I copy the command from Windows service properties and then run on the command prompt.
The prompt shows me the error:
Unrecognized category : security
I found the solution and it is to write the security tag with options properly.
YAML need some specific input I guess. Here it is the solution.
security:
authorization: enabled
I had the same issue.
In your mongodb.cfg, use 2 spaces (instead of TAB) to indent authorization: enabled

Failing to install ELK

I am trying to install ELK but I am getting below timed out error.
Check your log, It might be the situation that your computer's configuration is not good enough to run elk.[elasticsearch can take 1.2g memory].
use free -m df -h check the machine can support elk service.
In centos, logs locate on /var/log/elasticsearch.
You can check your connection with curl localhost:9200.
If your elasticsearch deploys in other machines, you should set the configuration as host: 0.0.0.0
Update elasticsearch configuration
Add below code to elastcisearch.yml
# vi /etc/elasticsearch/elastcisearch.yml
network.host: 0.0.0.0
If you have enabled authentication for Elasticsearch, update Logstash configuration file and provide user and password.
# vi /home/checkstyle.conf
output {
elasticsearch {
hosts => ['localhost:9200']
user => 'admin'
password => 'admin'
sniffing => true
manage_template => false
index => "autocheckstylelogsyncfilebeat"
}
}
Verify Elasticsearch is active
# curl -XGET 'localhost:9200'
If authentication is enabled
# curl -XGET '<user>:<pwd>#localhost:9200'

elasticsearch service fails to start after installation

I installed elastic search using the deb package from here. The service however fails to start and throws below error. How can I fix this?
$ sudo service elasticsearch restart
* Stopping Elasticsearch Server [ OK ]
* Starting Elasticsearch Server
chown: invalid group: `elasticsearch:elasticsearch'
chown: invalid group: `elasticsearch:elasticsearch' [fail]
Maybe you don't have this user/group set up in your system:
For security reasons, running the server as an unprivileged user and group is strongly encouraged. Create user and group for Elasticsearch:
groupadd elasticsearch
useradd -s /sbin/nologin -d /usr/local/elasticsearch -c "Elasticsearch User"

Resources