Put xpack.security.enabled: false at the bottom of the elasticsearch.yml file
Started ES
I see plugin loaded then as ES continues to load I'll start to see errors similar to: FORBIDDEN by default req=... (it seems to start to list about anything from cluster:monitor to metricbeat, etc.)
A little later in the log I'll see ES recovered 10 indices followed by [CLUSTERWIDE SETTINGS] cluster not ready…
Then cluster health goes from red to yellow, shards get started and the FORBIDDEN keeps populating.
I go on to test like it says with curl - and I do not get the status code of 401.
OK, I reinstalled the plugin again on ES. Configured U/P with protocol of HTTP on ES, Logstash and Kibana. Everything started and authenticated just fine.
Then I configured the beats (File, metric & heart) and all toss errors of no basic auth.
For example on heartbeat, ES Docs say.
output.elasticsearch:
  hosts: ["myEShost:9200"]
  username: "filebeat_internal"
  password: "YOUR_PASSWORD"
I've got the ES U:P set correctly in each of the three beats (on the same system). At this point I have not done any ACLs yet and Logstash (uses same U:P) is working good. I have just the very basic YAML setting described in the docs which is (of course my U:P is different than the docs and identical between ES, Logstash, Kibana, and the beats).
I understood that you have credentials correctly set up in all your log shipping agents (beats, logstash, etc), but you keep on seeing no basic auth logs in ROR.
Correct?
If correct:
If they are not sending the basic authorization header, there must be a problem with the agents. They really should send that header. Maybe point them to another web server or debug proxy server if you don't trust the ROR logs.
Maybe they just need a restart?
Please confirm curl works? i.e.
curl -vvv "http://es_host:9200/_cat/indices" # <-- should result in FORBIDDEN in ROR logs + 401 error
curl -vvv -u user:password "http://es_host:9200/_cat/indices" # <-- should result in ALLOWED in ROR logs + 200 status code, and you should see the list of indices.
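A minimal debug web server of the kind suggested in the reply above, added here as an example (it is not code from this thread or from ReadonlyREST). It prints, per request, whether a Basic Authorization header arrived and for which user, without showing the password; it does not verify credentials, and the listen address 127.0.0.1:9201 and the names `auth_summary`, `DebugHandler` and `SEEN` are assumptions of the example.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

SEEN = []  # one (method, path, user agent, auth summary) tuple per request


def auth_summary(header):
    """Describe an Authorization header value without exposing the password."""
    if not header:
        return "no Authorization header"
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "basic":
        return "non-basic scheme: " + scheme
    try:
        decoded = base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "basic, but credentials are not valid base64"
    user, sep, _password = decoded.partition(":")
    if not sep:
        return "basic, but no ':' separator"
    return "basic, user=" + user


class DebugHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # Read and discard any request body (bulk payloads from the agents).
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        summary = auth_summary(self.headers.get("Authorization"))
        SEEN.append((self.command, self.path,
                     self.headers.get("User-Agent", "-"), summary))
        print(*SEEN[-1], sep=" | ")
        ok = summary.startswith("basic, user=")
        # Mirror the 401/200 split that the two curl checks above expect.
        self.send_response(200 if ok else 401)
        if not ok:
            self.send_header("WWW-Authenticate", 'Basic realm="debug"')
        self.send_header("Content-Length", "2")
        self.end_headers()
        if self.command != "HEAD":
            self.wfile.write(b"{}")

    do_GET = do_POST = do_PUT = do_HEAD = do_DELETE = _handle

    def log_message(self, fmt, *args):
        pass  # silence the default access log; _handle prints its own line


if __name__ == "__main__":
    # Assumed listen address; point one agent's hosts entry here temporarily.
    HTTPServer(("127.0.0.1", 9201), DebugHandler).serve_forever()
```

The server does not imitate Elasticsearch responses, so an agent pointed at it will fail its connection check; the printed lines still show which of its requests carried credentials.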
I've restarted a number of times, before trying to put in authentication the agent reported okay. I was wondering if it was because I have the agent sending to ES and enable the kibana dashboards - but the beat documentation seems to indicate that it would use ES's authentication if dashboards are loaded - I tried to put it in there anyway and it didn't seem to make a difference.
I might just try to reinstall one of the beats and see what it does.
2.a) I get {"error":{"root_cause":[{"reason":"forbidden"}],"reason":"forbidden"},"status":401}
2.b) I get 200 status code and a list of all the indices - including the 3 different beats. All show green.
After playing around with it, it seems data is getting through okay. I can see file logs and system metrics but I still get the FORBIDDEN messages. If I stop all beats, the FORBIDDEN messages go away - I start any one of the beats and the messages return.
I'm not going to spend anymore time on it for right now - working on SSL next.