Need to connect elasticsearch with Active Directory for authentication - Need help

Error : [2018-10-26T19:44:59,031][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
[2018-10-26T19:44:59,090][WARN ][t.b.r.e.SSLTransportNetty4] io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 48454144202f20485454502f312e310d0a486f73743a203137322e32392e302e3134363a393230300d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a0d0a

elasticsearch.yml

http.type: ssl_netty4


readonlyrest.yml
readonlyrest:
  enable: true
  ssl:
    enable: true
    keystore_file: "/etc/elasticsearch/keystore.jks"
    keystore_pass: ******************
    key_pass: ***************

  access_control_rules:

  - name: Accept requests from users in group team
    type: allow
    ldap_auth:
      name: "test"
      groups: "admins"
    indices: ["*"]

  ldaps:

  - name: test
    host: "172.*.*.*"
    port: 389
    ssl_enabled: true
    ssl_trust_all_certs: true
    bind_dn: "cn=elkadmin,ou=elk,dc=*********,dc=local"
    bind_password: "*********"
    search_user_base_DN: "ou=elk,dc=*****,dc=local"
    search_groups_base_DN: "ou=elk,dc=*******,dc=local"

When I run the curl command
curl -vvv -u elkadmin@.local:** "https://****************.local"

* Rebuilt URL to: https://********************.local/
*   Trying 172...*...
* Connected to ************.local (172...) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 597 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: *************.local (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: CN=****************.local
*    start date: Fri, 26 Oct 2018 17:46:26 GMT
*    expire date: Mon, 23 Oct 2028 17:46:26 GMT
*    issuer: CN=*****************.local
*    compression: NULL
* ALPN, server accepted to use http/1.1
* Server auth using Basic with user 'elkadmin@**********.local'
> GET / HTTP/1.1
> Host: **************.local
> Authorization: Basic ZWxrYWRtaW5AYXBwZGV2LmxvY2FsOnNvYzIwMTgh
> User-Agent: curl/7.47.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.10.3 (Ubuntu)
< Date: Fri, 26 Oct 2018 20:04:24 GMT
< Content-Type: text/html
< Content-Length: 204
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Restricted Access"
<
401 Authorization Required

401 Authorization Required

nginx/1.10.3 (Ubuntu)
* Connection #0 to host *************.local left intact

Also getting this,


● elasticsearch.service - Elasticsearch
Loaded: loaded (/usr/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2018-10-26 19:50:06 UTC; 19min ago
Docs: http://www.elastic.co
Main PID: 3400 (java)
Tasks: 51
Memory: 4.3G
CPU: 5min 37.910s
CGroup: /system.slice/elasticsearch.service
├─3400 /usr/bin/java -Xms4g -Xmx4g -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiat
└─3458 /usr/share/elasticsearch/modules/x-pack/x-pack-ml/platform/linux-x86_64/bin/controller

Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: Caused by: java.net.SocketException: Connection reset
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at java.net.SocketInputStream.read(SocketInputStream.java:210)
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at java.net.SocketInputStream.read(SocketInputStream.java:141)
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.InputRecord.read(InputRecord.java:503)
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:9
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSock
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.ja
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: at sun.security.ssl.AppInputStream.read(AppInputStream.java:105)
Oct 26 19:50:20 ip-172-29-0-146 elasticsearch[3400]: … 7 more


Please assist

This means that an HTTP client (Kibana, Logstash, etc.) is trying to connect to http:// instead of https://. So please review the clients’ configuration so that they point to https://elasticsearch-host:9200
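The WARN line in the first post already identifies the culprit: Netty appends a hex dump of the bytes it received to "not an SSL/TLS record:", and those bytes are a plaintext `HEAD / HTTP/1.1` request for port 9200, the same kind of probe the Logstash client shows up with later in the thread. The following Python helper is an added example for this thread (not ReadonlyREST code, and the function names are my own); it decodes that dump and summarises the request line and Host header so the misconfigured client can be found without guessing.

```python
"""Decode the bytes quoted in a Netty NotSslRecordException.

Added example for this thread; it is not ReadonlyREST code. Netty appends a
hex dump of whatever it received to "not an SSL/TLS record:", so the WARN
line already tells you which client spoke plaintext to the TLS listener.
"""
import re
from typing import Optional

NOT_SSL_RE = re.compile(r"not an SSL/TLS record: ([0-9a-fA-F]+)")
HTTP_METHODS = (b"GET ", b"HEAD ", b"POST ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

# The WARN line from the first post of the thread (hex dump exactly as logged by Netty).
SAMPLE_LINE = (
    "[2018-10-26T19:44:59,090][WARN ][t.b.r.e.SSLTransportNetty4] "
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: "
    "48454144202f20485454502f312e310d0a486f73743a203137322e32392e302e3134363a39323030"
    "0d0a436f6e74656e742d4c656e6774683a20300d0a436f6e6e656374696f6e3a206b6565702d616c"
    "6976650d0a0d0a"
)


def extract_payload(line: str) -> Optional[bytes]:
    """Return the dumped bytes, or None if the line is not this Netty error."""
    m = NOT_SSL_RE.search(line)
    return bytes.fromhex(m.group(1)) if m else None


def classify(payload: bytes) -> str:
    """Name what the first bytes look like: a TLS record, plaintext HTTP, or neither."""
    # TLS record header: content type (0x15/0x16/0x17) followed by major version 0x03.
    if payload[:2] in (b"\x16\x03", b"\x17\x03", b"\x15\x03"):
        return "tls-record"  # Netty would not have raised NotSslRecordException for this
    if payload.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


def describe(line: str) -> dict:
    """Summarise the offending request so the misconfigured client can be located."""
    payload = extract_payload(line)
    if payload is None:
        return {"kind": "not-a-netty-ssl-error"}
    info = {"kind": classify(payload)}
    if info["kind"] == "plaintext-http":
        text = payload.decode("ascii", errors="replace")
        request_line, _, rest = text.partition("\r\n")
        headers = {}
        for h in rest.split("\r\n"):
            name, sep, value = h.partition(":")
            if sep:
                headers[name.strip().lower()] = value.strip()
        info["request_line"] = request_line
        info["host"] = headers.get("host")
        info["user_agent"] = headers.get("user-agent")  # absent in this particular dump
    return info


if __name__ == "__main__":
    print(describe(SAMPLE_LINE))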

Thank you for the response.

This is the configuration I have currently. Please suggest.

kibana.yml

server.host: "172.*.*.*"
server.name: "**************"
elasticsearch.url: "https://172.*.*.*:9200"
xpack.security.enabled: false
logging.dest: stdout

logstash.yml

node.name: ***************
http.host: "172.*.*.*"
http.port: 9600
log.level: debug
path.logs: /var/log/logstash

input {
  beats {
    port => 5044
  }
}

output {
  elasticsearch {
   hosts => ["172.*.*.*:9200"]
   index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}" 
  }
}

Hi @sim, please see our manual with the full example about how to configure SSL in Logstash.

Thank you so much.

Still need to ask a silly question: how am I supposed to create credentials for logstash, as it doesn’t specify in the manual.

Step 3 Now We need to create some credentials for logstash to login, let’s say

  • user = logstash
  • password = logstash

@sscarduzio please assist. I would really appreciate it. It’s a little confusing.

Yeah no worries! You need to add an ACL block with either auth_key or auth_key_sha256 rule inside. There is a step by step guide on how to secure Logstash in our docs.

Extract from the docs:

readonlyrest:
   
    ssl:
      enable: true
      # keystore in the same dir with readonlyrest.yml
      keystore_file: "keystore.jks"
      keystore_pass: readonlyrest
      key_pass: readonlyrest

    response_if_req_forbidden: Forbidden by ReadonlyREST ES plugin

    access_control_rules:

    - name: "::LOGSTASH::"
      auth_key_sha256: "280ac6f756a64a80143447c980289e7e4c6918b92588c8095c7c3f049a13fbf9" #logstash:logstash
      actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
      indices: ["logstash-*"]
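The `auth_key_sha256` value in the docs extract above is the SHA-256 of the literal string `user:password`, hex encoded (the trailing `#logstash:logstash` comment records which pair it came from). The Python below is an added example for this thread, not ReadonlyREST's own tooling: it generates that value, checks a stored hash against a credential pair, and rewrites any cleartext `auth_key: user:pass` line in a readonlyrest.yml fragment into its `auth_key_sha256` form. The sample ACL fragment is constructed to match the `::LOGSTASH::` block shape used in this thread; the `DOCS_LOGSTASH_HASH` constant is the hash quoted above, and the script only reports whether it matches `logstash:logstash` rather than assuming it.

```python
"""Produce auth_key_sha256 values and flag cleartext auth_key rules.

Added example, not ReadonlyREST's own tooling. It follows the layout the docs
extract above shows: SHA-256 over the literal "user:password", hex encoded,
placed in an ACL block as auth_key_sha256 instead of a cleartext auth_key.
"""
import hashlib
import hmac
import re

# Hash quoted in the docs extract above, annotated there as logstash:logstash.
DOCS_LOGSTASH_HASH = "280ac6f756a64a80143447c980289e7e4c6918b92588c8095c7c3f049a13fbf9"

# Matches a cleartext `auth_key:` line (quoted or not); auth_key_sha256 lines do not match.
AUTH_KEY_RE = re.compile(r'^(\s*)auth_key:\s*"?([^"\s#]+)"?\s*(#.*)?$')


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def auth_key_sha256(user: str, password: str) -> str:
    """Value for an ACL block's auth_key_sha256 rule."""
    return sha256_hex(f"{user}:{password}")


def hash_matches(stored_hex: str, user: str, password: str) -> bool:
    """Constant-time check of a stored auth_key_sha256 against a credential pair."""
    return hmac.compare_digest(stored_hex.lower(), auth_key_sha256(user, password))


def harden_plaintext_auth_keys(yaml_text: str):
    """Rewrite each `auth_key: user:pass` line to auth_key_sha256.

    Returns (rewritten_text, [users rewritten]). The trailing comment keeps only
    the user name, unlike the docs example, so the YAML no longer carries the
    secret at all.
    """
    out, users = [], []
    for line in yaml_text.splitlines():
        m = AUTH_KEY_RE.match(line)
        if m and ":" in m.group(2):
            indent, cred = m.group(1), m.group(2)
            user, password = cred.split(":", 1)
            out.append(f'{indent}auth_key_sha256: "{auth_key_sha256(user, password)}"  # {user}')
            users.append(user)
        else:
            out.append(line)
    return "\n".join(out) + "\n", users


# Constructed fragment in the shape of the thread's ::LOGSTASH:: block.
SAMPLE_ACL = """\
readonlyrest:
  access_control_rules:
  - name: "::LOGSTASH::"
    auth_key: logstash:logstash
    indices: ["logstash-*"]
"""

if __name__ == "__main__":
    print("docs hash matches logstash:logstash:",
          hash_matches(DOCS_LOGSTASH_HASH, "logstash", "logstash"))
    text, users = harden_plaintext_auth_keys(SAMPLE_ACL)
    print(f"rewrote auth_key for {users}:\n{text}")
```

Run it as a script to print the hardened fragment; the `hash_matches` check is what you would use to confirm a hash you copied from somewhere really corresponds to the credentials your Logstash pipeline is configured with.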

thank you. :slight_smile:

Still getting error:


[2018-10-30T03:57:09,660][INFO ][t.b.r.a.ACL ] FORBIDDEN by default req={ ID:273631129-1585012483#103548, TYP:MainRequest, CGR:N/A, USR:logstash(?), BRS:true, KDX:null, ACT:cluster:monitor/main, OA:172.******** DA:172.**********, IDX:<N/A>, MET:HEAD, PTH:/, CNT:<N/A>, HDR:{Authorization=, content-length=0, Connection=Keep-Alive, User-Agent=Manticore 0.6.1, Host=172.***********:9200, Accept-Encoding=gzip,deflate, Content-Type=application/json}, HIS: }
[2018-10-30T03:57:10,170][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
[2018-10-30T03:57:11,173][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
[2018-10-30T03:57:12,176][INFO ][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster not ready…
[2018-10-30T03:57:12,553][WARN ][o.e.x.m.e.l.LocalExporter] unexpected error while indexing monitoring document
org.elasticsearch.xpack.monitoring.exporter.ExportException: UnavailableShardsException[[.monitoring-es-6-2018.10.30][0] primary shard is not active Timeout: [1m], request: [BulkShardRequest [[.monitoring-es-6-2018.10.30][0]] containing [index {[.monitoring-es-6-2018.10.30][doc][E9Ydw2YBG2I_nQmYWSCJ], source[n/a, actual length: [2.7kb], max length: 2kb]}]]]
at org.elasticsearch.xpack.monitoring.exporter.local.LocalBulk.lambda$throwExportException$2(LocalBulk.java:128) ~[?:?]
at java.util.stream.ReferencePipeline$3$1.accept(ReferencePipeline.java:193) ~[?:1.8.0_181]
at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:175) ~[?:1.8.0_181]
at java.util.Spliterators$ArraySpliterator.forEachRemaining(Spliterators.java:948) ~[?:1.8.0_181]
at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:481) ~[?:1.8.0_181]
at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:471) ~[?:1.8.0_181]
at java.util.stream.ForEachOps$ForEachOp.evaluateSequential(ForEachOps.java:151) ~[?:1.8.0_181]
at java.util.stream.ForEachOps$ForEachOp$OfRef.evaluateSequential(ForEachOps.java:174) ~[?:1.8.0_181]
at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234) ~[?:1.8.0_181]
at java.util.stream.ReferencePipeline.forEach(ReferencePipeline.java:418) ~[?:1.8.0_181]
at org.elasticsearch.xpack.monitoring.exporter.local.LocalBulk.throwExportException(LocalBulk.java:129) ~[?:?]
at org.elasticsearch.xpack.monitoring.exporter.local.LocalBulk.lambda$doFlush$0(LocalBulk.java:111) ~[?:?]
at org.elasticsearch.action.ActionListener$1.onResponse(ActionListener.java:60) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.ContextPreservingActionListener.onResponse(ContextPreservingActionListener.java:43) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction$1.onResponse(TransportAction.java:85) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.support.TransportAction$1.onResponse(TransportAction.java:81) ~[elasticsearch-6.3.0.jar:6.3.0]
at org.elasticsearch.action.bulk.TransportBulkAction$BulkRequestModifier.lambda$wrapActionListenerIfNeeded$0(TransportBulkAction.java:570) ~[elasticsearch-6.3.0


When I run the curl command
curl -vvv -u elkadmin@ .local: ** "https://****************.local"

< HTTP/1.1 401 Unauthorized
< Server: nginx/1.10.3 (Ubuntu)
< Date: Fri, 26 Oct 2018 20:04:24 GMT
< Content-Type: text/html
< Content-Length: 204
< Connection: keep-alive
* Authentication problem. Ignoring this.
< WWW-Authenticate: Basic realm="Restricted Access"
<

401 Authorization Required

Is your cluster in a green state? Looks like some shard is not available; an Elasticsearch-related (non-ReadonlyREST-related) exception is triggering the default “on error” behaviour in ReadonlyREST to forbid everything.

@sscarduzio, the cluster is in red state right now. But it was green before enabling ReadonlyRest but I will look into it.

Thank you for your response.


@sscarduzio need your help again please. My cluster is in green state and I am able to establish a connection with SSL when I curl; however, my ACL blocks for AD connectivity are not working.

root@ip-172-***:/etc/elasticsearch # curl -vvv "https://readlogs.***************:9200"
* Rebuilt URL to: https://readlogs.**************:9200/
*   Trying 172.**********...
* TCP_NODELAY set
* Connected to readlogs.**************** (172.*********) port 9200 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=readlogs.******************
*  start date: Nov  5 19:19:28 2018 GMT
*  expire date: Nov  2 19:19:28 2028 GMT
*  common name: readlogs********(matched)
*  issuer: CN=readlogs.***************
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: readlogs.***********:9200
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/1.1 200 OK
< content-type: application/json; charset=UTF-8
< content-length: 489
<
{
  "name" : "node-1",
  "cluster_name" : "my-cluster",
  "cluster_uuid" : "BrVxHXzQSbujXuV20_r3YA",
  "version" : {
    "number" : "6.4.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "04711c2",
    "build_date" : "2018-09-26T13:34:09.098244Z",
    "build_snapshot" : false,
    "lucene_version" : "7.4.0",
    "minimum_wire_compatibility_version" : "5.6.0",
    "minimum_index_compatibility_version" : "5.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host readlogs.********************* left intact

readonlyrest.yml

readonlyrest:
    ssl:
      enable: true
      keystore_file: keystore.jks
      keystore_pass: readonlyrest
      key_pass: readonlyrest

      audit_collector: true

      access_control_rules:
      - name: Accept requests from users in group team
        type: allow
        ldap_auth:
         name: "name"
         groups: "admins"
        indices: ["*"]

      - name: "::LOGSTASH::"
        auth_key: logstash:logstash
        actions: ["cluster:monitor/main","indices:admin/types/exists","indices:data/read/*","indices:data/write/*","indices:admin/template/*","indices:admin/create"]
        indices: ["logstash-*"]

      ldaps:
      - name: name
        host: "172.**********"
        port: 389
        ssl_enabled: true
        ssl_trust_all_certs: true
        bind_dn: "cn=elkadmin,ou=elk,dc=domain,dc=local"
        bind_password: "password"
        search_user_base_DN: "ou=elk,dc=domain,dc=local"
        search_groups_base_DN: "ou=elk,dc=domain,dc=local"

The ldap_auth.name field in the ACL block should reflect the name of an LDAP server declared under ldaps. Therefore, according to your configuration, you should set name: "appdev".

Two extra pieces of advice for ACL and LDAP troubleshooting

Also, when you try to debug the ACL, please go straight to the ES logs as explained in our troubleshooting guide.

One more very useful thing when you debug LDAP: try putting the whole of ES in debug mode; you will be able to see the LDAP connector’s activity, including errors. This is all explained in our troubleshooting guide.

It is appdev in my config.

I have already enabled debug ES logs as per the documentation.

When I curl with AD credentials I get this.


[2018-11-06T18:21:38,712][DEBUG][i.n.h.s.SslHandler ] [id: 0xb8ea1e62, L:/172..0.:9200 - R:/172..0.:46004] Swallowing a harmless ‘connection reset by peer / broken pipe’ error that occurred while writing close_notify in response to the peer’s close_notify
java.io.IOException: Connection reset by peer
at sun.nio.ch.FileDispatcherImpl.read0(Native Method) ~[?:?]
at sun.nio.ch.SocketDispatcher.read(SocketDispatcher.java:39) ~[?:?]
at sun.nio.ch.IOUtil.readIntoNativeBuffer(IOUtil.java:223) ~[?:?]
at sun.nio.ch.IOUtil.read(IOUtil.java:197) ~[?:?]
at sun.nio.ch.SocketChannelImpl.read(SocketChannelImpl.java:380) ~[?:?]
at io.netty.buffer.PooledHeapByteBuf.setBytes(PooledHeapByteBuf.java:261) ~[netty-buffer-4.1.16.Final.jar:4.1.16.Final]
at io.netty.buffer.AbstractByteBuf.writeBytes(AbstractByteBuf.java:1106) ~[netty-buffer-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.socket.nio.NioSocketChannel.doReadBytes(NioSocketChannel.java:343) ~[netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:123) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:545) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:499) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459) [netty-transport-4.1.16.Final.jar:4.1.16.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.16.Final.jar:4.1.16.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_191]
[2018-11-06T18:21:39,684][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader
[2018-11-06T18:21:39,684][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader
[2018-11-06T18:21:40,382][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader
[2018-11-06T18:21:40,384][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader
[2018-11-06T18:21:42,100][DEBUG][t.b.r.c.s.SettingsPoller ] [CLUSTERWIDE SETTINGS] Cluster is ready!
[2018-11-06T18:21:42,100][DEBUG][t.b.r.e.SettingsObservableImpl] [CLUSTERWIDE SETTINGS] checking index…
[2018-11-06T18:21:43,639][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader
[2018-11-06T18:21:43,639][DEBUG][t.b.r.e.s.RoleIndexSearcherWrapper] Document filtering not available. Return defaut reader


@sscarduzio

Not sure what this error means, but it doesn’t give me forbidden anymore, with or without AD.

Is this a new thing? curl stopped working for some reason?

curl works without credentials, as I mentioned above.

I tried enabling basic auth to see if it is the AD issue or it’s not picking up any ACL.

Even then, curl works without credentials, so it seems like it is not even detecting the ACL blocks. Not sure why that is. Am I missing anything? @sscarduzio please suggest

I’m starting to doubt your settings are being read at all. In the ES boot-up logs, you should read something like this:

[2018-11-06T19:54:49,954][INFO ][o.e.p.PluginsService     ] [1kbNu6t] loaded module [transport-netty4]
[2018-11-06T19:54:49,954][INFO ][o.e.p.PluginsService     ] [1kbNu6t] loaded plugin [readonlyrest]
[2018-11-06T19:54:52,551][INFO ][t.b.r.e.IndexLevelActionFilter] [1kbNu6t] Settings observer refreshing...
[2018-11-06T19:54:53,000][INFO ][t.b.r.r.SerializationTool] no custom audit log serialisers found, proceeding with default.
[2018-11-06T19:54:53,310][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:	{ name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]}
[2018-11-06T19:54:53,316][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:	{ name: 'Local auth for admin', policy: ALLOW, rules: [groups, kibana_access]}
[2018-11-06T19:54:53,318][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:	{ name: 'Local auth for nonpriv admin', policy: ALLOW, rules: [groups, kibana_access, kibana_index, indices]}
[2018-11-06T19:54:53,319][INFO ][t.b.r.e.IndexLevelActionFilter] [1kbNu6t] Configuration reloaded - ReadonlyREST enabled
[2018-11-06T19:54:53,319][INFO ][t.b.r.e.IndexLevelActionFilter] [1kbNu6t] Readonly REST plugin was loaded...
[2018-11-06T19:54:53,609][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin tech.beshu.ror.es.ReadonlyRestPlugin
...
[2018-11-06T19:54:58,117][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: attempting with JKS keystore..
[2018-11-06T19:54:58,121][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: ssl.key_alias not configured, took first alias in keystore: domain
[2018-11-06T19:54:58,122][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered key from JKS
[2018-11-06T19:54:58,122][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
[2018-11-06T19:54:58,184][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Using SSL provider: JDK
[2018-11-06T19:54:58,329][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA
[2018-11-06T19:54:58,331][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available SSL protocols: TLSv1,TLSv1.1,TLSv1.2
[2018-11-06T19:54:58,365][INFO ][t.b.r.e.SSLTransportNetty4] [1kbNu6t] publish_address {127.0.0.1:9200}, bound_addresses {[::1]:9200}, {127.0.0.1:9200}

Especially check:

  1. presence of “loaded plugin [readonlyrest]”
  2. one “ADDING BLOCK” line for each ACL block is printed
  3. presence of “Using REST wrapper from plugin tech.beshu.ror.es.ReadonlyRestPlugin”
  4. SSL logs are there and make sense

Last but not least, are you using our Kibana plugins too? (PRO, or Enterprise)
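The four checks listed above can be run mechanically over a boot log. The Python below is an added example for this thread, not ReadonlyREST code: it looks for the same marker strings in a set of log lines, extracts every `ADDING BLOCK` name, and compares them with the ACL block names you expect from readonlyrest.yml, since a settings file that fails to parse produces no `ADDING BLOCK` lines at all. The two sample logs are taken from the healthy boot log above and from the `tail -f` output posted later in this thread; the function and variable names are mine.

```python
"""Audit an Elasticsearch boot log for the ReadonlyREST start-up markers.

Added example; not part of the thread or of ReadonlyREST. It applies the
four checks listed above to log lines and, in particular, compares the
"ADDING BLOCK" lines against the ACL block names you expect, since a
settings file that is not parsed yields none of them.
"""
import re

ADDING_BLOCK_RE = re.compile(r"ADDING BLOCK:\s*\{ name: '([^']*)'")

# Substrings from the healthy boot log shown above.
MARKERS = {
    "plugin_loaded": "loaded plugin [readonlyrest]",
    "config_reloaded": "Configuration reloaded - ReadonlyREST enabled",
    "rest_wrapper": "Using REST wrapper from plugin tech.beshu.ror.es.ReadonlyRestPlugin",
    "ssl_key": "ROR SSL: Discovered key from JKS",
    "ssl_cert_chain": "ROR SSL: Discovered cert chain from JKS",
}


def registered_blocks(lines):
    """ACL block names in the order the plugin registered them."""
    names = []
    for line in lines:
        m = ADDING_BLOCK_RE.search(line)
        if m:
            names.append(m.group(1))
    return names


def audit_boot_log(lines, expected_blocks):
    """Return which markers were seen, which blocks loaded, and a list of problems."""
    seen = {key: any(marker in line for line in lines) for key, marker in MARKERS.items()}
    blocks = registered_blocks(lines)
    problems = [f"missing marker: {MARKERS[key]}" for key, ok in seen.items() if not ok]
    if not blocks:
        problems.append("no ACL block registered at all: readonlyrest.yml was not parsed "
                        "as expected (check indentation under the top-level readonlyrest key)")
    else:
        for name in expected_blocks:
            if name not in blocks:
                problems.append(f"ACL block never registered: {name}")
    return {"seen": seen, "blocks": blocks, "problems": problems}


# Lines from the healthy boot log quoted above (node id and timestamps as posted).
HEALTHY_BOOT_LOG = """\
[2018-11-06T19:54:49,954][INFO ][o.e.p.PluginsService     ] [1kbNu6t] loaded plugin [readonlyrest]
[2018-11-06T19:54:53,310][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:\t{ name: '::KIBANA-SRV::', policy: ALLOW, rules: [auth_key]}
[2018-11-06T19:54:53,316][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:\t{ name: 'Local auth for admin', policy: ALLOW, rules: [groups, kibana_access]}
[2018-11-06T19:54:53,318][INFO ][t.b.r.a.ACL              ] ADDING BLOCK:\t{ name: 'Local auth for nonpriv admin', policy: ALLOW, rules: [groups, kibana_access, kibana_index, indices]}
[2018-11-06T19:54:53,319][INFO ][t.b.r.e.IndexLevelActionFilter] [1kbNu6t] Configuration reloaded - ReadonlyREST enabled
[2018-11-06T19:54:53,609][DEBUG][o.e.a.ActionModule       ] Using REST wrapper from plugin tech.beshu.ror.es.ReadonlyRestPlugin
[2018-11-06T19:54:58,122][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered key from JKS
[2018-11-06T19:54:58,122][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
""".splitlines()

# Lines from the tail -f output posted later in the thread: SSL is up, but no block is ever added.
USER_TAIL_LOG = """\
[2018-11-06T19:15:11,912][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
[2018-11-06T19:15:11,971][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Using SSL provider: JDK
[2018-11-06T19:15:12,114][INFO ][o.e.n.Node               ] [node-1] started
[2018-11-06T19:15:12,810][INFO ][t.b.r.e.SettingsObservableImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file.
""".splitlines()

if __name__ == "__main__":
    print(audit_boot_log(HEALTHY_BOOT_LOG, ["::KIBANA-SRV::", "Local auth for admin", "Local auth for nonpriv admin"]))
    print(audit_boot_log(USER_TAIL_LOG, ["Accept requests from users in group team", "::LOGSTASH::"]))
```

Feed it the whole log file rather than a `tail`, otherwise the plugin-loaded and REST-wrapper lines, which are printed once at start-up, will be reported missing even on a healthy node.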

Yes, I am getting similar boot logs when I change the ES logs to info.

root@ip-172-29-0-52:/var/log/elasticsearch# tail -f my-cluster.log
[2018-11-06T19:15:11,912][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Discovered cert chain from JKS
[2018-11-06T19:15:11,971][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Using SSL provider: JDK
[2018-11-06T19:15:12,000][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available ciphers: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA
[2018-11-06T19:15:12,001][INFO ][t.b.r.e.SSLTransportNetty4] ROR SSL: Available SSL protocols: TLSv1,TLSv1.1,TLSv1.2
[2018-11-06T19:15:12,114][INFO ][t.b.r.e.SSLTransportNetty4] [node-1] publish_address {172.*********:9200}, bound_addresses {172.*********:9200}
[2018-11-06T19:15:12,114][INFO ][o.e.n.Node               ] [node-1] started
[2018-11-06T19:15:12,365][INFO ][o.e.l.LicenseService     ] [node-1] license [b0bbd7d7-2e79-4a26-bbc2-64581a03bc95] mode [basic] - valid
[2018-11-06T19:15:12,381][INFO ][o.e.g.GatewayService     ] [node-1] recovered [1] indices into cluster_state
[2018-11-06T19:15:12,633][INFO ][o.e.c.r.a.AllocationService] [node-1] Cluster health status changed from [RED] to [GREEN] (reason: [shards started [[.kibana][0]] ...]).
[2018-11-06T19:15:12,810][INFO ][t.b.r.e.SettingsObservableImpl] [CLUSTERWIDE SETTINGS] index settings not found. Will keep on using the local YAML file. Learn more about clusterwide settings at https://readonlyrest.com/pro.html


@sscarduzio, I am not using the Kibana plugin as of now; if I am able to establish the AD connectivity then we will go for the Kibana plugin, as security is the main priority for us as of now. If it works, we will purchase Pro or Enterprise.

And I don’t see it adding ACL blocks in my logs either.

@sscarduzio please suggest

So this is the issue. Can you make sure your YAML indentation is OK? Maybe take a picture of the editor with your phone, I don’t know.
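In the readonlyrest.yml posted above, `access_control_rules` and `ldaps` are indented under `ssl` rather than directly under `readonlyrest`, which is why the plugin loads the keystore fine but never logs an `ADDING BLOCK` line. The Python below is an added example for this thread (not ReadonlyREST code, and it needs no YAML library): it walks a readonlyrest.yml by indentation and reports which key each of the `ssl`, `access_control_rules` and `ldaps` sections is nested under. The `BROKEN` sample reproduces the nesting from the thread with placeholder values; `FIXED` is the same content with the sections moved up one level. The function names and the `ldap.example.local` host are mine.

```python
"""Report which mapping key each ReadonlyREST section is nested under.

Added example; not part of the thread or of ReadonlyREST, and it needs no
YAML library. It walks the file tracking indentation, so it answers the
question asked above: did `access_control_rules` and `ldaps` end up under
`readonlyrest`, or one level too deep under `ssl`, where the plugin never
looks for them (and logs no "ADDING BLOCK" lines)?
"""
import re

# A mapping key, optionally as the first key of a "- " list item.
KEY_RE = re.compile(r"^(\s*)(-\s+)?([A-Za-z_][A-Za-z0-9_]*):(\s|$)")
SECTIONS = ("ssl", "access_control_rules", "ldaps")


def section_parents(yaml_text, sections=SECTIONS):
    """Return {section: parent key} for each section found, by indentation depth."""
    stack = []      # (indent, key) for keys that may still own nested lines
    parents = {}
    for raw in yaml_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = KEY_RE.match(raw)
        if not m:
            continue                                       # plain list entries, values, etc.
        indent = len(m.group(1)) + len(m.group(2) or "")   # "- " counts toward depth
        key = m.group(3)
        while stack and stack[-1][0] >= indent:            # close keys at the same or deeper level
            stack.pop()
        if key in sections:
            parents[key] = stack[-1][1] if stack else None
        stack.append((indent, key))
    return parents


def misplaced_sections(yaml_text):
    """Sections that are not direct children of the readonlyrest key."""
    return sorted(k for k, parent in section_parents(yaml_text).items() if parent != "readonlyrest")


# Constructed: the nesting from the thread's readonlyrest.yml, with placeholder values.
BROKEN = """\
readonlyrest:
    ssl:
      enable: true
      keystore_file: keystore.jks
      keystore_pass: readonlyrest
      key_pass: readonlyrest

      audit_collector: true

      access_control_rules:
      - name: Accept requests from users in group team
        type: allow
        ldap_auth:
         name: "appdev"
         groups: "admins"
        indices: ["*"]

      - name: "::LOGSTASH::"
        auth_key_sha256: "<sha256 of user:password>"
        indices: ["logstash-*"]

      ldaps:
      - name: appdev
        host: "ldap.example.local"
        port: 389
        ssl_enabled: true
        bind_dn: "cn=elkadmin,ou=elk,dc=example,dc=local"
        bind_password: "<bind password>"
"""

# Constructed: the same content with every section a direct child of readonlyrest.
FIXED = """\
readonlyrest:
  ssl:
    enable: true
    keystore_file: keystore.jks
    keystore_pass: readonlyrest
    key_pass: readonlyrest

  audit_collector: true

  access_control_rules:
  - name: Accept requests from users in group team
    type: allow
    ldap_auth:
      name: "appdev"
      groups: "admins"
    indices: ["*"]

  - name: "::LOGSTASH::"
    auth_key_sha256: "<sha256 of user:password>"
    indices: ["logstash-*"]

  ldaps:
  - name: appdev
    host: "ldap.example.local"
    port: 389
    ssl_enabled: true
    bind_dn: "cn=elkadmin,ou=elk,dc=example,dc=local"
    bind_password: "<bind password>"
"""

if __name__ == "__main__":
    print("broken:", section_parents(BROKEN), "misplaced:", misplaced_sections(BROKEN))
    print("fixed: ", section_parents(FIXED), "misplaced:", misplaced_sections(FIXED))
```

The check is deliberately indentation-based rather than a full YAML parse: it reports the same thing ES would silently do with the file, namely treat everything under `ssl` as part of the SSL settings, and it gives you the section names to move rather than a generic parse error.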