Logstash unauthorized after so-elastic-auth
953 views
Skip to first unread message
jjvq...@gmail.com
Aug 17, 2020, 7:30:35 AM8/17/20
to security-onion
Hello Security-Onion team,
Today I ran the so-elastic-auth script to enable Elastic authentication. But I cannot get logstash started, the logstash.log file states the following:
[2020-08-17T11:18:38,518][WARN ][logstash.outputs.elasticsearch] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://elasticsearch:9200/'"}
It seems that there are logstash related user/roles created because they are visible Kibana/Management.
Do I need to manually enter a logstash user and password in a specific configuration file? If so, where and should I change the password in Kibana for the user, as I do not know what the generated password is.
Thanks in advance for any input.
Jay
Doug Burks
Aug 17, 2020, 7:55:22 AM8/17/20
to securit...@googlegroups.com
Hi Jay,
Have you tried restarting Logstash? so-logstash-start should configure Logstash with the proper credentials:
--
Follow Security Onion on Twitter!
https://twitter.com/securityonion
---
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/security-onion/43e486aa-5d3f-4087-b827-17c6164fbef0n%40googlegroups.com.
Doug Burks
Founder and CEO
Security Onion Solutions, LLC
Founder and CEO
Security Onion Solutions, LLC
jjvq...@gmail.com
Aug 17, 2020, 8:37:02 AM8/17/20
to security-onion
Thanks Doug,
You pointed me in the right direction. The problem had to do with me not following the naming standard in the /etc/logstash/custom dir. After editing those files by adding the user and password lines (that I got from the /etc/logstash/conf.d output files) and restarting logstash everything started working again.
Thanks again for the quick answer. Have a good day!
Jay
Op maandag 17 augustus 2020 om 13:55:22 UTC+2 schreef Doug Burks:
Reply all
Reply to author
Forward
0 new messages