Elasticsearch Authentication Failure
The collector’s log indicates failed to bootstrap elasticsearch and unable to authenticate user [<username>] for REST request
SYMPTOM
The collector's log indicates a message similar to the following:
2023-09-23T18:05:19.604Z error bootstrapper[elasticsearch] elasticsearch/bootstrap.go:147 failed to bootstrap elasticsearch. retrying... {"code": "elasticsearch/bootstrap-failure", "reason": "error while creating default ilm policy - GET ilm policy error for ilm policy 'elastiflow'- status code 401 not expected - {\"error\":{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"root_cause\":[{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"type\":\"security_exception\"}],\"type\":\"security_exception\"},\"status\":401}"}
github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.(*Bootstrap).Run
/tmp/flowcoll/pkg/outputs/elasticsearch/bootstrap.go:147
github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.NewCreateInstanceFunc.func1
/tmp/flowcoll/pkg/outputs/elasticsearch/instance_registration.go:155
github.com/elastiflow/flowcoll/pkg/instantiator.(*Instantiator).Run
/tmp/flowcoll/pkg/instantiator/instantiator.go:79
PROBLEM
The collector's Elasticsearch output is unable to authenticate with the Elasticsearch host(s) specified in EF_OUTPUT_ELASTICSEARCH_ADDRESSES.
SOLUTION
Ensure that EF_OUTPUT_ELASTICSEARCH_USERNAME or EF_OUTPUT_ELASTICSEARCH_PASSWORD has been entered correctly. Providing the correct username and password will correct this error. You can test the username and password manually using curl. For example:
curl -XGET https://127.0.0.1:9200/_cat/indices -u username:password --insecure