# Elasticsearch Authentication Failure The collector’s log indicates `failed to bootstrap elasticsearch` and `unable to authenticate user [] for REST request` ### SYMPTOM The collector's log indicates a message similar to the following: ```log 2023-09-23T18:05:19.604Z error bootstrapper[elasticsearch] elasticsearch/bootstrap.go:147 failed to bootstrap elasticsearch. retrying... {"code": "elasticsearch/bootstrap-failure", "reason": "error while creating default ilm policy - GET ilm policy error for ilm policy 'elastiflow'- status code 401 not expected - {\"error\":{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"root_cause\":[{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"type\":\"security_exception\"}],\"type\":\"security_exception\"},\"status\":401}"} github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.(*Bootstrap).Run /tmp/flowcoll/pkg/outputs/elasticsearch/bootstrap.go:147 github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.NewCreateInstanceFunc.func1 /tmp/flowcoll/pkg/outputs/elasticsearch/instance_registration.go:155 github.com/elastiflow/flowcoll/pkg/instantiator.(*Instantiator).Run /tmp/flowcoll/pkg/instantiator/instantiator.go:79 ``` ### PROBLEM The collector's Elasticsearch output is unable to authenticate with the Elasticsearch host(s) specified in `EF_OUTPUT_ELASTICSEARCH_ADDRESSES`. ### SOLUTION Ensure that `EF_OUTPUT_ELASTICSEARCH_USERNAME` or `EF_OUTPUT_ELASTICSEARCH_PASSWORD` has been entered correctly. Providing the correct username and password will correct this error. You can test the username and password manually using `curl`. For example: ```shell curl -XGET https://127.0.0.1:9200/_cat/indices -u username:password --insecure ``` ### REFERENCE * [EF\_OUTPUT\_ELASTICSEARCH\_USERNAME](https://github.com/elastiflow/documentation/blob/main/docs/config_ref/common/output_elasticsearch/README.md#ef_output_elasticsearch_username) * [EF\_OUTPUT\_ELASTICSEARCH\_PASSWORD](https://github.com/elastiflow/documentation/blob/main/docs/config_ref/common/output_elasticsearch/README.md#ef_output_elasticsearch_password) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.elastiflow.com/additional-resources-reference-articles/faq/elasticsearch_auth_fail.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.