Skip to main content
Version: 7.5

Elasticsearch Authentication Failure

The collector’s log indicates failed to bootstrap elasticsearch and unable to authenticate user [<username>] for REST request

SYMPTOM

The collector's log indicates a message similar to the following:

2023-09-23T18:05:19.604Z        error   bootstrapper[elasticsearch]     elasticsearch/bootstrap.go:147  failed to bootstrap elasticsearch. retrying...  {"code": "elasticsearch/bootstrap-failure", "reason": "error while creating default ilm policy - GET ilm policy error for ilm policy 'elastiflow'- status code 401 not expected - {\"error\":{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"root_cause\":[{\"header\":{\"WWW-Authenticate\":[\"Basic realm=\\\"security\\\" charset=\\\"UTF-8\\\"\",\"Bearer realm=\\\"security\\\"\",\"ApiKey\"]},\"reason\":\"unable to authenticate user [xxxxZZelastic] for REST request [/_ilm/policy/elastiflow]\",\"type\":\"security_exception\"}],\"type\":\"security_exception\"},\"status\":401}"}
github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.(*Bootstrap).Run
/tmp/flowcoll/pkg/outputs/elasticsearch/bootstrap.go:147
github.com/elastiflow/flowcoll/pkg/outputs/elasticsearch.NewCreateInstanceFunc.func1
/tmp/flowcoll/pkg/outputs/elasticsearch/instance_registration.go:155
github.com/elastiflow/flowcoll/pkg/instantiator.(*Instantiator).Run
/tmp/flowcoll/pkg/instantiator/instantiator.go:79

PROBLEM

The collector's Elasticsearch output is unable to authenticate with the Elasticsearch host(s) specified in EF_OUTPUT_ELASTICSEARCH_ADDRESSES.

SOLUTION

Ensure that EF_OUTPUT_ELASTICSEARCH_USERNAME or EF_OUTPUT_ELASTICSEARCH_PASSWORD has been entered correctly. Providing the correct username and password will correct this error. You can test the username and password manually using curl. For example:

curl -XGET https://127.0.0.1:9200/_cat/indices -u username:password --insecure

REFERENCE