Logstash 401 error connecting to opensearch

Versions

OpenSearch version 2.9.0
ES logstash version 8.9.2
logstash-output-opensearch plugin 2.0.2.

Describe the issue:

Unable to connect to OpenSearch, I always get status 401
Verified : User and pwd are correct.

Tried different servers (fresh install), same result.

Configuration:

output {
  opensearch {
    hosts => ["https://1.2.3.4:9200"]
    user => "admin"
    password => "somepassword"
    index => "logstash-logs-%{+YYYY.MM.dd}"
    ssl_certificate_verification => false
  }
}

**Relevant Logs**:
credentials are correct, verified with curl
curl https://1.2.3.4:9200 -u admin:somepassword -k
—> returns with data

Log from
[Ruby-0-Thread-9: /usr/share/logstash/vendor/bundle/jruby/2.6.0/gems/logstash-output-opensearch-2.0.2-java/lib/logstash/outputs/opensearch/http_client/pool.rb:217] opensearch - Attempted to resurrect connection to dead OpenSearch instance, but got an error {:url=>"https://admin:xxxxxx@1.2.3.4:9200/", :exception=>LogStash::Outputs::OpenSearch::HttpClient::Pool::BadResponseCodeError, :message=>"Got response code '401' contacting OpenSearch at URL 'https://1.2.3.4:9200/'"}

Any advice?

Hey @servando

two things I noticed

  1. you're using HTTPS
  2. you don't have a certificate configured in Logstash

Perhaps try this, correct your FQDN/IP address

output {
  opensearch {
    hosts => ["https://opensearch.domain.com:9200"]
    auth_type => {
      type => 'basic'
      user => 'admin'
      password => 'changeit'
    }
    ecs_compatibility => disabled
    ssl => true
    ssl_certificate_verification => false
    # Logstash needs access to your certificate
    cacert => "/opt/logstash-8.6.1/root-ca.pem"
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
}
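
Added example, not part of the original posts or the plugin's documentation: the same output with certificate verification turned on, so the `cacert` file is actually used to validate the node. A 401 is an HTTP response sent after the TLS handshake has completed, so it points at authentication rather than at certificate settings. The keystore key name `OPENSEARCH_PWD` is an assumption; the host and CA path are the values from the reply above.

```logstash
output {
  opensearch {
    # The hostname must match a name in the node certificate once verification is on.
    hosts => ["https://opensearch.domain.com:9200"]
    user => "admin"
    # Assumed keystore entry, created with: bin/logstash-keystore add OPENSEARCH_PWD
    # Keeps the password out of the pipeline file.
    password => "${OPENSEARCH_PWD}"
    ssl => true
    # Weak setting used in the thread: ssl_certificate_verification => false
    # With verification enabled, the server certificate is checked against cacert.
    ssl_certificate_verification => true
    cacert => "/opt/logstash-8.6.1/root-ca.pem"
    index => "logstash-logs-%{+YYYY.MM.dd}"
  }
}
```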

I made the changes suggested and I copied the root-ca.pem file from the opensearch node (even generated a new cert for the logstash node)
I still get the 401 error message

fresh install with the initial config and now it works.
Do not know why the other ones were failing.

Thank you @Gsmitt

No problem, glad it worked for ya :+1: