Logstash-oss-with-opensearch-output-plugin failing to connect, 401 response

I am trying to connect my Kubernetes Logstash with OpenSearch using the OSS plugin. I used to be able to connect before enabling fine-grained control on OpenSearch. Now I just get 401 responses. When I curl to OpenSearch from the pod, I am receiving a good response from OpenSearch, so I have to believe my config must be incorrect in my pipeline. Here is how I have things set up:

output {
  opensearch {
    hosts => ["host:443"]
    index => "index_%{+YYYYMMdd}_v3"
    user => 'user'
    password => 'password'
  }
}

It sounds like an authentication issue, but I’m not sure. @pablo @scrawfor would you have ideas to help @cgcats? Thanks.

@kris I’ll take it. Can you move it to the Security category?

@cgcats Your output is missing certificate configuration.

Try testing with the below first:

output {
  opensearch {
    hosts => ["host:443"]
    index => "index_%{+YYYYMMdd}_v3"
    user => 'user'
    password => 'password'
    ssl => true
    ssl_certificate_verification => false
    action => "create"
  }
}

If you’d like to secure the connection fully then add the following:

      ssl_certificate_verification => true
      cacert => "/usr/share/logstash/config/root-ca.pem"

Thanks so much for the help, I ended up resolving my issue. I think this is a pretty uncommon issue, but in case anyone else runs into it: I had previously tried to use an IRSA role to authenticate with the logstash.rbac values. This ended up not working, so I deleted the values, but the values didn’t end up getting repopulated with the default ones and instead kept my custom service role. I had to manually set them to default, and then for good measure I deleted the service account as well. This got the 401s to go away.
