Hi there,

I noticed that Shield, the authentication plugin for Elasticsearch, is rejecting bulk requests from the rsyslog agent with an "authentication_failed" error, but the data actually gets indexed within dozens of milliseconds after the error is logged. The Elasticsearch admin's uid and pwd are configured properly in the omelasticsearch action and bulkmode is set to "on".

Does omelasticsearch try to post without using user/password first and, in case of a rejection such as "authentication_failed", immediately retry using the credentials? Or maybe it tries to hit /_bulk first and, if rejected, sends the logs individually?

So, here is the rejected request as shown in Shield:

  @timestamp    June 15th 2016, 16:54:33.322
  _id           AVVWRfbGgqqvLCvpH4ND
  event_type    authentication_failed
  principal     log-admin
  request_body  ..."trace_token": "a7e7a79b-693e-4dfe-8523-baa9f54816fd"...
  uri           /_bulk

And here is the data that was written immediately after the rejection:

  @timestamp    June 15th 2016, 16:54:33.327
  _id           AVVWRfVqgqqvLCvpH4M3
  trace_token   a7e7a79b-693e-4dfe-8523-baa9f54816fd

Note that the trace_token in the successful request was parsed out of the request body and matches exactly the trace_token in the rejected request. This indicates that both requests are trying to write the same log message, identified by the trace_token value. The rejected request tried to hit the /_bulk URI 5 millis before the successful request managed to write the log message.

Thoughts?

Thanks,
Alec
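The correlation Alec did by hand (matching the trace_token in a rejected /_bulk audit event against the document indexed a few milliseconds later) can be automated to check whether every authentication_failed is followed by a successful write of the same message, or whether some messages were really dropped. This is an added example, not code from the post, rsyslog or Shield; the field names follow the two entries quoted above and the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records modelled on the two entries quoted in the post:
# a Shield audit event for a rejected /_bulk request and the document that
# was indexed 5 ms later. The request_body content is made up.
AUDIT_EVENTS = [
    {"@timestamp": "2016-06-15T16:54:33.322", "_id": "AVVWRfbGgqqvLCvpH4ND",
     "event_type": "authentication_failed", "principal": "log-admin", "uri": "/_bulk",
     "request_body": '{"index":{}}\n{"msg":"x",'
                     '"trace_token":"a7e7a79b-693e-4dfe-8523-baa9f54816fd"}\n'},
]
INDEXED_DOCS = [
    {"@timestamp": "2016-06-15T16:54:33.327", "_id": "AVVWRfVqgqqvLCvpH4M3",
     "trace_token": "a7e7a79b-693e-4dfe-8523-baa9f54816fd"},
]

# A bulk body is newline-delimited JSON; pull every trace_token out of it.
TOKEN_RE = re.compile(r'"trace_token"\s*:\s*"([0-9a-f-]{36})"')


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f")


def tokens_in_body(body):
    """Return the set of trace_token values found in a (multi-line) bulk body."""
    return set(TOKEN_RE.findall(body))


def correlate(audit_events, indexed_docs, window_ms=1000):
    """For each authentication_failed audit event, find indexed documents that
    carry a trace_token from its request body and were written within
    window_ms after the rejection. Returns (event_id, doc_id, delta_ms) tuples;
    a rejected token with no match inside the window is a candidate for real loss."""
    by_token = {}
    for doc in indexed_docs:
        by_token.setdefault(doc["trace_token"], []).append(doc)
    matches = []
    for ev in audit_events:
        if ev.get("event_type") != "authentication_failed":
            continue
        rejected_at = parse_ts(ev["@timestamp"])
        for tok in sorted(tokens_in_body(ev.get("request_body", ""))):
            for doc in by_token.get(tok, []):
                # Integer millisecond delta between the rejection and the write.
                delta_ms = (parse_ts(doc["@timestamp"]) - rejected_at) // timedelta(milliseconds=1)
                if 0 <= delta_ms <= window_ms:
                    matches.append((ev["_id"], doc["_id"], delta_ms))
    return matches
```

Run over a day of exported audit events and indexed documents, an empty result for a given rejected token means the message was never written, which is the case that matters.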

