No log with elasticsearch and x-pack security enabled

orchestrator
elasticsearch
issue
logging

#1

Hi

Since the Orchestrator installation, no logs are created in Elasticsearch despite the web.config being set up with X-Pack authentication (no ‘default-*’ index), and there are also no events in the Windows Event Viewer.

<target name="robotElasticBuffer" xsi:type="BufferingWrapper" flushTimeout="5000">
  <target xsi:type="ElasticSearch" name="robotElastic" requireAuth="true" username="elastic" password="" index="${event-properties:item=indexName}-${date:format=yyyy.MM}" documentType="logEvent" includeAllProperties="true" layout="${message}" excludedProperties="agentSessionId,tenantId,indexName" uri=":9200" />
</target>

Orchestrator 2018.1

Elastic is up and running: _cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .kibana cBSx-QSrQfyC_KqD04Forg 1 1 1 0 7.7kb 3.8kb
green open .security UFth26cVRSaiSMqrCOcq3A 1 1 5 0 37.1kb 18.5kb


#2

Hi @jbeaumont,

I assume that you properly installed X-Pack following the Elastic instructions (when you try to access data, you should be prompted for credentials).

Username and password for elastic are case sensitive (already faced the issue).

Regarding the web.config, you can try to revert your changes to the web.config and remove/install again Orchestrator UiPlateform.msi on the Orchestrator, keeping the existing database and entering the Elasticsearch authentication details using the wizard (handled since the 2018 version). Note that there is no validation made by the wizard on the correctness of the creds supplied.

Cheers


#3

Thx Florent

As there is also no event in the Windows Event Viewer under Application/Orchestrator, is it really an issue with Elasticsearch?

I think we must have an event from Orchestrator to tell about an issue with the Elastic credentials.

Have you got any suggestion to check that NLog is alive?

The uipath platform is on live production now so I cannot plan to restart an installation

Regards

Jérôme


#4

I’m not sure about the Windows logs, to be honest.
Could you confirm that when you put ESURL/default-*/_search in your browser, you are prompted for username and password?

If you are not, it means X-Pack is not set up properly.
Ideally, you should test the previous step from the Orchestrator if you can. Maybe there is a port issue.

The issue you describe seems to be what occurs when Orchestrator cannot send logs to ES, either due to wrong credentials or because you supply credentials when they would not be expected.

Cheers


#5

Newbie here.

Is the same index pattern supposed to work in Kibana as well, as instructed in the image below? * gets all the logs, but for default* I get “No Results found”.


#6

It usually does work, since the pattern should be default-MM, implying that you are using the default tenant.
What do you get when you use the command above (from Elasticsearch)? It should give you the list of available indices autogenerated by the Orchestrator.

Cheers


#7

Thanks for the inputs! Was able to figure out the problem.

FYI… I get this as one of the indices: default-2018.03


#8

Any idea how efficient the Machine Learning feature in X-Pack is? It looks like it is available only in the Platinum version.


#9

Hi Florent

I will try with another open-source plugin, readonlyrest, and I will change the URI field in web.config, adding http:// before server name:port, on our production platform.

I already tried that on our development platform and it was OK with this new setup (bot’s events sent successfully to ES and Orchestrator events sent successfully to the Windows event manager).

It is strange to have no log in the Windows event manager if Orchestrator is unable to log bot’s events in ES.


#10

Hi

Finally it works with a correct URL in web.config. It must begin with http://.

And it also works with readonlyrest plugin which is open-source (whereas x-pack is under license)

Thx
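
The root cause found in this thread (a `uri` without a scheme) and the credential checks discussed in #2 and #4 can be caught before deployment by linting the NLog section. The following is an added example, not code from the thread or from UiPath; the host name `es.example.local`, the `PLACEHOLDER` password and the finding names are constructed, and accepting `https://` and flagging basic auth over plain `http://` go beyond what the posters state.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

# Constructed sample in the shape of the target posted in #1 (index and layout
# attributes omitted); host name and password are placeholders.
SAMPLE = """<nlog xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <target name="robotElasticBuffer" xsi:type="BufferingWrapper" flushTimeout="5000">
    <target xsi:type="ElasticSearch" name="robotElastic" requireAuth="true"
            username="elastic" password="PLACEHOLDER" uri="{uri}" />
  </target>
</nlog>"""


def lint_elastic_targets(config_xml):
    """Return (target name, finding) pairs for every ElasticSearch NLog target."""
    findings = []
    for el in ET.fromstring(config_xml).iter():
        # Skip wrappers such as BufferingWrapper; only inspect the ES target itself.
        if not el.tag.endswith("target") or el.get(XSI_TYPE) != "ElasticSearch":
            continue
        name = el.get("name", "?")
        uri = el.get("uri", "")
        # "server:9200" has no scheme; only trust urlsplit when "://" is present.
        scheme = urlsplit(uri).scheme.lower() if "://" in uri else ""
        if scheme not in ("http", "https"):
            findings.append((name, "uri-missing-scheme"))
        auth = el.get("requireAuth", "false").lower() == "true"
        if auth and not (el.get("username") and el.get("password")):
            findings.append((name, "auth-without-credentials"))
        # HTTP basic auth over plain http exposes the credentials on the wire.
        if auth and scheme == "http":
            findings.append((name, "basic-auth-over-cleartext-http"))
    return findings


if __name__ == "__main__":
    for uri in ("es.example.local:9200",
                "http://es.example.local:9200",
                "https://es.example.local:9200"):
        print(uri, lint_elastic_targets(SAMPLE.format(uri=uri)))
```
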