Auditbeat installation failed

error message: x509: certificate signed by unknown authority

[root@efk ~]# curl -f https://localhost:8220/api/status -k
{"name":"fleet-server","status":"HEALTHY"}[root@efk ~]#
[root@efk ~]#
[root@efk ~]#
[root@efk ~]# curl -u elastic https://localhost:9200 -u elastic -k
Enter host password for user 'elastic':
Enter host password for user 'elastic':
{
  "name" : "es01",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "edHT5to3SoKgtbhETY2atg",
  "version" : {
    "number" : "8.5.3",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
    "build_date" : "2022-12-05T18:22:22.226119656Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
[root@efk ~]# openssl x509 -fingerprint -sha256 -noout -in /data/es/certs/es01/es01.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A
[root@efk ~]#
[root@efk ~]# cat /etc/auditbeat/auditbeat.yml | grep ssl.ca
  ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"
[root@efk ~]#
[root@efk ~]# sudo auditbeat setup
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.3.2.5:9200: Get "https://10.3.2.5:9200": x509: certificate signed by unknown authority]
[root@efk ~]#
[root@efk ~]# cd /opt/
containerd/ Elastic/
[root@efk ~]# cd /opt/Elastic/
[root@efk Elastic]# ll
total 4
drwxr-x--- 5 root root 4096 Jan  5 09:05 Agent
[root@efk Elastic]# cd Agent/
[root@efk Agent]# ll
total 11308
drwxr-x--- 4 root root       63 Jan  4 13:26 data
lrwxrwxrwx 1 root root       39 Jan  4 13:26 elastic-agent -> data/elastic-agent-0e1a73/elastic-agent
-rw------- 1 root root 10485800 Jan  5 09:05 elastic-agent-20230104-1.ndjson
-rw------- 1 root root     5399 Jan  4 13:27 elastic-agent-20230104.ndjson
-rw------- 1 root root    92540 Jan  5 09:16 elastic-agent-20230105.ndjson
-rw-r----- 1 root root     9164 Jan  4 13:26 elastic-agent.reference.yml
-rw------- 1 root root     1947 Jan  4 13:26 elastic-agent.yml
-rw------- 1 root root     9127 Jan  4 13:26 elastic-agent.yml.2023-01-04T13-26-55.1298.bak
-rw------- 1 root root     1438 Jan  4 13:27 fleet.enc
-rw------- 1 root root        0 Jan  4 13:26 fleet.enc.lock
-rw-r----- 1 root root    13675 Jan  4 13:26 LICENSE.txt
-rw-r----- 1 root root   929850 Jan  4 13:26 NOTICE.txt
-rw-r----- 1 root root      861 Jan  4 13:26 README.md
drwxr-x--- 4 root root       41 Jan  4 13:26 tls
drwxr-x--- 2 root root       91 Jan  4 13:26 vault
[root@efk Agent]# ./elastic-agent diagnostics collect
Created diagnostics archive "elastic-agent-diagnostics-2023-01-05T03-58-48Z-00.zip"
***** WARNING *****
Created archive may contain plain text credentials.
Ensure that files in archive are redacted before sharing.
*******************
[root@efk Agent]# ll
total 11852
drwxr-x--- 4 root root       63 Jan  4 13:26 data
lrwxrwxrwx 1 root root       39 Jan  4 13:26 elastic-agent -> data/elastic-agent-0e1a73/elastic-agent
-rw------- 1 root root 10485800 Jan  5 09:05 elastic-agent-20230104-1.ndjson
-rw------- 1 root root     5399 Jan  4 13:27 elastic-agent-20230104.ndjson
-rw------- 1 root root    92540 Jan  5 09:16 elastic-agent-20230105.ndjson
-rw-r--r-- 1 root root   554629 Jan  5 11:58 elastic-agent-diagnostics-2023-01-05T03-58-48Z-00.zip
-rw-r----- 1 root root     9164 Jan  4 13:26 elastic-agent.reference.yml
-rw------- 1 root root     1947 Jan  4 13:26 elastic-agent.yml
-rw------- 1 root root     9127 Jan  4 13:26 elastic-agent.yml.2023-01-04T13-26-55.1298.bak
-rw------- 1 root root     1438 Jan  4 13:27 fleet.enc
-rw------- 1 root root        0 Jan  4 13:26 fleet.enc.lock
-rw-r----- 1 root root    13675 Jan  4 13:26 LICENSE.txt
-rw-r----- 1 root root   929850 Jan  4 13:26 NOTICE.txt
-rw-r----- 1 root root      861 Jan  4 13:26 README.md
drwxr-x--- 4 root root       41 Jan  4 13:26 tls
drwxr-x--- 2 root root       91 Jan  4 13:26 vault

Perhaps this....

Hello, I have read it carefully, but it did not solve my problem. I checked everything I could; I don't know what's wrong.

[root@efk Agent]#  ./elastic-agent status
Status: HEALTHY
Message: (no message)
Applications:
  * fleet-server           (HEALTHY)
                           Running on policy with Fleet Server integration: d533ea20-8bee-11ed-9eeb-d1f71829fdc7
  * filebeat_monitoring    (HEALTHY)
                           Running
  * metricbeat_monitoring  (HEALTHY)
                           Running
  * metricbeat             (HEALTHY)
                           Running

[root@efk Agent]# cat /etc/auditbeat/auditbeat.yml | grep -B15 ssl.ca

# ---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["10.3.2.5:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "auditbeat-to-es:OG5TUWY0VUJISDJncG1ZMTJnYi06SEJDeklOdi1TMUc2a0Y3b28xYktNZw=="
  username: "elastic"
  password: "elastic@123"

  # If using Elasticsearch's default certificate
  ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"
[root@efk Agent]#
[root@efk Agent]# sudo auditbeat setup
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.3.2.5:9200: Get "https://10.3.2.5:9200": x509: certificate signed by unknown authority]
[root@efk Agent]#
Auditbeat and Elastic Agent are two different components; which one are you referring to?

Did you install Auditbeat separately?

Can you share your entire auditbeat.yml?

Maybe I didn't express myself clearly: what I want to solve is the problem with the Auditbeat installation.

[root@efk Agent]# cat /etc/auditbeat/auditbeat.yml | egrep -v '^#|^$|^  #|^    #'
auditbeat.modules:
- module: auditd
  audit_rule_files: [ '${path.config}/audit.rules.d/*.conf' ]
  audit_rules: |
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
- module: system
  datasets:
    - package # Installed, updated, and removed packages
  period: 2m # The frequency at which the datasets check for changes
- module: system
  datasets:
    - host    # General host information, e.g. uptime, IPs
    - login   # User logins, logouts, and system boots.
    - process # Started and stopped processes
    - socket  # Opened and closed sockets
    - user    # User information
  state.period: 12h
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "10.3.2.5:5601"
output.elasticsearch:
  hosts: ["10.3.2.5:9200"]
  protocol: "https"
  username: "elastic"
  password: "elastic@123"

  ssl.ca_trusted_fingerprint: "2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A"

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

Try this just to see if it connects ... if it does then your trusted fingerprint is not valid ... perhaps check the docs here

openssl x509 -fingerprint -sha256 -noout -in ./ca.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'

Also to help debug from the auditbeat server

curl -u elastic https://localhost:9200 -k -v

The -v will show what is expected from a certificate perspective.

[root@efk tls]# openssl x509 -fingerprint -sha256 -noout -in /data/es/certs/es01/es01.crt | awk --field-separator="=" '{print $2}' | sed 's/://g'
2EF04A75EFC782E6B9022539F9F314FE58DE3F3F76A59CA5F06E617E6C73BE5A
[root@efk tls]#
[root@efk tls]# curl -u elastic https://localhost:9200 -u elastic -k -v
Enter host password for user 'elastic':
Enter host password for user 'elastic':
* About to connect() to localhost port 9200 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 9200 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
*       subject: CN=es01
*       start date: Dec 30 04:42:54 2022 GMT
*       expire date: Dec 29 04:42:54 2025 GMT
*       common name: es01
*       issuer: CN=Elastic Certificate Tool Autogenerated CA
* Server auth using Basic with user 'elastic'
> GET / HTTP/1.1
> Authorization: Basic ZWxhc3RpYzplbGFzdGljQDEyMw==
> User-Agent: curl/7.29.0
> Host: localhost:9200
> Accept: */*
>
< HTTP/1.1 200 OK
< X-elastic-product: Elasticsearch
< content-type: application/json
< content-length: 531
<
{
  "name" : "es01",
  "cluster_name" : "docker-cluster",
  "cluster_uuid" : "edHT5to3SoKgtbhETY2atg",
  "version" : {
    "number" : "8.5.3",
    "build_flavor" : "default",
    "build_type" : "docker",
    "build_hash" : "4ed5ee9afac63de92ec98f404ccbed7d3ba9584e",
    "build_date" : "2022-12-05T18:22:22.226119656Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
* Connection #0 to host localhost left intact

This is a cert issue:

Did you try auditbeat with these settings?

Note the subject name for the cert is

* subject: CN=es01

You are trying to connect with

hosts: ["10.3.2.5:9200"]

The cert subject name and the host / IP you are connecting to do not match, and so the certificate validation will fail, every time.

I suspect this is because the certs were created inside docker with only the subject name * subject: CN=es01, so the certificate validation will not work against any other subject name.

If you want to use other IPs / DNS subject names, and assuming you used the default docker-compose, you would need to add the IP address or a valid DNS name here:

          "instances:\n"\
          "  - name: es01\n"\
          "    dns:\n"\
          "      - es01\n"\
          "      - localhost\n"\
          "    ip:\n"\
          "      - 127.0.0.1\n"\

Also, if you want to do this, you will need to remove the certs that have already been generated, as the startup script will not regenerate them once they exist.
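The subject/SAN mismatch described in this answer, and the fingerprint pipeline used earlier in the thread, as an added Go example (not code from the thread or from Elastic): it issues a throwaway CA and a CN=es01 leaf with the constructed SANs es01, localhost and 127.0.0.1, then runs the same two checks a Beats TLS client performs against the address in output.elasticsearch.hosts, chain to the trusted CA and name match. Note that ssl.ca_trusted_fingerprint takes the fingerprint of the CA certificate (the ./ca.crt in the pipeline above), not of es01.crt. The CA name, serial numbers and validity period are assumptions.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// Fingerprint: SHA-256 of the DER certificate as upper-case hex without colons, the openssl pipeline's form.
func Fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%X", sha256.Sum256(c.Raw)) }
// issue signs tmpl with signer (self-signed when parent == tmpl) and returns it parsed.
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c
}
// IssueTestPKI builds a throwaway CA plus a CN=es01 leaf it signs; the leaf SANs are the constructed
// defaults es01, localhost, 127.0.0.1 (as in the docker-compose instances block) plus any extra IPs given.
func IssueTestPKI(extraIPs ...net.IP) (ca, leaf *x509.Certificate) {
	now, exp := time.Now(), time.Now().Add(24*time.Hour)
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: exp, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Test Autogenerated CA"}}
	ca = issue(caTmpl, caTmpl, caPub, caKey)
	leaf = issue(&x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: "es01"}, DNSNames: []string{"es01", "localhost"},
		IPAddresses: append([]net.IP{net.ParseIP("127.0.0.1")}, extraIPs...)}, ca, leafPub, caKey)
	return ca, leaf
}
// VerifyFor reports whether leaf chains to ca AND is valid for host (DNS name or IP): the two checks
// a Beat's TLS client applies to the address configured in output.elasticsearch.hosts.
func VerifyFor(ca, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
func main() {
	ca, leaf := IssueTestPKI() // 10.3.2.5 deliberately absent from the SANs, as in the thread
	fmt.Println("ssl.ca_trusted_fingerprint (CA cert, not the leaf):", Fingerprint(ca))
	fmt.Println("es01:", VerifyFor(ca, leaf, "es01"), "| 10.3.2.5:", VerifyFor(ca, leaf, "10.3.2.5"))
}
```

Passing net.ParseIP("10.3.2.5") to IssueTestPKI reissues the leaf with that IP SAN, which is what adding the address to the instances block and regenerating the certs achieves.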
