Auditbeat is not connecting to Elasticsearch

Hi to all, I am configuring Auditbeat on some servers. I could configure one server correctly and I can see info in Kibana, but when I configure the other servers I get the same error message.

auditbeat: 2020-01-21T10:50:58.845-0300#011INFO#011template/load.go:88#011Template auditbeat-7.4.0 already exists and will not be overwritten.

The entire log sequence is this:

Jan 21 10:50:10 server_test1 auditbeat: 2020-01-21T10:50:10.270-0300#011INFO#011[index-management]#011idxmgmt/std.go:289#011Loaded index template.
Jan 21 10:50:38 server_test1 auditbeat: 2020-01-21T10:50:38.725-0300#011INFO#011[monitoring]#011log/log.go:145#011Non-zero metrics in the last 30s#011{"monitoring": {"metrics": {"auditd":{"received_msgs":1116},"beat":{"cpu":{"system":{"ticks":6660,"time":{"ms":341}},"total":{"ticks":29860,"time":{"ms":1602},"value":29860},"user":{"ticks":23200,"time":{"ms":1261}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":115},"info":{"ephemeral_id":"a2920d1c-325b-414d-b9cf-62b7f2d8fb0f","uptime":{"ms":452920}},"memstats":{"gc_next":97531600,"memory_alloc":79333552,"memory_total":715694776,"rss":8192},"runtime":{"goroutines":49}},"libbeat":{"config":{"module":{"running":0}},"output":{"read":{"bytes":1990},"write":{"bytes":924}},"pipeline":{"clients":3,"events":{"active":4119,"retry":32}}},"system":{"load":{"1":0.14,"15":0.22,"5":0.29,"norm":{"1":0.035,"15":0.055,"5":0.0725}}}}}}
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.812-0300#011ERROR#011pipeline/output.go:100#011Failed to connect to backoff(elasticsearch(http://10.24.35.50:9200)): Connection marked as failed because the onConnect callback failed: resource 'auditbeat-7.4.0' exists, but it is not an alias
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.813-0300#011INFO#011pipeline/output.go:93#011Attempting to reconnect to backoff(elasticsearch(http://10.24.35.50:9200)) with 14 reconnect attempt(s)
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.813-0300#011INFO#011[publisher]#011pipeline/retry.go:189#011retryer: send unwait-signal to consumer
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.813-0300#011INFO#011[publisher]#011pipeline/retry.go:191#011 done
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.813-0300#011INFO#011[publisher]#011pipeline/retry.go:166#011retryer: send wait signal to consumer
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.813-0300#011INFO#011[publisher]#011pipeline/retry.go:168#011 done
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.814-0300#011INFO#011elasticsearch/client.go:743#011Attempting to connect to Elasticsearch version 7.4.0
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.842-0300#011INFO#011[index-management]#011idxmgmt/std.go:252#011Auto ILM enable success.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management.ilm]#011ilm/std.go:134#011do not generate ilm policy: exists=true, overwrite=false
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management]#011idxmgmt/std.go:265#011ILM policy successfully loaded.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management]#011idxmgmt/std.go:394#011Set setup.template.name to '{auditbeat-7.4.0 {now/d}-000001}' as ILM is enabled.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management]#011idxmgmt/std.go:399#011Set setup.template.pattern to 'auditbeat-7.4.0-*' as ILM is enabled.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management]#011idxmgmt/std.go:433#011Set settings.index.lifecycle.rollover_alias in template to {auditbeat-7.4.0 {now/d}-000001} as ILM is enabled.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.843-0300#011INFO#011[index-management]#011idxmgmt/std.go:437#011Set settings.index.lifecycle.name in template to {auditbeat-7.4.0 {"policy":{"phases":{"hot":{"actions":{"rollover":{"max_age":"30d","max_size":"50gb"}}}}}}} as ILM is enabled.
Jan 21 10:50:58 server_test1 auditbeat: 2020-01-21T10:50:58.845-0300#011INFO#011template/load.go:88#011Template auditbeat-7.4.0 already exists and will not be overwritten.

Please can you help me understand why this happened?

Regards

Hi @Adrian_Martinez_Doca,

Auditbeat writes by default to auditbeat-<version>, which should be an alias pointing to some specific index managed by ILM. If it is not an alias, Auditbeat detects it and avoids writing there, because it can be an index without a mapping, which can produce further problems.

This can happen, for example, if the alias auditbeat-7.4.0 has been removed by mistake while some Auditbeat is running; in that case, when Elasticsearch receives an event, it will create an empty index with this name to store it.

To solve it, stop all Auditbeat instances, remove or rename the auditbeat-7.4.0 index, and start Auditbeat again, which will reconfigure ILM.
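
A read-only check for the condition described in the answer above, added here as an example (it is not part of the original thread or of Elastic's code). It classifies the parsed body of `GET /auditbeat-7.4.0` as a plain index or an alias; the function names and the two sample responses are constructed for illustration, and the response shape assumed is the Elasticsearch 7.x one.

```python
import json
import urllib.request

def fetch_index_info(es_url, name):
    """GET <es_url>/<name>; raises urllib.error.HTTPError (404) if nothing has that name."""
    with urllib.request.urlopen(f"{es_url}/{name}", timeout=10) as resp:
        return json.load(resp)

def check_write_alias(name, info):
    """Classify `name` from the parsed body of GET /<name>.

    The body is keyed by concrete index name: an alias resolves to its
    backing indices, while a plain index comes back under its own name.
    """
    if name in info:
        # The name is a real index: the "exists, but it is not an alias" case.
        return {"kind": "index", "backing": [], "ok": False}
    backing = sorted(i for i, body in info.items() if name in body.get("aliases", {}))
    writers = [i for i in backing if info[i]["aliases"][name].get("is_write_index")]
    # Assumption: a healthy rollover alias has exactly one backing index
    # flagged as the write index.
    kind = "alias" if backing else "unknown"
    return {"kind": kind, "backing": backing, "ok": len(writers) == 1}

# Constructed sample: alias pointing at an ILM-managed backing index.
HEALTHY = {
    "auditbeat-7.4.0-2020.01.21-000001": {
        "aliases": {"auditbeat-7.4.0": {"is_write_index": True}},
        "mappings": {"properties": {"@timestamp": {"type": "date"}}},
        "settings": {},
    }
}
# Constructed sample: an auto-created index that took the alias's name.
BROKEN = {"auditbeat-7.4.0": {"aliases": {}, "mappings": {}, "settings": {}}}

if __name__ == "__main__":
    # Against a live cluster, pass fetch_index_info("<es_url>", name) instead.
    for label, info in (("healthy", HEALTHY), ("broken", BROKEN)):
        print(label, check_write_alias("auditbeat-7.4.0", info))
```

Running it before and after the cleanup confirms that the name went from `index` back to `alias` once Auditbeat was restarted.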

Thank you very much, your solution worked for me.
