Trying to test auditbeat connectivity to elastic; connectivity seems fine, only the service is unavailable.
Wondering where I could possibly see the RC. Tried ingesting nodes' elasticsearch + audit logs, beat log, but nothing seems logged regarding this, and tcp/ssldump is no good as I'm using https.
Appreciate any hints, TIA!
# /usr/share/auditbeat/bin/auditbeat test output -c /etc/auditbeat/auditbeat.yml
elasticsearch: https://<redacted>...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: <redacted>
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR Get https://<redacted>: Service Unavailable
Wondering if it would be an auditing issue... though I'm confident I'm using proper credentials, but maybe I should turn on auditing event logging, as I read from the doc:
xpack.security.audit.enabled
Set to true to enable auditing on the node. The default value is false. This puts the auditing events in a dedicated file named <clustername>_audit.json on each node.
Increased beat's log level from warning to debug and just get this:
2020-02-28T11:07:42.651+0100 DEBUG [keystore] keystore/keystore.go:125 accessing key 'INGEST_PROTOCOL' from the keystore
2020-02-28T11:07:42.651+0100 DEBUG [keystore] keystore/keystore.go:125 accessing key 'INGEST_USER' from the keystore
2020-02-28T11:07:42.651+0100 DEBUG [keystore] keystore/keystore.go:125 accessing key 'INGEST_PWD' from the keystore
2020-02-28T11:07:42.652+0100 DEBUG [keystore] keystore/keystore.go:125 accessing key 'INGEST_URL' from the keystore
2020-02-28T11:07:42.652+0100 INFO elasticsearch/client.go:174 Elasticsearch url: https://<redacted>
elasticsearch: https://<redacted>...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 62.243.41.249
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
2020-02-28T11:07:55.188+0100 DEBUG [elasticsearch] elasticsearch/client.go:733 ES Ping(url=https://<redacted>)
2020-02-28T11:07:55.196+0100 DEBUG [elasticsearch] elasticsearch/client.go:737 Ping request failed with: Get https://<redacted>: Service Unavailable
talk to server... ERROR Get https://<redacted>: Service Unavailable
'Service unavailable', wouldn't that possibly imply some kind of permission issue on the elastic side, and if so, how to get details logged somehow?
I'm puzzled by this; the user I attempted with has a role which has create_index, index, write on auditbeat-*, the same role which works for another user working for Windows auditbeats.
Thanks, already tried ingesting nodes' elasticsearch + audit logs, but nothing in these, wondering if I should enable auditing logs as I think it might be a permission issue for the user...
Same beat versions 7.6.0 and same output config except with different credentials (as I have forgotten the password used in the Windows keystores).
Keystores don't seem compatible among Wintel/Lintel clients, so I created another user with the same roles as the working Wintel clients' user and entered this in a Lintel keystore. If I hardwire known wrong credentials in the yml's output section, I get the same error, so I think it's some kind of authentication error from Elastic.
Also tried with known 'Super User' credentials hardwired into output, but it gives the same error with Service Unavailable.
Found the Wintel credential, but even that isn't working on my Lintel client.
If I enter a bad password in Wintel I get this error:
talk to server... ERROR 401 Unauthorized:
But not on my Lintel, hm, wondering why. Netstat shows an established tcp socket to the expected destination, as also indicated by test output, so what may hinder the 'ping' test to fail with 'Service Unavailable' if it's not an authentication failure...
This 401 error is what I would expect if the problem were in the credentials used. Service Unavailable looks like a network or server-side problem, in Elasticsearch, or in Haproxy.
Would it be possible to try to do the output test directly from auditbeat to Elasticsearch? So we can discard some problem with the connectivity through haproxy.
No no, if I actually just start the Auditbeat service on my Lintel box then it actually ships data just fine to Elastic through HAproxy like my Wintel clients do, even though 'test output' says 'Service Unavailable', very weird. What does the test output ping actually do compared to sending data that might be different?