Cannot set up beat templates on elasticsearch nodes

security

(Li Cui) #1

Hello there,

I need to set up the index templates on metricbeat (actually all beats, metricbeat is the first one).

I got the following:

[root@beatshost user1]# /usr/share/metricbeat/bin/metricbeat setup --template --c '/etc/metricbeat/metricbeat.yml' -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["https://elasticnode01:9200"]'
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://elasticnode01.hls.dxc.com:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Bearer realm="security""]}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Bearer realm="security""]}},"status":401}]
[root@beatshost user1]# curl -XGET -u elastic:changeme https://elasticnode01.hls.dxc.com:9200
{
"name" : "elasticnode01",
"cluster_name" : "myELK",
"cluster_uuid" : "EXvnfefiQN6vU24CkmTJNw",
"version" : {
"number" : "6.4.2",
"build_flavor" : "default",
"build_type" : "rpm",
"build_hash" : "04711c2",
"build_date" : "2018-09-26T13:34:09.098244Z",
"build_snapshot" : false,
"lucene_version" : "7.4.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
"tagline" : "You Know, for Search"
}
[root@beatshost user1]# /usr/share/metricbeat/bin/metricbeat setup --template --c '/etc/metricbeat/metricbeat.yml' -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["https://elasticnode01:9200"]'
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://elasticnode01:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Bearer realm="security""]}}],"type":"security_exception","reason":"missing authentication token for REST request [/]","header":{"WWW-Authenticate":["Basic realm="security" charset="UTF-8"","Bearer realm="security""]}},"status":401}]

Tried to use the IP address instead of the hostname...
[root@beatsnode user1]# /usr/share/metricbeat/bin/metricbeat setup --template --c '/etc/metricbeat/metricbeat.yml' -E output.logstash.enabled=false -E 'output.elasticsearch.hosts=["https://elasticnode1-IP:9200"]'
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://elasticnode1-IP:9200: Get https://elasticnode1-IP:9200: dial tcp elasticnode1-IP:9200: connect: connection refused]

Here is the metricbeat.yml:
/////////////
...
setup.kibana:
  host: "https://kibanahost:5601"
  username: elastic
  password: changeme
...
output.logstash:
  hosts: ["logstashnodehost:5044"]
  ssl.certificate_authorities: ["/opt/keys/my_g2.crt","/opt/keys/my_rootca1.crt"]
  ssl.certificate: "/opt/keys/SvrCertificate.crt"
  ssl.key: "/opt/keys/xxx-201710-yyy-key.pem"

/////////////////////////

This is the beat pipeline config file on Logstash:

input {
  beats {
    port => 5044
    client_inactivity_timeout => 120
    ssl => true
    ssl_certificate_authorities => ["/opt/keys/my_g2.crt","/opt/keys/my_rootca1.crt"]
    ssl_certificate => "/opt/keys/SvrCertificate.crt"
    ssl_key => "/opt/keys/xxx-201710-yyy-pkcs8.pem"
    ssl_verify_mode => "peer"
    #ssl => false
  }
}

output {
  elasticsearch {
    user => "logstash_ingest"
    password => "mypass"
    ssl => true
    ssl_certificate_verification => true
    cacert => "/opt/keys/myBundle2.crt"
    action => "index"
    hosts => ["elasticserchnode1"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

============================

All beats work fine and they are sending data to Elasticsearch via logstash. We have x-pack installed and SSL enabled on all beats servers and ELK nodes.

After the upgrade from 6.3.2 to 6.4.2, some errors occurred on indexes and we were advised to set up the index templates again... and now, when trying to set up index templates (metricbeat is the first), we hit this error and cannot move forward...

I tried to set up index templates on packetbeat, same error.
Not sure what we should do to overcome this...

Please help..

Thanks

Li


(Tim Vernum) #2

This is really a beats question, so I moved your post there.

This error message explains the problem:

Couldn't connect to any of the configured Elasticsearch hosts.
Errors: [
  Error connection to Elasticsearch https://elasticnode01:9200: 
  401 Unauthorized: {"error":{
   "root_cause":[{"type":"security_exception",
     "reason":"missing authentication token for REST request [/]",

Your elasticsearch cluster has security enabled and you haven't configured metricbeat with a username and password.

See:
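
Added example (not part of the original replies, and not Elastic's own code): a small triage helper that tells the two failures in this thread apart, plus the same `setup --template` invocation with Elasticsearch credentials supplied as `-E` overrides. The `ES_PWD` and `METRICBEAT` variable names and the extra `bad-credentials` and `tls-trust` cases are assumptions that go beyond what the thread shows.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Error strings are abridged from the
# output quoted above; ES_PWD and METRICBEAT are assumed variable names.

# Map a `metricbeat setup` failure line to its likely cause.
classify_setup_error() {
  case "$1" in
    *"missing authentication token"*) echo "no-credentials" ;;  # no Authorization header sent
    *"unable to authenticate user"*)  echo "bad-credentials" ;; # header sent, login rejected
    *"connection refused"*)           echo "unreachable" ;;     # nothing listening at host:port
    *"x509:"*)                        echo "tls-trust" ;;       # server cert not trusted by the Beat
    *)                                echo "unknown" ;;
  esac
}

# Run template setup straight against Elasticsearch, with credentials.
# $1 = https URL of a node, $2 = user allowed to manage index templates.
run_template_setup() {
  : "${ES_PWD:?export ES_PWD with the password for $2}"
  "${METRICBEAT:-/usr/share/metricbeat/bin/metricbeat}" setup --template \
    -c /etc/metricbeat/metricbeat.yml \
    -E output.logstash.enabled=false \
    -E "output.elasticsearch.hosts=[\"$1\"]" \
    -E "output.elasticsearch.username=$2" \
    -E "output.elasticsearch.password=$ES_PWD"
}

# The two failures from the thread (abridged):
err_401='401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication token for REST request [/]"'
err_ip='dial tcp elasticnode1-IP:9200: connect: connection refused'
echo "hostname attempt: $(classify_setup_error "$err_401")"
echo "IP attempt:       $(classify_setup_error "$err_ip")"
```

The password still ends up in the process arguments while setup runs, so run it from an account and host where other local users cannot read the process list.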

