Can't setup Winlogbeat or Filebeat dashboards for Kibana


Firstly, sorry for any mistakes in my English. I'm not a native English speaker :slight_smile:

I hope someone can help me with this.

I have installed and configured ELK with "Basic Security plus HTTPS", and I receive logs from multiple servers authenticated with API keys. So it's working well here.

The only thing that I can't understand is why I can't set up dashboards with Filebeat or Winlogbeat.

When I run the command sudo filebeat setup --dashboards on Debian or .\winlogbeat.exe setup --dashboards on Windows, it ends with the following error:

Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}.

I know it's not recommended in a production environment, but the API keys are using the "elastic" user for testing purposes and to avoid permission problems.
I'll change this once the problem is solved.

FYI, the CA certificate is installed on the clients and the server.

Did I miss something?

Please find all the configuration files below.

Filebeat /etc/filebeat/filebeat.yml:

filebeat.inputs:
- type: log
  enabled: false
  paths:
    - /var/log/*.log

- type: filestream
  enabled: false
  paths:
    - /var/log/*.log

filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "https://kibana:5601"

output.elasticsearch:
  hosts: ["https://kibana:9200"]
  protocol: "https"
  api_key: 'api:key'

setup.ilm:
  enabled: auto
  rollover_alias: "filebeat-srvlinux"
  pattern: "{now/d}-000001"

processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~

Kibana /etc/kibana/kibana.yml: "" "kibana.domain.lan"

elasticsearch.hosts: ["https://kibana.domain.lan:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/certs/DOMAIN-CA.crt" ]

server.ssl.certificate: /etc/kibana/certs/srv-log.crt
server.ssl.key: /etc/kibana/certs/srv-log.key
server.ssl.enabled: true

xpack.encryptedSavedObjects.encryptionKey: censored
xpack.reporting.encryptionKey: censored censored

Elasticsearch /etc/elasticsearch/elasticsearch.yml: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch domain_elk SRV-LOG
http.port: 9200
discovery.seed_hosts: [""]
discovery.type: single-node true true certificate required /etc/elasticsearch/certs/elastic-certificates.p12 /etc/elasticsearch/certs/elastic-certificates.p12 true /etc/elasticsearch/certs/http-SRV-LOG.crt /etc/elasticsearch/certs/http-SRV-LOG.key [ "/etc/elasticsearch/certs/DOMAIN-CA.crt" ]

Thanks for any kind of help!

I think you are hitting this bug: "Kibana authentication is not inheriting the Elasticsearch output api_key value" (Issue #24015, elastic/beats, GitHub).

Hi! Thanks for your answer.

As you suggested, I've set the header manually in the filebeat.yml, and it worked :slight_smile:

It looks like this now:

setup.kibana:
  host: "https://kibana:5601"
  headers:
    Authorization: "ApiKey censored_base64_key"

Thanks for your help!


I'm back with some problems.
The workaround works well on Windows systems with Winlogbeat but not on Linux with Filebeat.
Still the same error.

What could be missing?

Are you getting the same 401 error? If so, can you show your config? Maybe it's an indentation issue with the options. The code for Windows and Linux is the same, so it should behave the same.
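
Added example (not part of any post in this thread, and not Elastic's code): shell helpers for checking the `Authorization` header value independently of Beats when `/api/status` keeps returning 401. It assumes the Beats `api_key` setting holds `id:api_key` and that the header carries the base64 encoding of that same string; the function names are hypothetical, and the sample key and the CA path argument are constructed placeholders.

```bash
#!/bin/sh
# Added example: build and sanity-check the Kibana "Authorization: ApiKey ..." value.
# Any key passed in the comments or tests is constructed sample data, not a real credential.

# Turn the Beats-style "id:api_key" string into the HTTP header value.
# printf (not echo) keeps a trailing newline out of the encoded bytes.
api_key_header() {
    printf 'ApiKey %s' "$(printf '%s' "$1" | base64 | tr -d '\n')"
}

# Return 0 only if the value is "ApiKey <base64 of exactly id:api_key>".
check_header_value() {
    chv_value="$1"
    case "$chv_value" in
        "ApiKey "*) chv_b64="${chv_value#ApiKey }" ;;
        *) echo "missing 'ApiKey ' scheme prefix" >&2; return 1 ;;
    esac
    chv_decoded="$(printf '%s' "$chv_b64" | base64 -d 2>/dev/null)" || {
        echo "credential is not valid base64 (raw id:api_key pasted?)" >&2; return 1; }
    case "$chv_decoded" in
        ?*:?*) ;;
        *) echo "decoded credential is not id:api_key" >&2; return 1 ;;
    esac
    # Re-encode and compare: catches a newline that was encoded by mistake.
    [ "$(api_key_header "$chv_decoded")" = "$chv_value" ] || {
        echo "credential contains stray bytes (trailing newline?)" >&2; return 1; }
}

# Ask Kibana directly, outside of Beats, and print the HTTP status code.
# $1 = Kibana URL, $2 = header value, $3 = path to the CA certificate (placeholder).
kibana_status_code() {
    curl -s -o /dev/null -w '%{http_code}' --cacert "$3" \
         -H "Authorization: $2" "$1/api/status"
}

# Emit the setup.kibana block with the header nested under "headers:".
setup_kibana_yaml() {
    printf 'setup.kibana:\n  host: "%s"\n  headers:\n    Authorization: "%s"\n' "$1" "$2"
}
```

If `kibana_status_code` prints 200 with a value that passes `check_header_value`, the key itself is accepted by Kibana and the remaining 401 comes from how the Beat's configuration file is read, for example the nesting of `headers:`.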

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.