Connecting metricbeat to elasticsearch using ssl connection

Good afternoon, can you help with connecting metricbeat to elasticsearch wazuh?
The file /etc/elasticsearch/elasticsearch.yml looks like this:

network.host: 0.0.0.0
node.name: elasticsearch
cluster.initial_master_nodes: elasticsearch

# Transport layer
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.transport.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.transport.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt

# HTTP layer
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
xpack.security.http.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
xpack.security.http.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt

# Elasticsearch authentication
xpack.security.enabled: true

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch

The file /etc/metricbeat/metricbeat/metricbeat.yml looks like this to me:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["localhost:9200"]
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "${ES_API_KEY}"
  #api_key: "xxxx"
  #username: "elastic"
  #password: "xxxxx"
  ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca/ca.crt"]
  ssl.certificate: "/etc/elasticsearch/certs/elasticsearch.crt"
  ssl.key: "/etc/elasticsearch/certs/elasticsearch.key"
  ssl.key_passphrase: "xxxxx"

But when checked with the command:

./metricbeat test output -c /etc/metricbeat/metricbeat.yml --path.home /usr/share/metricbeat/ --path.data /var/lib/metricbeat
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate is not valid for any names, but wanted to match localhost

I get an authorization error, can you tell me what I'm doing wrong?

How did you generate the cert? Hostname, localhost or IP?
The hosts: ["localhost:9200"] value must match the cert name in the subject or the alt name.
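The name check behind the x509 error above, as an added example that is not part of the original thread: it builds throwaway self-signed certificates (constructed, CN "elasticsearch") and runs Go's standard hostname verification, the check a Go TLS client such as a Beat performs. `checkHost` is an illustrative name, and the example goes beyond the thread's case by also covering an IP address in `hosts`, which needs an IP SAN.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// checkHost issues a constructed self-signed cert carrying only the given SANs
// (IP literals become IP SANs) and verifies it against the name used in `hosts:`.
func checkHost(sans []string, host string) error {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "elasticsearch"}, // assumed CN, not a SAN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	for _, s := range sans {
		if ip := net.ParseIP(s); ip != nil {
			tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
			continue
		}
		tmpl.DNSNames = append(tmpl.DNSNames, s)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(host) // nil only when a SAN covers host
}

func main() {
	fmt.Println(checkHost(nil, "localhost"))                   // no SANs: rejected
	fmt.Println(checkHost([]string{"localhost"}, "localhost")) // DNS SAN: <nil>
	fmt.Println(checkHost([]string{"localhost"}, "127.0.0.1")) // IP needs an IP SAN: rejected
}
```

To see which names an existing certificate actually carries, `openssl x509 -in /etc/elasticsearch/certs/elasticsearch.crt -noout -text` prints its Subject Alternative Name extension.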

Hi @website, welcome to the community.

What version? You should always include that.

How did you install elasticsearch, and what version?

You should not need these

This should suffice:

ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca/ca.crt"]

And then @Rios is asking the right question: how did you create the elasticsearch certificate?

Good afternoon. I solved the problem, but there was an error with the address. I have version 7.17 installed, but after installing metricbeat, the data is not displayed in Kibana. What could be the reason?

Hi @website

Did you run setup command before starting metricbeat?

That is a crucial step...

metricbeat setup -e

If you did not, you will need to delete the metricbeat index, then run setup and try again.

Also, did you check in Discover to see if you are actually getting data?

I see you are trying the prometheus module ... are you sure it is configured correctly?

Following the quick start help https://www.elastic.co/guide/en/beats/metricbeat/7.17/metricbeat-installation-configuration.html? Yours would just be with the prometheus module.

Did you look at the metricbeat logs and see if there are any other issues?
