Dear friends, please help: I have several servers with Beats, Kibana, Logstash and Elasticsearch (these are not Docker(!)). I am trying to send logs from Metricbeat to Elasticsearch via Logstash. Here is my metricbeat.yml config with Elasticsearch output:

```yaml
output.elasticsearch:
  hosts: ["https://kibana-linux.elk.com:9200", "https://datahot01.elk.com:9200", "https://datahot02.elk.com:9200", "https://datahot03.elk.com:9200", "https://datawarm01.elk.com:9200", "https://datawarm02.elk.com:9200", "https://datawarm03.elk.com:9200", "https://datawarm04.elk.com:9200", "https://datawarm05.elk.com:9200"]
  protocol: "https"
  username: "remote_monitoring_user"
  password: "PASSWORD"
  ssl.certificate_authorities: ["/etc/metricbeat/elasticsearch-ca.pem"]
```
With this output, the logs are transferred to Elasticsearch without any problems. But now, when I want to send logs to Elasticsearch via Logstash, I use the following logstash.yml config:

```yaml
node.name: node-logstash03
path.data: /opt/logstash/data
path.logs: /opt/log/logstash
xpack.monitoring.enabled: true
xpack.monitoring.elasticsearch.username: "logstash_system"
xpack.monitoring.elasticsearch.password: "PASSWORD"
xpack.monitoring.elasticsearch.hosts: ["https://kibana-linux.elk.com:9200", "https://datahot01.elk.com:9200", "https://datahot02.elk.com:9200", "https://datahot03.elk.com:9200", "https://datawarm01.elk.com:9200", "https://datawarm02.elk.com:9200", "https://datawarm03.elk.com:9200", "https://datawarm04.elk.com:9200", "https://datawarm05.elk.com:9200"]
xpack.monitoring.elasticsearch.ssl.certificate_authority: "/etc/logstash/elasticsearch-ca.pem"
xpack.monitoring.elasticsearch.ssl.verification_mode: certificate
```
and my /etc/logstash/conf.d/beats_intra.conf:

```
input {
  beat {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/ca.crt"
    ssl_key => "/etc/logstash/ca.pkcs8.key"
    ssl_verify_mode => "peer"
    ssl_certificate_authorities => "/etc/logstash/elasticsearch-ca.pem"
  }
}
output {
  elasticsearch {
    hosts => ["https://kibana-linux.elk.com:9200", "https://datahot01.elk.com:9200", "https://datahot02.elk.com:9200", "https://datahot03.elk.com:9200", "https://datawarm01.elk.com:9200", "https://datawarm02.elk.com:9200", "https://datawarm03.elk.com:9200", "https://datawarm04.elk.com:9200", "https://datawarm05.elk.com:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}"
    cacert => ["/etc/logstash/elasticsearch-ca.pem"]
    user => "elastic"
    password => "PASSWORD"
  }
}
```
Metricbeat doesn't send data to Logstash because it gets errors:

```
{"log.level":"error","@timestamp":"2022-08-28T22:02:56.020+0300","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(async(tcp://[https://logstash03.elk.com:5044]:5044)): lookup https://logstash03.elk.com:5044: no such host","service.name":"metricbeat","ecs.version":"1.6.0"}
{"log.level":"warn","@timestamp":"2022-08-28T22:34:23.657+0300","log.logger":"transport","log.origin":{"file.name":"transport/tcp.go","file.line":52},"message":"DNS lookup failure "https://logstash03.elk.com:5044": lookup https://logstash03.elk.com:5044: no such host","service.name":"metricbeat","ecs.version":"1.6.0"}
```
The hostname logstash03.elk.com is in DNS on the managed server, and I can telnet from the Metricbeat server to logstash03.elk.com 5044:

```
telnet logstash03.elk.com 5044
Trying 10.112.1.169...
Connected to logstash03.elk.com.
Escape character is '^]'.
```
There is a connection. I don't understand why there are errors...

My ELK version is 8.3.3 (all ELK Stack components are at a similar version, 8.3.3).
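
Added example, not part of the original post: the errors above show the resolver being handed the literal string `https://logstash03.elk.com:5044`, scheme and port included, while the telnet test resolves the bare hostname. The sketch below extracts the looked-up name from such Beats log lines and flags a hosts entry written as a URL. The post does not show its `output.logstash` section, so the log sample is constructed and the function names are hypothetical.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample modelled on the Metricbeat errors in the post (fields trimmed).
# The second line has unescaped inner quotes, as the warn line in the post does.
SAMPLE_LOG = [
    '{"log.level":"error","message":"Failed to connect to backoff(async(tcp://'
    '[https://logstash03.elk.com:5044]:5044)): lookup '
    'https://logstash03.elk.com:5044: no such host"}',
    '{"log.level":"warn","message":"DNS lookup failure "https://logstash03.elk.com:5044"'
    ': lookup https://logstash03.elk.com:5044: no such host"}',
    '{"log.level":"info","message":"Non-zero metrics in the last 30s"}',
]

LOOKUP_RE = re.compile(r"lookup (\S+?): no such host")
DEFAULT_PORT = 5044  # Beats uses 5044 when a hosts entry has no port


def failed_lookups(lines):
    """Return every name the resolver was asked for in 'no such host' errors."""
    names = []
    for line in lines:
        try:
            text = json.loads(line).get("message", "")
        except json.JSONDecodeError:
            text = line  # malformed JSON: fall back to scanning the raw line
        names.extend(LOOKUP_RE.findall(text))
    return names


def check_host_entry(entry):
    """Return (ok, host_port) for one output.logstash hosts entry.

    A scheme is not part of a host:port entry; TLS is switched on with the
    output's ssl.* settings instead.
    """
    if "://" not in entry:
        return True, entry
    parts = urlsplit(entry)
    return False, f"{parts.hostname}:{parts.port or DEFAULT_PORT}"


def diagnose(lines):
    """Map each looked-up name that is really a URL to a host:port suggestion."""
    return {n: check_host_entry(n)[1] for n in failed_lookups(lines)
            if not check_host_entry(n)[0]}


if __name__ == "__main__":
    for bad, good in diagnose(SAMPLE_LOG).items():
        print(f"resolver was given {bad!r}; hosts entry should be {good!r}")
```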