ECE deployment cannot connect filebeats to kibana

JeanD-SYD · October 16, 2018, 1:35am

Hi,

I have deployment the on-premise ECE, following the guide. Just a simple POC, but it seems the the licence will expire before I can get some real data in the system.
Best to then stick with Splunk

3 server
ece-3a-01.ece-elastic.xyz
ece-3b-01.ece-elastic.xyz
ece-3c-01.ece-elastic.xyz
I have a wildcard DNS and Wildcard SSL certificate *.ece-elastic.xyz

I have deploy a single deployment kibana, no customization.
I have not modified or changed the default kibana deployment as deploy from ECE.

I installed 2 ubuntu 16.04 beats servers and installed filebeat-6.4.2-amd64.deb

I modified the filebeat.yml, but the setting seem a bit of a mystery and not well documented for this configuration.

I was told not to use the cloud.id: or cloud.auth as this is for the cloud version

Here are my setting
I have tried various combinations, but does any know what is should be pointed to.
eg
Elasticsearch
https://261f41b5d7114d2fb96c403bed80c148.ece-elastic.xyz:9243/
kibana
https://2f2122e03fe0499db11412a9e0b69b4a.ece-elastic.xyz:9243/

#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:

Array of hosts to connect to.

#hosts: ["localhost:9200"]

hosts: ["ece-3a-01.ece-elastic.xyz:9343"]

protocol: "https"
username: "elastic"
password: "3VC933BDccAl8Q90iZo0yJg9"

JeanD-SYD · October 16, 2018, 1:36am

this was with port :9343

ubuntu@filebeats-2:/etc/filebeat$ sudo filebeat setup --e
2018-10-16T01:13:50.719Z INFO instance/beat.go:544 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2018-10-16T01:13:50.720Z INFO instance/beat.go:551 Beat UUID: c3de4395-5173-4333-8a8a-b13e2ff374c9
2018-10-16T01:13:50.720Z INFO [beat] instance/beat.go:768 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c3de4395-5173-4333-8a8a-b13e2ff374c9"}}}
2018-10-16T01:13:50.720Z INFO [beat] instance/beat.go:777 Build info {"system_info": {"build": {"commit": "e193f6d68b25b7ddbe3a3ed8d60bc07fea1ef800", "libbeat": "6.4.2", "time": "2018-09-26T12:42:46.000Z", "version": "6.4.2"}}}
2018-10-16T01:13:50.720Z INFO [beat] instance/beat.go:780 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.10.3"}}}
2018-10-16T01:13:50.721Z INFO [beat] instance/beat.go:784 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2018-10-16T00:11:53Z","containerized":false,"hostname":"filebeats-2","ips":["127.0.0.1/8","::1/128","192.168.201.19/24","fe80::f816:3eff:fe76:28e5/64"],"kernel_version":"4.4.0-135-generic","mac_addresses":["fa:16:3e:76:28:e5"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"16.04.5 LTS (Xenial Xerus)","major":16,"minor":4,"patch":5,"codename":"xenial"},"timezone":"UTC","timezone_offset_sec":0,"id":"e947bef37f61461a800be9372cd93f9e"}}}
2018-10-16T01:13:50.721Z INFO [beat] instance/beat.go:813 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/etc/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 26533, "ppid": 26532, "seccomp": {"mode":"disabled"}, "start_time": "2018-10-16T01:13:50.060Z"}}}
2018-10-16T01:13:50.722Z INFO instance/beat.go:273 Setup Beat: filebeat; Version: 6.4.2
2018-10-16T01:13:50.722Z INFO elasticsearch/client.go:163 Elasticsearch url: https://ece-3a-01.ece-elastic.xyz:9343
2018-10-16T01:13:50.723Z INFO pipeline/module.go:98 Beat name: filebeats-2
2018-10-16T01:13:50.723Z INFO elasticsearch/client.go:163 Elasticsearch url: https://ece-3a-01.ece-elastic.xyz:9343
2018-10-16T01:13:51.008Z ERROR elasticsearch/elasticsearch.go:214 Error connecting to Elasticsearch at https://ece-3a-01.ece-elastic.xyz:9343: Get https://ece-3a-01.ece-elastic.xyz:9343: net/http: HTTP/1.x transport connection broken: malformed HTTP status code "acceptable"
2018-10-16T01:13:51.008Z ERROR instance/beat.go:743 Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://ece-3a-01.ece-elastic.xyz:9343: Get https://ece-3a-01.ece-elastic.xyz:9343: net/http: HTTP/1.x transport connection broken: malformed HTTP status code "acceptable"]
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://ece-3a-01.ece-elastic.xyz:9343: Get https://ece-3a-01.ece-elastic.xyz:9343: net/http: HTTP/1.x transport connection broken: malformed HTTP status code "acceptable"]

JeanD-SYD · October 16, 2018, 1:36am

this was with port :9243

ubuntu@filebeats-2:/etc/filebeat$ sudo filebeat setup --e
2018-10-16T01:32:48.571Z INFO instance/beat.go:544 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2018-10-16T01:32:48.571Z INFO instance/beat.go:551 Beat UUID: c3de4395-5173-4333-8a8a-b13e2ff374c9
2018-10-16T01:32:48.571Z INFO [beat] instance/beat.go:768 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "c3de4395-5173-4333-8a8a-b13e2ff374c9"}}}
2018-10-16T01:32:48.572Z INFO [beat] instance/beat.go:777 Build info {"system_info": {"build": {"commit": "e193f6d68b25b7ddbe3a3ed8d60bc07fea1ef800", "libbeat": "6.4.2", "time": "2018-09-26T12:42:46.000Z", "version": "6.4.2"}}}
2018-10-16T01:32:48.572Z INFO [beat] instance/beat.go:780 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.10.3"}}}
2018-10-16T01:32:48.573Z INFO [beat] instance/beat.go:784 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2018-10-16T00:11:53Z","containerized":false,"hostname":"filebeats-2","ips":["127.0.0.1/8","::1/128","192.168.201.19/24","fe80::f816:3eff:fe76:28e5/64"],"kernel_version":"4.4.0-135-generic","mac_addresses":["fa:16:3e:76:28:e5"],"os":{"family":"debian","platform":"ubuntu","name":"Ubuntu","version":"16.04.5 LTS (Xenial Xerus)","major":16,"minor":4,"patch":5,"codename":"xenial"},"timezone":"UTC","timezone_offset_sec":0,"id":"e947bef37f61461a800be9372cd93f9e"}}}
2018-10-16T01:32:48.573Z INFO [beat] instance/beat.go:813 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/etc/filebeat", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 26581, "ppid": 26580, "seccomp": {"mode":"disabled"}, "start_time": "2018-10-16T01:32:47.910Z"}}}
2018-10-16T01:32:48.574Z INFO instance/beat.go:273 Setup Beat: filebeat; Version: 6.4.2
2018-10-16T01:32:48.574Z INFO elasticsearch/client.go:163 Elasticsearch url: https://ece-3a-01.ece-elastic.xyz:9243
2018-10-16T01:32:48.575Z INFO pipeline/module.go:98 Beat name: filebeats-2
2018-10-16T01:32:48.576Z INFO elasticsearch/client.go:163 Elasticsearch url: https://ece-3a-01.ece-elastic.xyz:9243
2018-10-16T01:32:49.131Z ERROR elasticsearch/elasticsearch.go:214 Error connecting to Elasticsearch at https://ece-3a-01.ece-elastic.xyz:9243: 404 Not Found: {"ok":false,"message":"Unknown cluster."}
2018-10-16T01:32:49.132Z ERROR instance/beat.go:743 Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://ece-3a-01.ece-elastic.xyz:9243: 404 Not Found: {"ok":false,"message":"Unknown cluster."}]
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://ece-3a-01.ece-elastic.xyz:9243: 404 Not Found: {"ok":false,"message":"Unknown cluster."}]

JeanD-SYD · October 16, 2018, 1:36am

ubuntu@filebeats-2:/etc/filebeat$ curl -sv '*' https://ece-3a-01.ece-elastic.xyz:9343

Rebuilt URL to: */
Trying ::1...
connect to ::1 port 80 failed: Connection refused
Trying 127.0.0.1...
connect to 127.0.0.1 port 80 failed: Connection refused
Failed to connect to * port 80: Connection refused
Closing connection 0
Rebuilt URL to: https://ece-3a-01.ece-elastic.xyz:9343/
Trying 10.243.196.19...
Connected to ece-3a-01.ece-elastic.xyz (10.243.196.19) port 9343 (#1)
found 148 certificates in /etc/ssl/certs/ca-certificates.crt
found 592 certificates in /etc/ssl/certs
ALPN, offering http/1.1
SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
```
   server certificate verification OK
```

   server certificate status verification SKIPPED

   common name: *.ece-elastic.xyz (matched)

   server certificate expiration date OK

   server certificate activation date OK

```
   certificate public key: RSA
```
```
   certificate version: #3
```
```
   subject: CN=*.ece-elastic.xyz
```

   start date: Sat, 13 Oct 2018 06:54:11 GMT

   expire date: Fri, 11 Jan 2019 06:54:11 GMT

   issuer: C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3

```
   compression: NULL
```
ALPN, server did not agree to a protocol

GET / HTTP/1.1
Host: ece-3a-01.ece-elastic.xyz:9343
User-Agent: curl/7.47.0
Accept: /

Connection #1 to host ece-3a-01.ece-elastic.xyz left intact
*▒▒▒▒▒No acceptable header received.

Alex_Piggott · October 16, 2018, 2:33pm

~~9343 is the transport protocol port, can you try 9243 which is the HTTPS port? I believe beats uses that (and curl definitely does)~~

Sorry I only read the last message, reading the rest now

Alex

Alex_Piggott · October 16, 2018, 2:50pm

OK I see the problem:

(Note first that 9243 is the correct port as described above)

Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://ece-3a-01.ece-elastic.xyz:9243: 404 Not Found: {"ok":false,"message":"Unknown cluster."}]

The formats of the cluster URLs are of the form <clusterid>.<domain> eg if your cluster Id (listed in the overview page on the UI / returned from the create API call) is 261f41b5d7114d2fb96c403bed80c148 and as you said your domain prefix is *.ece-elastic.xyz then your cluster URL would look like https://261f41b5d7114d2fb96c403bed80c148.ece-elastic.xyz:9243

So the error you see above is expected since ece-3a-01 is not a cluster ID

Now ... currently your 3 hosts are eg ece-3*-01.ece-elastic.xyz so you need to make your wildcard DNS point *.ece-elastic.xyz to a round-robin of the 3 ECE hosts (assuming you have a proxy role on each of them)

Once you have done that then you can check the DNS setup works by doing eg host ANYTHING.ece-elastic.xyz (or dig) and it should return one of the 3 IPs of ece-3a-01, ece-3b-01 and ece-3c-01

(At this point you can also set the cname in the settings page of the UI to ece-elastic.xyz and it will auto-generate the correct URLs on the cluster overview pages)

Once you have confirmed that then you would just set eg:

hosts: ["https://261f41b5d7114d2fb96c403bed80c148.ece-elastic.xyz:9243"]

protocol: "https"
username: "elastic"
password: "3VC933BDccAl8Q90iZo0yJg9"

(note: I'm assuming your setup is internal - otherwise you should change all the passwords etc )

and it should connect (note I used the cluster ID of elasticsearch not Kibana)

Does that make sense?

Sorry that all the network set-up is a pain (for a quick out-of-the box experience, we provide the ip.es.io service which just maps <IP>.ip.es.io to IP <IP> so you can route easily to a single node of an ECE install via <CLUSTERID>.<IP>.ip.es.io without having to mess about with DNS

Alex

JeanD-SYD · October 17, 2018, 12:13am

Good news

From the ECE the deployment:
elasticsearch
https://261f41b5d7114d2fb96c403bed80c148.ece-elastic.xyz:9243
kibana
https://2f2122e03fe0499db11412a9e0b69b4a.ece-elastic.xyz:9243

With the above added to the filebeats.yml
sudo vi /etc/filebeat/filebeat.yml

setup.kibana:
#host: "localhost:5601"
host: "https://2f2122e03fe0499db11412a9e0b69b4a.ece-elastic.xyz:9243"

output.elasticsearch:
#Array of hosts to connect to.
#hosts: ["localhost:9200"]
hosts: ["261f41b5d7114d2fb96c403bed80c148.ece-elastic.xyz:9243"]
#Optional protocol and basic auth credentials.
protocol: "https"
username: "elastic"
password: "3VC933BDccAl8Q90iZo0yJg9"

sudo filebeat modules enable system
sudo filebeat setup --e
sudo service filebeat start

system · October 31, 2018, 12:13am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat not connecting to elasticsearch cluster running with ECK Elastic Cloud on Kubernetes (ECK)	3	1045	September 14, 2021
Kibana ECE dashboard error Elastic Cloud Enterprise (ECE)	1	484	August 25, 2020
Filebeat unable to connect to ECE Elastic Cloud Enterprise (ECE)	10	2171	March 11, 2020
Filebeat cannot connect with Elasticsearch (ELK Stack setup for Suricata) Beats elastic-stack-security , filebeat	2	430	September 11, 2023
Metricbeat 6.3.0 tries to connect on 443 instead of 9243 Elastic Cloud Enterprise (ECE)	3	1218	September 10, 2018

ECE deployment cannot connect filebeats to kibana

Array of hosts to connect to.

Related topics