Elastic searchguard auditbeat

Hi. I've installed yet another instance of auditbeat for my SIEM. The configuration is the same as the others. But it can't connect to elastic because it does not have enough permissions (monitor/xpack/license/get).

Failed to connect to backoff(
            elasticsearch(https://192.168.192.124:9200)): 
                    Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_license endpoint, Auditbeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Auditbeat so it can verify the license.: could not retrieve the license information from the cluster: 403 Forbidden: 
                    {"error":{
                            "root_cause":[
                                    {"type":"security_exception",
                                     "reason":"no permissions for [cluster:monitor/xpack/license/get] and User [name=usr_logstash, backend_roles=[], requestedTenant=null]"}
                            ]

Should I create new permissions for 'monitor/xpack/license/get'? Can I disable the xpack licence check? If not, why is it working on the other auditbeat instances?

If you are not using the default distribution of Elasticsearch you probably need to install the OSS version of Auditbeat.

I'm using

elasticsearch -V
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Version: 7.3.2, Build: default/tar/1c1faf1/2019-09-06T14:40:30.409026Z, JVM: 12.0.2

Is it necessary to set auditbeat permissions (cluster:monitor/xpack/license/get) in searchguard? I'm not using any xpack modules.

I do not know. Have never used Searchguard.

I mean... Is it necessary for auditbeat to access 'cluster:monitor/xpack/license/get' to work correctly? I think I don't need access to the xpack licence because I don't use xpack. Or am I mistaken?

Yes, the default distribution of Auditbeat requires a license check.

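One way to reproduce that license check outside the beat, as an added example (not from this thread, nor Elastic's or Search Guard's code): it calls the same /_license endpoint with the beat's credentials and, on a 403, pulls the missing privilege and the user out of the security_exception body, so the Search Guard role can be corrected before the beat is restarted. The URL, user and password are placeholders; the embedded sample body is the 403 from the error above.

```python
import base64
import json
import re
import ssl
import urllib.error
import urllib.request

# Constructed sample: the 403 body Auditbeat logged in the thread above.
SAMPLE_403_BODY = json.dumps({
    "error": {
        "root_cause": [{
            "type": "security_exception",
            "reason": "no permissions for [cluster:monitor/xpack/license/get] and User "
                      "[name=usr_logstash, backend_roles=[], requestedTenant=null]",
        }],
        "type": "security_exception",
    },
    "status": 403,
})

# Search Guard phrases a denied action as: no permissions for [<action>] and User [name=<user>, ...]
_REASON_RE = re.compile(r"no permissions for \[(?P<action>[^\]]+)\] and User \[name=(?P<user>[^,\]]+)")


def diagnose_license_check(status, body):
    """Interpret a /_license response the way a beat would: 200 means the check passes;
    on a security_exception, report which cluster action the user is missing."""
    if status == 200:
        lic = json.loads(body).get("license", {})
        return {"ok": True, "type": lic.get("type"), "status": lic.get("status")}
    result = {"ok": False, "status": status, "action": None, "user": None}
    try:
        causes = json.loads(body)["error"]["root_cause"]
    except (ValueError, KeyError, TypeError):
        return result  # not a Search Guard / X-Pack style error body
    for cause in causes:
        match = _REASON_RE.search(cause.get("reason", ""))
        if cause.get("type") == "security_exception" and match:
            result["action"] = match.group("action")
            result["user"] = match.group("user")
            break
    return result


def check_license_endpoint(url, user, password, cafile=None):
    """Live check: GET /_license as the beat user (hypothetical placeholders for the
    cluster URL and credentials), the same request Auditbeat makes on connect."""
    req = urllib.request.Request(url.rstrip("/") + "/_license")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    ctx = ssl.create_default_context(cafile=cafile)  # verify the cluster cert, do not disable TLS checks
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return diagnose_license_check(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return diagnose_license_check(err.code, err.read().decode())
```

Run `check_license_endpoint("https://<es-host>:9200", "<beat-user>", "<password>", cafile="ca.pem")` against the cluster; a result with `action` set is the exact privilege to add to that user's Search Guard role.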

Thanks a lot.
