Elastic searchguard auditbeat

Slava_Gavrilov · June 15, 2020, 11:41am

Hi. I've installed yet another instance of auditbeat for my SIEM. The configurations is same as other. But it can't connect to elastic because of not enough permissions (monitor/xpack/license/get).

Failed to connect to backoff(
            elasticsearch(https://192.168.192.124:9200)): 
                    Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_license endpoint, Auditbeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Auditbeat so it can verify the license.: could not retrieve the license information from the cluster: 403 Forbidden: 
                    {"error":{
                            "root_cause":[
                                    {"type":"security_exception",
                                     "reason":"no permissions for [cluster:monitor/xpack/license/get] and User [name=usr_logstash, backend_roles=[], requestedTenant=null]"}
                            ]

Should I create new permissions to 'monitor/xpack/license/get'? Can I disable check xpack licence? If no, why it is working on other auditbeat instances?

Christian_Dahlqvist · June 15, 2020, 11:58am

If you are not using the default distribution of Elasticsearch you probably need to install the OSS version of Auditbeat.

Slava_Gavrilov · June 15, 2020, 2:24pm

I'm using

elasticsearch -V
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Version: 7.3.2, Build: default/tar/1c1faf1/2019-09-06T14:40:30.409026Z, JVM: 12.0.2

Is it necessary to set auditbeat permissions (cluster:monitor/xpack/license/get) in searchguard? I'm not using any xpack modules.

Christian_Dahlqvist · June 15, 2020, 2:26pm

I do not know. Have never used Searchguard.

Slava_Gavrilov · June 15, 2020, 3:13pm

i mean... Is it necessary auditbeat access to 'cluster:monitor/xpack/license/get' to work correctly? I think I don't have to access to xpack licence because I dont use xpack. Or I mistake?

Christian_Dahlqvist · June 15, 2020, 3:14pm

Yes, the default distribution of Auditbeat requires license check.

Slava_Gavrilov · June 15, 2020, 3:15pm

Thanks a lot.

system · July 13, 2020, 5:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Licence check is making the auditbeat connection fail with AWS elasticsearch Beats auditbeat	7	436	May 18, 2023
Filebeat 6.7.0 not working with AWS Elasticsearch Beats filebeat	4	7333	May 2, 2019
AWS Elasticsearch service and filebeat Beats filebeat	3	524	November 27, 2020
Filebeat error Logstash	1	320	April 11, 2021
License error with Filebeat 6.7.1 Docker image and AWS ElasticSearch Beats license , filebeat	2	1087	June 5, 2019

Elastic searchguard auditbeat

Related Topics