I encountered an error while trying to connect Filebeat to my ELK cluster:
```
# filebeat test output
elasticsearch: <censored_server1>:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: <censored_server1>
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized
```
With password authentication everything works fine, but it doesn't with certificate authorization. I am sure all certs are valid; is it some internal flaw, or am I just doing something wrong?
Here is my config for filebeat:
```yaml
# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["<censored_server1>:9200", "<censored_server2>:9200", "<censored_server3>:9200"]
  username: admin
  password: <censored>
  protocol: https
  ssl.certificate_authorities:
    - <valid-path>/certs/root-ca.pem
  ssl.certificate: "<valid-path>/certs/filebeat.pem"
  ssl.key: "<valid-path>/certs/filebeat.key"
setup.template.json.enabled: true
setup.template.json.path: '<valid-path>/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false
```
If that's not enough, please tell me what else I should attach for you to be able to reproduce it or possibly figure out what that error is.
Edit: Third check of the certificates... and it's definitely not their fault.