ERROR when filebeat test output talk to server


I encountered an error while trying to connect Filebeat to my ELK cluster:

# filebeat test output
elasticsearch: <censored_server1>:9200...
  parse url... OK
    parse host... OK
    dns lookup... OK
    addresses: <censored_server1>
    dial up... OK
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized

With password authentication everything works fine, but it doesn't with certificate authorization. I am sure all certs are valid; is it some internal flaw, or am I just doing something wrong?

Here is my config for filebeat:

# Wazuh - Filebeat configuration file
output.elasticsearch:
  hosts: ["<censored_server1>:9200", "<censored_server2>:9200", "<censored_server3>:9200"]
  username: admin
  password: <censored>
  protocol: https
  # CA used to verify the Elasticsearch server certificate
  ssl.certificate_authorities:
    - <valid-path>/certs/root-ca.pem
  # Client certificate and key presented by Filebeat
  ssl.certificate: "<valid-path>/certs/filebeat.pem"
  ssl.key: "<valid-path>/certs/filebeat.key"
setup.template.json.enabled: true
setup.template.json.path: '<valid-path>/wazuh-template.json'
setup.template.json.name: 'wazuh'
setup.ilm.overwrite: true
setup.ilm.enabled: false

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

If that's not enough, please tell me what else I should attach for you to be able to reproduce it, or possibly know what that error is.

Edit: Third check of certificates... And that's definitely not their fault.


A 401 error would have something to do with the authentication of your user.

Are the credentials correct? And did you ensure that your "admin" user has sufficient permissions?

Admin has the right permissions; with password authentication everything works fine, but I need to do it via certificates. Is there a way to log in that way?

Just to confirm, you want to use PKI auth - PKI user authentication | Elasticsearch Guide [7.13] | Elastic?

Yes, but it doesn't work

You need a Gold or above license for that to work - Subscriptions | Elastic Stack Products & Support | Elastic
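A triage helper for the `filebeat test output` result quoted in the question, added here as an example (not code from the thread or from Elastic): it parses the `name... STATUS` step lines and reports whether the first failure is in the transport steps (DNS, TCP, TLS) or at the HTTP authentication step. The function names and the second sample are constructed for illustration.

```python
import re

# One step line of `filebeat test output`, e.g. "    handshake... OK".
STEP = re.compile(r"^\s*(?P<name>[a-z ]+?)\.\.\.\s*(?P<status>OK|WARN|ERROR)\b\s*(?P<detail>.*)$")

# Steps that finish before any HTTP request is sent.
TRANSPORT_STEPS = {"parse url", "parse host", "dns lookup", "dial up", "handshake"}

def parse_steps(text):
    """Return (name, status, detail) for every 'name... STATUS' line."""
    return [(m["name"], m["status"], m["detail"].strip())
            for m in map(STEP.match, text.splitlines()) if m]

def diagnose(text):
    """Classify the first failing step as 'ok', 'transport', 'auth' or 'other'."""
    failed = next((s for s in parse_steps(text) if s[1] == "ERROR"), None)
    if failed is None:
        return "ok"
    name, _, detail = failed
    if name in TRANSPORT_STEPS:
        return "transport"   # DNS, TCP or TLS problem: check CA, cert, key, host
    if name == "talk to server" and re.match(r"40[13]\b", detail):
        return "auth"        # TLS was fine; rejected at the HTTP auth layer
    return "other"

# Output quoted from the question above.
FROM_THREAD = """\
elasticsearch: <censored_server1>:9200...
  parse url... OK
    parse host... OK
    dns lookup... OK
    addresses: <censored_server1>
    dial up... OK
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized
"""

# Constructed sample of a TLS failure, for contrast (not from the thread).
CONSTRUCTED_TLS_FAILURE = """\
  parse url... OK
    dial up... OK
    handshake... ERROR x509: certificate signed by unknown authority
"""

if __name__ == "__main__":
    for label, text in (("thread", FROM_THREAD), ("constructed", CONSTRUCTED_TLS_FAILURE)):
        print(label, "->", diagnose(text))
```

An `auth` result after a clean handshake means the certificates were accepted for TLS, so the place to look is the server-side authentication setup rather than the certificate files.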
