I have kubernetes running on AWS (EKS) (v.6.3.2 from containers in GCP) and dedicated nodes that run Elasticsearch.
So we want to export Cloudwatch logs there given we have kibana and everything else goes there.
Installed functionbeat and configured the lambda to run within the vpc and it appears that we can contact ES (which internally to VPC has no credentials configured - access is managed by acls) and yet I get the following error. Not sure why it is trying xpack and if there is anyway to disable it. The configuration reference says already that Xpack monitoring is disabled by default. I don't think we have xpack at all installed with ES.
Any idea what could be wrong
2019-01-28T18:44:50.849Z DEBUG [elasticsearch] elasticsearch/client.go:689 ES Ping(url=https://elasticsearch.domain.com:443)
2019-01-28T18:44:50.857Z DEBUG [elasticsearch] elasticsearch/client.go:712 Ping status code: 200
2019-01-28T18:44:50.857Z INFO elasticsearch/client.go:713 Connected to Elasticsearch version 6.3.2
2019-01-28T18:44:50.857Z DEBUG [elasticsearch] elasticsearch/client.go:731 GET https://elasticsearch.domain.com:443/_xpack?human=false
2019-01-28T18:44:50.863Z INFO [license-manager] licenser/manager.go:265 Cannot retrieve license, retrying later, error: error from server, response code: 400
2019-01-28T18:44:50.863Z DEBUG [license-manager] licenser/manager.go:274 License is too old, grace time remaining: 44m55.582262758s
END RequestId: fdbd99a7-fc75-4810-bcf4-232d6558cc42
REPORT RequestId: fdbd99a7-fc75-4810-bcf4-232d6558cc42 Duration: 15012.04 ms Billed Duration: 15000 ms Memory Size: 128 MB Max Memory Used: 62 MB
2019-01-28T18:44:53.969Z fdbd99a7-fc75-4810-bcf4-232d6558cc42 Task timed out after 3.01 seconds
Here is the functionbeat.yml config file:
description: "lambda function for cloudwatch logs"
- log_group_name: /aws/cloudtrail-events
description: "lambda function for SQS events"
- add_host_metadata: ~
- add_cloud_metadata: ~