Exporting logs to elasticsearch on kubernetes/aws: functionbeat - Cannot retrieve license

I have kubernetes running on AWS (EKS) (v.6.3.2 from containers in GCP) and dedicated nodes that run Elasticsearch.

So we want to export Cloudwatch logs there given we have kibana and everything else goes there.

Installed functionbeat and configured the lambda to run within the vpc and it appears that we can contact ES (which internally to VPC has no credentials configured - access is managed by acls) and yet I get the following error. Not sure why it is trying xpack and if there is anyway to disable it. The configuration reference says already that Xpack monitoring is disabled by default. I don't think we have xpack at all installed with ES.

Any idea what could be wrong

2019-01-28T18:44:50.849Z DEBUG [elasticsearch] elasticsearch/client.go:689 ES Ping(url=https://elasticsearch.domain.com:443)
2019-01-28T18:44:50.857Z DEBUG [elasticsearch] elasticsearch/client.go:712 Ping status code: 200
2019-01-28T18:44:50.857Z INFO elasticsearch/client.go:713 Connected to Elasticsearch version 6.3.2
2019-01-28T18:44:50.857Z DEBUG [elasticsearch] elasticsearch/client.go:731 GET https://elasticsearch.domain.com:443/_xpack?human=false
2019-01-28T18:44:50.863Z INFO [license-manager] licenser/manager.go:265 Cannot retrieve license, retrying later, error: error from server, response code: 400
2019-01-28T18:44:50.863Z DEBUG [license-manager] licenser/manager.go:274 License is too old, grace time remaining: 44m55.582262758s
END RequestId: fdbd99a7-fc75-4810-bcf4-232d6558cc42
REPORT RequestId: fdbd99a7-fc75-4810-bcf4-232d6558cc42 Duration: 15012.04 ms Billed Duration: 15000 ms Memory Size: 128 MB Max Memory Used: 62 MB
2019-01-28T18:44:53.969Z fdbd99a7-fc75-4810-bcf4-232d6558cc42 Task timed out after 3.01 seconds

Here is the functionbeat.yml config file:

functionbeat.provider.aws.deploy_bucket: "com.domain.functionbeat"


  • name: cloudwatch
    enabled: true
    type: cloudwatch_logs

    description: "lambda function for cloudwatch logs"


    • log_group_name: /aws/cloudtrail-events
  • name: sqs
    enabled: false
    type: sqs

    description: "lambda function for SQS events"


hosts: ["https://elasticsearch.domain.com:443"]


  • add_host_metadata: ~
  • add_cloud_metadata: ~

xpack.monitoring.enabled: false

setup.template.overwrite: true

Hello @GAHila,

You are not doing anything wrong. Currently, Functionbeat requires that the remote endpoint has at least a basic license, that license is free and you will get a few more things out of the box from your cluster.

We got ES 6.5 OSS packages.

I tried to install x-pack and got:

ERROR: X-Pack is not available with the oss distribution; to use X-Pack features use the default distribution

That probably means that with the current version of ES we cannot use functionbeat, right?

Exactly you will need to install the Elasticsearch non oss packages, I don't think in 6.5 you can install x-pack as a plugin.

Thank you, it's all clear now!

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.