Failed to fetch X-pack information from ES - Failure to reach live ES Cluster

I'm currently configuring Logstash ArcSight Module, however I've reached a road-block, error message below:

Sending Logstash logs to /usr/share/logstash/logs which is now configured via
[2022-10-24T10:09:00,755][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/
[2022-10-24T10:09:00,761][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.4.3", "jruby.version"=>"jruby (2.6.8) 2022-09-13 98d69c9461 OpenJDK 64-Bit Server VM 17.0.4+8 on 17.0.4+8 +indy +jit [x86_64-linux]"}
[2022-10-24T10:09:00,770][INFO ][logstash.runner          ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -XX:+HeapDumpOnOutOfMemoryError,, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true,, --add-exports=jdk.compiler/, --add-exports=jdk.compiler/, --add-exports=jdk.compiler/, --add-exports=jdk.compiler/, --add-exports=jdk.compiler/, --add-opens=java.base/, --add-opens=java.base/, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/,]
[2022-10-24T10:09:00,952][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-10-24T10:09:01,727][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-10-24T10:09:02,257]**[ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"No Available connections"}**
[2022-10-24T10:09:02,282][**ERROR][logstash.licensechecker.modulelicensechecker] Failed to fetch X-Pack information from Elasticsearch. This is likely due to failure to reach a live Elasticsearch cluster.**
[2022-10-24T10:09:02,282][WARN ][logstash.config.modulescommon] The arcsight module is not enabled. Please check the logs for additional information.
[2022-10-24T10:09:02,286][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2022-10-24T10:09:02,345][INFO ][logstash.runner          ] Logstash shut down.
[2022-10-24T10:09:02,354][FATAL][org.logstash.Logstash    ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/ ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/ ~[jruby.jar:?]
        at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:91) ~[?:?]

The module was configured with these commands:

 ./logstash --modules arcsight --setup --path.settings /etc/logstash/ -M "arcsight.var.inputs=smartconnector" -M "arcsight.var.elasticsearch.hosts=[Private IP]:9200" -M "arcsight.var.elasticsearch.username=elastic" -M "arcsight.var.elasticsearch.password=changeme" -M "[Private IP]:5601" -M "arcsight.var.kibana.username=kibana" -M "arcsight.var.kibana.password=changeme" &

I am very new to Elasticsearch and judging from the logs it seems to suggest the ES node is unreachable? I must confirm that the node ES, Kibana and Logstash are all on the same machine. Netstat has confirmed that the ES node is currently using a private address to listen on port 9200, also on a on port 5601.

Any help or advice on how to troubleshoot will be highly appreciated.



It seems you have two issues:

  • LS cannot see ES for licensing - Did you assign proper rights to the user?
  • The arcsight module is not enabled - Have you enabled/configured it as mentioned in the documentation?

Version 8.4 of ELK comes with basic security as default. So I should have configured the Logstash instance so that it can contact the ES instance securely; this is done by adding the X509 CA created when Elastic is initially installed, located in /etc/elasticsearch/certs/http_ca.crt.
Logstash will need a copy of that, and this I did by creating a certs directory in /etc/logstash.

I was then able to run a test pipeline from the command-line successfully

1 Like
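
Added example, not part of the original thread and not Elastic's code: a small probe that calls the X-Pack info endpoint (`GET /_xpack`) over HTTPS while trusting only the copied CA file, and reports which of the causes raised above (unreachable node, TLS/CA trust, user rights) applies. The function names `classify` and `probe_es` are hypothetical, and the host, user and password in the usage block are placeholders taken from the command in the question.

```python
"""Probe Elasticsearch over HTTPS the way a client holding only the ES CA would."""
import base64
import ssl
import urllib.error
import urllib.request


def classify(exc):
    """Map a failed request to the likely cause of 'No Available connections'."""
    if isinstance(exc, urllib.error.HTTPError):
        # TLS and routing worked; Elasticsearch itself rejected the request.
        known = {401: "auth_failed", 403: "missing_privileges"}
        return known.get(exc.code, f"http_{exc.code}")
    # urllib wraps socket and TLS errors in URLError.reason; unwrap only that
    # type, because ssl.SSLError has its own unrelated string attribute 'reason'.
    reason = exc.reason if isinstance(exc, urllib.error.URLError) else exc
    if isinstance(reason, ssl.SSLCertVerificationError):
        # CA file is not the one that signed the ES certificate,
        # or the host name is not listed in that certificate.
        return "cert_untrusted"
    if isinstance(reason, ssl.SSLError):
        # Handshake failed for another reason, e.g. the port speaks plain HTTP.
        return "tls_failed"
    return "unreachable"  # refused, timed out, or name did not resolve


def probe_es(host, port, ca_file, user, password, timeout=5):
    """GET https://host:port/_xpack with Basic auth; return 'ok' or a cause."""
    # With cafile set, only that CA is trusted; certificate and host name
    # verification stay enabled. Raises if the file cannot be read.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(f"https://{host}:{port}/_xpack")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx):
            return "ok"
    except (urllib.error.URLError, OSError) as exc:
        return classify(exc)


if __name__ == "__main__":
    # Placeholder values: substitute your own host and credentials.
    print(probe_es("localhost", 9200, "/etc/logstash/certs/http_ca.crt",
                   "elastic", "changeme"))
```

Run it as the account Logstash runs under, so that a CA copy that account cannot read shows up as an error here as well.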
