Filebeat-OSS throwing error while connecting with AWS ES

Hi,

I'm trying to use Filebeat-OSS with AWS ES to ingest AWS ECS container logs, but Filebeat is not able to connect with ES.

```
2020-04-29T15:40:54.266Z ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(https://xxx-us-east-1.es.amazonaws.com:443/)): Connection marked as failed because the onConnect callback failed: request checking for ILM availability failed: 401 Unauthorized: {"Message":"Your request: '/_xpack' is not allowed."}
```

Here is my Dockerfile:

```
FROM docker.elastic.co/beats/filebeat-oss:7.6.2
COPY filebeat.yml /usr/share/filebeat/filebeat.yml
USER root
RUN chmod 777 /usr/share/filebeat/
RUN chown root:filebeat /usr/share/filebeat/
USER filebeat
```

Here is my filebeat.yml

```
filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
output.elasticsearch:
  hosts: ['https://xxx.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: auto
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false

#============================== Xpack Monitoring ===============================

xpack.monitoring.enabled: false
```

And if I use Filebeat with Logstash for this, it's working fine, but I want to use Filebeat directly to get the ECS exported fields, which I cannot get with Logstash.

Thanks,

I believe you need to disable ILM rather than have it set to auto.

I have tried with `ilm.enabled: false`, but I'm still getting the same error.

Please also add `setup.ilm.enabled: false` at the root of the configuration.

filebeat.yml

```
filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
output.elasticsearch:
  hosts: ['https://xxx.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: false
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false
setup.ilm.enabled: false
```

Thanks a lot @Luca_Belluccini, it worked.

Can you please help with another issue? I'm using Filebeat as a daemonset in AWS ECS and I'm not getting ECS exported fields. Basically, I want to get some basic information about the Docker containers to identify the logs (e.g. container name, etc.).

Can you try adding `add_docker_metadata`:

```
filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
  processors:
  - add_docker_metadata: ~
```

No @Luca_Belluccini, it didn't work.

```
filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
  processors:
  - add_docker_metadata: ~
output.elasticsearch:
  hosts: ['https://vpc-elasticsearch-1-qb6jzysg4sqjyyiyrlmujrhc3i.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: auto
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false
setup.ilm.enabled: false
```

Please check if Filebeat has access to the Docker sock as explained here
https://www.elastic.co/guide/en/beats/filebeat/master/add-docker-metadata.html
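
One way to run that access check from inside the Filebeat container, as an added example that is not part of the original thread. It assumes the processor's default socket path `/var/run/docker.sock` and the log path from the configuration above; `check_path` and `diagnose` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): verify that the user Filebeat runs as
# can reach the Docker socket and the container log directory.
# Assumed paths: the add_docker_metadata default socket and the log path
# used in the thread's filebeat.yml; override with DOCKER_SOCK / LOG_DIR.

# check_path KIND PATH -> 0 usable, 1 permission denied, 2 missing, 3 wrong type
check_path() {
  kind=$1
  path=$2
  if [ ! -e "$path" ]; then
    echo "MISSING   $path (not mounted into the container?)"
    return 2
  fi
  case $kind in
    socket)
      # The Docker API client must connect, which needs read and write.
      [ -S "$path" ] || { echo "WRONGTYPE $path is not a unix socket"; return 3; }
      { [ -r "$path" ] && [ -w "$path" ]; } || { echo "DENIED    $(ls -ldn "$path")"; return 1; }
      ;;
    dir)
      # Listing and traversing the directory needs read and execute.
      [ -d "$path" ] || { echo "WRONGTYPE $path is not a directory"; return 3; }
      { [ -r "$path" ] && [ -x "$path" ]; } || { echo "DENIED    $(ls -ldn "$path")"; return 1; }
      ;;
    *)
      echo "usage: check_path socket|dir PATH" >&2
      return 64
      ;;
  esac
  echo "OK        $path"
}

# diagnose -> 0 only when both the socket and the log directory are usable
diagnose() {
  echo "running as: $(id)"
  status=0
  check_path socket "${DOCKER_SOCK:-/var/run/docker.sock}" || status=1
  check_path dir "${LOG_DIR:-/var/lib/docker/containers}" || status=1
  return "$status"
}

diagnose || echo "Fix the volume mounts or the container user, then restart Filebeat."
```

The Dockerfile earlier in the thread ends with `USER filebeat`, so a socket that only root or a host group can open will be reported as DENIED along with its numeric owner and mode. MISSING means the path was never mounted into the container.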
