Filebeat-0SS throwing error while connecting with AWS ES

Rakesh_Joshi3107 · April 29, 2020, 3:51pm

Hi,

I'm trying to use Filebeat-OSS with AWS ES to ingest AWS ECS Container logs, I'm getting that Filebeat is not able to connect with ES.

"2020-04-29T15:40:54.266Z ERROR pipeline/output.go:100 Failed to connect to backoff(elasticsearch(https://xxx-us-east-1.es.amazonaws.com:443/)): Connection marked as failed because the onConnect callback failed: request checking for ILM availability failed: 401 Unauthorized: {"Message":"Your request: '/_xpack' is not allowed."} "

Here is my docker file

FROM docker.elastic.co/beats/filebeat-oss:7.6.2
COPY filebeat.yml /usr/share/filebeat/filebeat.yml
USER root
RUN chmod 777 /usr/share/filebeat/
RUN chown root:filebeat /usr/share/filebeat/
USER filebeat

Here is my filebeat.yml

filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
output.elasticsearch:
  hosts: ['https://xxx.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: auto   
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false

#============================== Xpack Monitoring ===============================

xpack.monitoring.enabled: false

And If I use Filebeat with Logstash for this, its working fine but I'm want directly to use Filebeat to get ECS exported fields which i cannot get with logstash.

Thanks,

Christian_Dahlqvist · April 29, 2020, 4:18pm

I believe you need to disable ILM rather than have it set to auto.

Rakesh_Joshi3107 · April 29, 2020, 4:34pm

I have tried with ilm.enabled: false, but still getting the same error.

Luca_Belluccini · April 29, 2020, 5:25pm

Please add also setup.ilm.enabled: false at the root of the configuration.

filebeat.yml

filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
output.elasticsearch:
  hosts: ['https://xxx.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: false   
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false
setup.ilm.enabled: false

Rakesh_Joshi3107 · April 29, 2020, 6:19pm

Thanks a lot @Luca_Belluccini, it worked.

Can you please help in another issue, i'm using filebeat as daemonset in AWS ECS and i'm not ECS exported fields. Basically i want to get some basic informations of docker containers to identify the logs(e.g. Container name, etc.).

Luca_Belluccini · April 29, 2020, 6:38pm

Can you try adding add_docker_metadata:

filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
  processors:
  - add_docker_metadata: ~

Rakesh_Joshi3107 · April 29, 2020, 7:06pm

No @Luca_Belluccini, it didn't worked.

filebeat.inputs:
- type: container
  paths:
    - /var/lib/docker/containers/*/*.log
  processors:
  - add_docker_metadata: ~  
output.elasticsearch:
  hosts: ['https://vpc-elasticsearch-1-qb6jzysg4sqjyyiyrlmujrhc3i.us-east-1.es.amazonaws.com:443/']
  ilm.enabled: auto   
  index: "ecs-dev-%{+YYYY.MM.dd}"
setup.template:
  name: 'ecs-dev'
  pattern: 'ecs-dev-*'
  enabled: false  
setup.ilm.enabled: false ```

Luca_Belluccini · April 29, 2020, 7:14pm

Please check if Filebeat has access to the Docker sock as explained here
https://www.elastic.co/guide/en/beats/filebeat/master/add-docker-metadata.html

system · May 27, 2020, 7:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.