Filebeat cannot setup

I want to set up my Filebeat, but I get a report like this:

[root@bdi-uat-splunkes filebeat]# filebeat setup
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://10.194.11.67:9200: 401 Unauthorized: {"error":{"root_cause":[{"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}}],"type":"security_exception","reason":"missing authentication credentials for REST request [/]","header":{"WWW-Authenticate":["Basic realm=\"security\" charset=\"UTF-8\"","Bearer realm=\"security\"","ApiKey"]}},"status":401}]

Why?

Btw, how do I make a cert for Filebeat?

You have security enabled with TLS, but you're not sending any credentials to authenticate with elasticsearch. What do you mean make a cert for filebeat?

Yes, I have security with TLS.

I mean, what should I do to make a credential to authenticate with my Elasticsearch?

If you haven't done this yet: elasticsearch-setup-passwords | Elasticsearch Guide [7.12] | Elastic

Yes, I did that, but I used elasticsearch-setup-passwords interactive. What should I do next?

Set the user/pass in the ES output in the config file. See Configure the Elasticsearch output | Filebeat Reference [7.12] | Elastic

Basic authentication, API key authentication, or PKI certificate authentication?

Basic

[root@bdi-uat-splunkes filebeat]# filebeat setup
Overwriting ILM policy is disabled. Set `setup.ilm.overwrite: true` for enabling.

Index setup finished.
Loading dashboards (Kibana must be running and reachable)
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://10.194.11.68:5601/api/status fails: fail to execute the HTTP GET request: Get "https://10.194.11.68:5601/api/status": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "Elastic Certificate Tool Autogenerated CA"). Response: .

Still an error.

I'm assuming you're using the automatically generated self-signed certs. You need to set output.elasticsearch.ssl.certificate_authorities and setup.kibana.ssl.certificate_authorities. See Configure SSL | Filebeat Reference [7.12] | Elastic

For the .pem, should I use the ones from /etc/pki/client/cert.pem (Elasticsearch authorities) and /etc/pki/root/ca.pem (Kibana authorities), or from where?

Btw, there is a .key; where should I get it?

So idk how you generated your SSL certs, but if they're self-signed then copy the cert from Elasticsearch to the Elasticsearch path and the Kibana one to the Kibana path. If Kibana and Elasticsearch are using a keystore to hold the certs instead of the filesystem, you'll have to use the Java keytool to extract them. You don't need to worry about the .key files for the certificate authority files.

Now it works. Thank you so much, Alex.


glad I could help.
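
For reference, a filebeat.yml fragment that combines the two fixes from this thread (basic-auth credentials for the 401, CA certificates for the x509 error). It is an added example, not a config posted by anyone in the thread: the user name, the ES_PWD keystore key and the two CA file paths are assumptions, and only the host addresses come from the error messages above.

```yaml
# filebeat.yml (fragment) - example only, not from the original thread.

output.elasticsearch:
  # Host taken from the 401 error message in the thread.
  hosts: ["https://10.194.11.67:9200"]

  # Basic authentication. Without these two settings Elasticsearch answers
  # "missing authentication credentials for REST request [/]".
  # "filebeat_setup_user" is a placeholder for the account you use.
  username: "filebeat_setup_user"
  # Resolved from the Filebeat keystore rather than stored in clear text.
  # Assumes it was added beforehand with:
  #   filebeat keystore create
  #   filebeat keystore add ES_PWD
  password: "${ES_PWD}"

  # CA certificate that signed the Elasticsearch HTTP certificate.
  # Only the CA's public certificate is needed here; no .key file.
  # The path is a placeholder.
  ssl.certificate_authorities: ["/etc/filebeat/certs/elasticsearch-ca.pem"]

setup.kibana:
  # Host taken from the x509 error message in the thread.
  host: "https://10.194.11.68:5601"

  # CA certificate that signed the Kibana certificate. Without it,
  # `filebeat setup` stops at dashboard loading with
  # "x509: certificate signed by unknown authority".
  # The path is a placeholder.
  ssl.certificate_authorities: ["/etc/filebeat/certs/kibana-ca.pem"]

  # If no Kibana username/password is set here, Filebeat reuses the
  # credentials from output.elasticsearch.

# Keep certificate verification on. Setting ssl.verification_mode: none
# would also make the x509 error disappear, but Filebeat would then send
# the credentials above to any server that answers on those addresses.
```

Running `filebeat test output` checks the Elasticsearch connection, including the TLS handshake, before running `filebeat setup` again.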
