Filebeat Docker - Elasticsearch Host Issue

Hello Everyone! I'm trying to run Filebeat in a Docker container following this documentation: https://www.elastic.co/guide/en/beats/filebeat/current/running-on-docker.html#_run_the_filebeat_setup but in the second step, when I run the following command:

docker run \
--net=elastic docker.elastic.co/beats/filebeat:7.17.4 \
setup -E setup.kibana.host=0.0.0.0:5601 \
-E output.elasticsearch.hosts=["https://0.0.0.0:9200"] 

I receive this error:

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://0.0.0.0:9200: Get "https://0.0.0.0:9200": dial tcp 0.0.0.0:9200: connect: connection refused]

My Elasticsearch is already running in Docker and these are my hosts (by docker ps):

  • Elasticsearch: 0.0.0.0:9200
  • Kibana: 0.0.0.0:5061

Does anyone know the reason for this error?

Hi @mwsprotte Welcome to the community!

Docker Networking Issue not Elastic...

Another explanation

Might be worth reading... if you are new to docker

try using

host.docker.internal

docker run \
--net=elastic docker.elastic.co/beats/filebeat:7.17.4 \
setup -E setup.kibana.host=host.docker.internal:5601 \
-E output.elasticsearch.hosts=["https://host.docker.internal:9200"] 

Hi, @stephenb
Using 'host.docker.internal' worked for me, thanks for this tip and the references!! :smiley:

Hello @stephenb

I also received a similar error.

docker run \
docker.elastic.co/beats/filebeat:8.5.2 \
setup -E setup.kibana.host=172.18.0.3.0:5601 \
-E output.elasticsearch.hosts=["172.18.0.2:9200"]

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at http://172.18.0.2:9200: Get "http://172.18.0.2:9200": context deadline exceeded]

AND

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.1.6:9200: Get "https://192.168.1.6:9200": x509: certificate signed by unknown authority]

I tried the above method but it didn't work.

Hello, @AnkurYogi
I have already had this error. I solved it by adding the line

-E output.elasticsearch.ssl.verification_mode="none" 

This makes it skip the SSL verification.
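
For comparison with the `verification_mode="none"` setting above, this is an added example (not part of the thread or of Elastic's documentation) of a Filebeat output section that resolves the `x509: certificate signed by unknown authority` error by trusting the signing CA instead of turning verification off. The CA file name, its path inside the container and the `-v` mount shown in the comment are assumptions.

```yaml
# filebeat.docker.yml (output section only), constructed for illustration.
output.elasticsearch:
  # https:// must be explicit; a bare host:port is tried over http, as in the
  # "http://172.18.0.2:9200" error quoted in the thread.
  hosts: ["https://host.docker.internal:9200"]
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'

  # Weak setting from the thread: the error goes away because the server
  # certificate is no longer checked at all, so whatever answers on that
  # address is accepted and receives the credentials and the log stream.
  # ssl.verification_mode: "none"

  # Corrected: trust the CA that signed the Elasticsearch certificate.
  # Assumed path; bind-mount the CA file read-only into the container, e.g.
  #   -v "$(pwd)/ca.crt:/usr/share/filebeat/certs/ca.crt:ro"
  ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]

  # full (default): the chain and the host name or IP must both match.
  # certificate: chain only; a narrower fallback when the name used to reach
  # Elasticsearch (here host.docker.internal) is not in the certificate SANs.
  ssl.verification_mode: "full"
```

The same two settings can be passed on the `docker run` command line as `-E output.elasticsearch.ssl.certificate_authorities=[...]` and `-E output.elasticsearch.ssl.verification_mode=...`.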

filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: true
    reload.period: 10s

filebeat.modules:
- module: checkpoint
  firewall:
    var.syslog_host: 0.0.0.0
    var.syslog_port: 9001
filebeat.autodiscover:
  providers:
    - type: docker
      hints.enabled: true
filebeat.inputs:
- type: filestream
  enabled: true
  paths:
    - /var/log/*.log
processors:
- add_cloud_metadata: ~

output.elasticsearch:
  hosts: '${ELASTICSEARCH_HOSTS:elasticsearch:9200}'
  username: '${ELASTICSEARCH_USERNAME:}'
  password: '${ELASTICSEARCH_PASSWORD:}'

This is my filebeat.docker.yml
But the problem here is the 9001 port isn't listening on the local server to receive the logs.
Any hint on why the UDP port isn't running?

This is a docker item... you need to map the port see here

something like add -p 9001:9001
