Filebeat doesn't work with AWS ES domain

hairongGao · November 17, 2020, 11:52am

Hi Team,
I've been trying to make filebeat working with AWS ES domain , but I keep getting this error:

2020-11-17T11:42:25.740Z ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(https://search-pogo-logging-3oegsu4hacueitzstmqkmj2jkm.us-east-1.es.amazonaws.com:443)): Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_license endpoint, Filebeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Filebeat so it can verify the license.: unauthorized access, could not connect to the xpack endpoint, verify your credentials

Here is the configurations for filebeat:

 ---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"

    # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
    #filebeat.autodiscover:
    #  providers:
    #    - type: kubernetes
    #      node: ${NODE_NAME}
    #      hints.enabled: true
    #      hints.default_config:
    #        type: container
    #        paths:
    #          - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_cloud_metadata:
      - add_host_metadata:

    cloud.id: ${ELASTIC_CLOUD_ID}
    cloud.auth: ${ELASTIC_CLOUD_AUTH}

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
      username: ${ELASTICSEARCH_USERNAME}
      password: ${ELASTICSEARCH_PASSWORD}
    setup.ilm.enabled: false

I'm using docker.elastic.co/beats/filebeat:7.10 and AWS ES 7.8 , any comments/helps will be really appreciated!

Wolfram_Haussig · November 17, 2020, 1:49pm

Hi,

Welcome to this forum!

I think you have the wrong FileBeat version: ElasticSearch on AWS is not the same as the Elastic ElasticSearch. Both build upon the opensource code of ElasticSearch but they are not the same. Because of this the closedsource version of Elastic FileBeat is incompatible with the AWS Elasticsearch - in your case it fails to read the license endpoint which does not exist.

Therefore, you cannot use the standard version of FileBeat - you have to use the opensource version(I did not find the 7.10 version yet): docker.elastic.co/beats/filebeat-oss:7.9.3

Best regards
Wolfram

hairongGao · November 17, 2020, 3:37pm

YOU.ARE.THE.MAN
Thanks so much for this, I've been trapped for 3 hrs and finally it's working!

warkolm · November 17, 2020, 8:12pm

FYI there is no closed source version of Filebeat.

system · December 15, 2020, 10:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to connect AWS ES cluster Beats filebeat	4	2194	July 7, 2021
Filebeat 6.7.0 not working with AWS Elasticsearch Beats filebeat	4	7333	May 2, 2019
AWS Elasticsearch service and filebeat Beats filebeat	3	524	November 27, 2020
Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license: error from server, response code: 500 Beats filebeat	6	4817	July 12, 2019
License error with Filebeat 6.7.1 Docker image and AWS ElasticSearch Beats license , filebeat	2	1087	June 5, 2019

Filebeat doesn't work with AWS ES domain

Related topics