Filebeat proxy permissions?

agonzalez · November 30, 2016, 5:38pm

I have a nginx proxy restricting access to ES to PUT/POST only, but i am getting Forbidden in filebeat.log. Does filebeat need access to other URL locations?

I am allowing PUT and POST to /filebeat* index and this works:

curl -XPUT 'localhost:8080/filebeat-1.1.2016/test/1?pretty' -d'
{
"user" : "kimchy",
"post_date" : "2009-11-15T14:12:12",
"message" : "trying out Elasticsearch"
}'

but in filebeat logs i find forbidden error and dont get any log on ES.

2016-11-30T18:27:49+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden
2016-11-30T18:27:51+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden
2016-11-30T18:27:55+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden
2016-11-30T18:28:03+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden
2016-11-30T18:28:18+01:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.running=22 filebeat.harvester.started=22 libbeat.es.publish.read_bytes=1620 libbeat.publisher.published_events=1980 filebeat.harvester.open_files=22 libbeat.es.publish.write_bytes=680
2016-11-30T18:28:19+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden
2016-11-30T18:28:48+01:00 INFO Non-zero metrics in the last 30s: filebeat.harvester.open_files=1 libbeat.es.publish.read_bytes=324 libbeat.es.publish.write_bytes=136
2016-11-30T18:28:51+01:00 ERR Connecting error publishing events (retrying): 403 Forbidden

andrewkroh · November 30, 2016, 5:51pm

Can you turn on some logging on the nginx side to see what the requests are that are failing.

Filebeat 5 does a GET request to check the ES version. It can also check and install index templates depending on your config (GET/PUT to /_template/filebeat).

hartfordfive · November 30, 2016, 5:57pm

I ran into a similar situation in the past. I had forgotten to also white-list POST requests to the /_bulk API endpoint (or could be /{index}/_bulk if you've set a specific index name)

agonzalez · November 30, 2016, 6:10pm

yes, the /_bulk is the problem.

Why is filebeat using /_bulk and not /filebeat-xxx/_bulk? I just want to enable bulk post on /filebeat*

"POST /_bulk HTTP/1.1" 404 169 "-"

I have set index:

output:
elasticsearch:
hosts: ["xxxx:9200"]
index: filebeat

hartfordfive · November 30, 2016, 6:13pm

I think it will only include the index name in the URI if you specify the index name in the Filebeat config (output.elasticsearch.index: yourindexname-%{+yyyy.MM.dd}). I might be wrong, but @andrewkroh can probably confirm that for us.

agonzalez · November 30, 2016, 6:14pm

i have the index name set, but same.

output:
elasticsearch:
hosts: ["xxxx:9200"]
index: filebeat

hartfordfive · November 30, 2016, 6:16pm

By the way @andrewkroh, can you point me to the specific Go file that builds the URI for the POST request made to Elasticsearch? I'm curious to look a bit further into the low level details of it.

andrewkroh · November 30, 2016, 6:36pm

@hartfordfive The code is in the libbeat/outputs/elasticsearch package. Here's where the bulk request is being created https://github.com/elastic/beats/blob/master/libbeat/outputs/elasticsearch/bulkapi.go#L63

agonzalez · November 30, 2016, 6:41pm

@andrewkroh any idea why filebeat is using /_bulk instead of /filebeat-11.30.2016/_bulk or how to configure it? Thanks

andrewkroh · November 30, 2016, 6:48pm

Probably because there is support for sending events to different indices. It's easier and more efficient to send a single bulk request and write the various index values in the one bulk request rather than making multiple bulk requests (one for each index).

system · December 28, 2016, 6:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.