I have a nginx proxy restricting access to ES to PUT/POST only, but i am getting Forbidden in filebeat.log. Does filebeat need access to other URL locations?
I am allowing PUT and POST to /filebeat* index and this works:
Can you turn on some logging on the nginx side to see what the requests are that are failing.
Filebeat 5 does a GET request to check the ES version. It can also check and install index templates depending on your config (GET/PUT to /_template/filebeat).
I ran into a similar situation in the past. I had forgotten to also white-list POST requests to the /_bulk API endpoint (or could be /{index}/_bulk if you've set a specific index name)
I think it will only include the index name in the URI if you specify the index name in the Filebeat config (output.elasticsearch.index: yourindexname-%{+yyyy.MM.dd}). I might be wrong, but @andrewkroh can probably confirm that for us.
By the way @andrewkroh, can you point me to the specific Go file that builds the URI for the POST request made to Elasticsearch? I'm curious to look a bit further into the low level details of it.
Probably because there is support for sending events to different indices. It's easier and more efficient to send a single bulk request and write the various index values in the one bulk request rather than making multiple bulk requests (one for each index).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.