Hi,
I think I have stumbled upon a bug/feature when setting up filebeat or any other beat in my environment. I initially opened this as an issue at the github beats repository but was told that this was the right place to discuss this issue.
Problem description
I'm running everything on a kubernetes cluster with the official elastic operator and the cluster setup worked pretty straight forward (see setup information below). In the kubernetes environment I'm using an nginx ingress controller (configuration below) which only allows https traffic on port 443 to the elastic stack. It is possible to sucessfully connect to the elastic stack and issue curl commands. However, when trying to setup filebeat (configuration below), or any other beat, on an ec2 instance to index the data into elasticsearch I'm running into connection issues as can be seen below in the debug section.
Debugging/Analysis steps taken
When I allow traffic on port 80 the setup works fine. This lead me to the conclusion that something might not be implemented in the correct way. After analysing the debug log I had a closer look at the file libbeat/outputs/elasticsearch/client.go where the method execRequest is responsible for executing the http ping request. As far as my golang knowledge goes, which is essentially non existent, the call http.NewRequest
in line 801 ignores the https setting and tries to connect to the given url on port 80.
Question
- Is this behaviour intended for the different beats?
- If so, since elastic is pushing it's SIEM features and encrypted traffic is becoming more and more present, how should I setup filebeat in an https only environment.
Setup details
elastic kubernetes operator: 1.0.1
elastic version: 7.6.2
filebeat version: 7.6.2
master nodes: 3
data nodes: 2
kibana nodes: 1
filebeat configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/cron
fields:
log_type: cron
output.elasticsearch:
enabled: true
hosts: ["https://es.domain.tld:443"]
protocol: "https"
username: xxx
password: xxx
index: "filebeat-%{+yyyy.MM.dd}"
ssl.enabled: true
ssl.verification_mode: full
ingress configuration
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: es-ingress
namespace: <namespace>
annotations:
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# "413 Request Entity Too Large" uploading plugins, increase client_max_body_size
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
# For nginx-ingress controller < 0.9.0.beta-18
ingress.kubernetes.io/ssl-redirect: "true"
# "413 Request Entity Too Large" uploading plugins, increase client_max_body_size
ingress.kubernetes.io/proxy-body-size: 50m
ingress.kubernetes.io/proxy-request-buffering: "off"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
tls:
- hosts:
- <es.domain.tld>
rules:
- host: <es.domain.tld>
http:
paths:
- path: /
backend:
serviceName: <clustername>-es-http
servicePort: 9200
Debug log
[user@host ~]$ sudo filebeat setup -c /etc/filebeat/filebeat.yml -e -d "*"
2020-04-17T08:45:19.595Z INFO instance/beat.go:622 Home path: [/usr/share/filebeat] Config path: [/etc/filebeat] Data path: [/var/lib/filebeat] Logs path: [/var/log/filebeat]
2020-04-17T08:45:19.595Z DEBUG [beat] instance/beat.go:674 Beat metadata path: /var/lib/filebeat/meta.json
2020-04-17T08:45:19.596Z INFO instance/beat.go:630 Beat ID: 1b1ff016-e1cc-457b-b093-149575aa0e9b
2020-04-17T08:45:19.596Z INFO [beat] instance/beat.go:958 Beat info {"system_info": {"beat": {"path": {"config": "/etc/filebeat", "data": "/var/lib/filebeat", "home": "/usr/share/filebeat", "logs": "/var/log/filebeat"}, "type": "filebeat", "uuid": "1b1ff016-e1cc-457b-b093-149575aa0e9b"}}}
2020-04-17T08:45:19.596Z INFO [beat] instance/beat.go:967 Build info {"system_info": {"build": {"commit": "6a2e173b41fb655ef2226c92833ac0a469ed1577", "libbeat": "7.6.2", "time": "2020-03-05T09:08:43.000Z", "version": "7.6.2"}}}
2020-04-17T08:45:19.597Z INFO [beat] instance/beat.go:970 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":1,"version":"go1.13.7"}}}
2020-04-17T08:45:19.598Z INFO [beat] instance/beat.go:974 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2020-03-17T12:56:05Z","containerized":false,"name":"xxxxxxxxxxx","ip":["127.0.0.1/8","::1/128","xxx.xxx.xxx.xxx/xx","xxx","xxx","xxx","172.17.0.1/16",""],"kernel_version":"4.14.171-105.231.amzn1.x86_64","mac":["xxx","xxx","xxx"],"os":{"family":"redhat","platform":"amzn","name":"Amazon Linux AMI","version":"2018.03","major":2018,"minor":3,"patch":0},"timezone":"UTC","timezone_offset_sec":0,"id":""}}}
2020-04-17T08:45:19.599Z INFO [beat] instance/beat.go:1003 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/home/xxx/", "exe": "/usr/share/filebeat/bin/filebeat", "name": "filebeat", "pid": 4798, "ppid": 4797, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2020-04-17T08:45:18.780Z"}}}
2020-04-17T08:45:19.600Z INFO instance/beat.go:298 Setup Beat: filebeat; Version: 7.6.2
2020-04-17T08:45:19.600Z DEBUG [beat] instance/beat.go:324 Initializing output plugins
2020-04-17T08:45:19.600Z INFO elasticsearch/client.go:174 Elasticsearch url: https://es.domain.tld:443
2020-04-17T08:45:19.601Z DEBUG [publisher] pipeline/consumer.go:137 start pipeline event consumer
2020-04-17T08:45:19.601Z INFO [publisher] pipeline/module.go:110 Beat name: xxx
2020-04-17T08:45:19.601Z INFO elasticsearch/client.go:174 Elasticsearch url: https://es.domain.tld:443
2020-04-17T08:45:19.601Z DEBUG [elasticsearch] elasticsearch/client.go:733 ES Ping(url=https://es.domain.tld:443)
2020-04-17T08:46:49.601Z DEBUG [elasticsearch] elasticsearch/client.go:737 Ping request failed with: Get https://es.domain.tld:443: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2020-04-17T08:46:49.601Z ERROR elasticsearch/elasticsearch.go:261 Error connecting to Elasticsearch at https://es.domain.tld:443: Get https://es.domain.tld:443: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
2020-04-17T08:46:49.601Z ERROR instance/beat.go:933 Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://es.domain.tld:443: Get https://es.domain.tld:443: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)]
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://es.domain.tld:443: Get https://es.domain.tld:443: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)]
Thank you in advance for your assistance.