I installed a fleet agent, its state in Kibana is online and it's receiving logs over the UDP port configured in an integration.
However I don't see a data stream, looks like it's not sending these logs to elasticsearch, and I'm seeing these logs on the nodes:
[2021-01-15T00:17:16,287][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elastic015] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/xx.xxx.xx.xx:9200, remoteAddress=/xxx.xx.xxx.xxx:56656}
The Elasticsearch URL is set to https://myhost:9200 in Fleet settings, with these additional parameters:
I have used this setting and the enrollment in Kibana was successful. The agent is online.
It's the connection from the agent to elasticsearch that's not working.
I added an integration and the agent is receiving logs on the configured udp socket, but this data is not getting to elasticsearch.
Yes the certificate is self signed, in logstash & beats I use the "cacert" setting to provide the elastic CA certificate, which works fine. I can't find such a setting for the fleet agent configuration.
I enrolled the agent using elastic-agent enroll https://kibana.masked.host djhrSkEzY0feLdgJ2c3FxggTmRfX21GQkhRejpegJ6486eMpgNNLW53dw== -i
I've added an integration and set it to UDP:9503. The agent has received this configuration and is listening on this port:
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
filebeat 47953 root 19u IPv6 4338972 0t0 UDP *:9503
I can see traffic coming in from the appliance to the agent.
I can also see outgoing traffic to the elasticsearch hosts, but on the elastic nodes I see the "received plaintext http traffic on an https channel" warning.
The Barracuda WAF integration.
I don't see the error anymore, and after digging deeper it works fine actually.
The output section contains the correct settings.
I expected this data flow to be visible under Fleet -> data streams, which is empty?
But under index management -> data streams, I saw a "logs-barracuda.waf-default", and found that the index it's logging to is a hidden index .ds-logs-barracuda.waf-default-000001.
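To find which client is producing the "received plaintext http traffic on an https channel" warning quoted in this thread, the Elasticsearch server log can be grouped by remote address. This is an added example, not part of the original posts; the sample log lines and IP addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Matches the SecurityNetty4HttpServerTransport warning quoted in the thread.
PLAINTEXT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]+\]\s*\[(?P<node>[^\]]+)\]\s*"
    r"received plaintext http traffic on an https channel.*?"
    r"localAddress=/(?P<local>[^,}]+),\s*remoteAddress=/(?P<remote>[^,}]+)\}"
)

def split_host_port(addr):
    """Split 'host:port' on the last colon so IPv6 hosts also work."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def plaintext_clients(lines):
    """Count plaintext-on-HTTPS warnings per (node, client IP, server port)."""
    hits = Counter()
    for line in lines:
        m = PLAINTEXT_RE.match(line.strip())
        if not m:
            continue  # unrelated log line
        client_ip, _ = split_host_port(m["remote"])  # source port is ephemeral
        _, server_port = split_host_port(m["local"])
        hits[(m["node"], client_ip, server_port)] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, not real hosts).
_PREFIX = "][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] "
_MSG = ("received plaintext http traffic on an https channel, "
        "closing connection Netty4HttpChannel{localAddress=/")
SAMPLE = [
    "[2021-01-15T00:17:16,287" + _PREFIX + "[elastic015] " + _MSG
    + "192.0.2.15:9200, remoteAddress=/198.51.100.7:56656}",
    "[2021-01-15T00:17:21,301" + _PREFIX + "[elastic015] " + _MSG
    + "192.0.2.15:9200, remoteAddress=/198.51.100.7:56660}",
    "[2021-01-15T00:18:02,044" + _PREFIX + "[elastic016] " + _MSG
    + "192.0.2.16:9200, remoteAddress=/198.51.100.9:40112}",
    "[2021-01-15T00:18:05,100][INFO ][o.e.c.m.MetadataCreateIndexService] "
    "[elastic015] creating index",
]

if __name__ == "__main__":
    # Most frequent offenders first: these are the hosts whose output is
    # configured with http:// (or no TLS) against an https-only port.
    for (node, ip, port), n in plaintext_clients(SAMPLE).most_common():
        print(f"{n:3d}  client={ip}  ->  {node}:{port}")
```

A client address that keeps appearing here is a host whose output is still speaking plain HTTP to the TLS-enabled port, which narrows the check to that host's output settings.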