Fleet agent TLS settings

Hi,

I installed a fleet agent, its state in Kibana is online and it's receiving logs over the UDP port configured in an integration.
However, I don't see a data stream; it looks like it's not sending these logs to elasticsearch, and I'm seeing these logs on the nodes:

[2021-01-15T00:17:16,287][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elastic015] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/xx.xxx.xx.xx:9200, remoteAddress=/xxx.xx.xxx.xxx:56656}

The Elasticsearch URL is set to https://myhost:9200 in Fleet settings, with these additional parameters:

protocol: "https"
ssl.verification_mode: "none"

Is this a self-signed cert? If so, I think you are going to need to use the --insecure setting on the command line, see here

I have used this setting and the enrollment in Kibana was successful. The agent is online.
It's the connection from the agent to elasticsearch that's not working.

I added an integration and the agent is receiving logs on the configured udp socket, but this data is not getting to elasticsearch.

Can you post your whole agent config?

Also, is this a self-signed cert?

Yes, the certificate is self-signed. In logstash & beats I use the "cacert" setting to provide the elastic CA certificate, which works fine. I can't find such a setting for the fleet agent configuration.

I enrolled the agent using elastic-agent enroll https://kibana.masked.host djhrSkEzY0feLdgJ2c3FxggTmRfX21GQkhRejpegJ6486eMpgNNLW53dw== -i

The fleet.yml:

agent:
  id: eb051576-6041-43a8-84b2-85ef06b8f96d
fleet:
  enabled: true
  access_api_key: LTNSUef456E9xSmFzai1TNG13bUe54PGEvwiCGmN4TlhEUQ==
  kibana:
    protocol: https
    host: kibana.masked.host
    hosts:
    - kibana.masked.host
    timeout: 5m0s
    ssl:
      verification_mode: none
      renegotiation: never
  reporting:
    threshold: 10000
    check_frequency_sec: 30
  agent:
    id: ""

I've added an integration and set it to UDP:9503. The agent has received this configuration and is listening on this port:

COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
filebeat 47953 root   19u  IPv6 4338972      0t0  UDP *:9503

I can see traffic coming in from the appliance to the agent.
I can also see outgoing traffic to the elasticsearch hosts, but on the elastic nodes I see the "received plaintext http traffic on an https channel" warning.

Hmmm.... fleet is still early in its lifecycle.... I am not sure what is happening...

Which integration is this? (although I don't think that matters)

You could dig way into the config settings; I would be curious what you see.

Buried deep there is a file named action_store.yml,

something like
/opt/Elastic/Agent/data/elastic-agent-1da173/action_store.yml

There is an outputs section; curious what you see there.
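A small checker, added here as an example and not part of the original thread, that parses the "received plaintext http traffic on an https channel" warning quoted above and lints the hosts/protocol/ssl fields an outputs section carries. The sample log line and its addresses are constructed, and the Beats rule that a scheme in the host URL overrides the protocol key (default http) is assumed to hold for the agent's Elasticsearch output as well.

```python
import re
from urllib.parse import urlparse

# Matches the Elasticsearch warning quoted in the thread and pulls out the node
# that logged it and the peer address, so the misconfigured sender can be found.
PLAINTEXT_WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN\s*\]\[[^\]]*SecurityNetty4HttpServerTransport\] "
    r"\[(?P<node>[^\]]+)\] received plaintext http traffic on an https channel.*?"
    r"localAddress=/(?P<local>[^,]+), remoteAddress=/(?P<remote>[^}]+)\}"
)

def parse_plaintext_warning(line):
    """Return {ts, node, local, remote} for a matching log line, else None."""
    m = PLAINTEXT_WARN_RE.search(line)
    return m.groupdict() if m else None

def lint_es_output(hosts, protocol=None, verification_mode=None, certificate_authorities=None):
    """Flag output settings that trigger the warning above or weaken TLS.
    Assumed Beats/agent semantics: a scheme inside a host URL overrides the
    'protocol' key, and the default protocol is plain http.
    """
    findings, schemes = [], []
    for h in hosts:
        scheme = urlparse(h if "://" in h else f"{protocol or 'http'}://{h}").scheme
        schemes.append(scheme)
        if "://" in h and protocol and scheme != protocol:
            findings.append(f"{h}: URL scheme {scheme!r} overrides protocol {protocol!r}")
        if scheme == "http":
            findings.append(f"{h}: sends plaintext; a TLS-only node logs "
                            "'received plaintext http traffic on an https channel'")
    if verification_mode == "none":
        findings.append("ssl.verification_mode: none disables certificate checks; "
                        "trust the self-signed CA via ssl.certificate_authorities instead")
    elif "https" in schemes and not certificate_authorities:
        findings.append("no ssl.certificate_authorities: a self-signed cert only verifies "
                        "if its CA is in the system trust store")
    return findings

# Constructed sample line (addresses made up) in the format quoted in the thread.
SAMPLE_LINE = ("[2021-01-15T00:17:16,287][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] "
               "[elastic015] received plaintext http traffic on an https channel, closing connection "
               "Netty4HttpChannel{localAddress=/10.0.0.15:9200, remoteAddress=/10.0.0.77:56656}")

if __name__ == "__main__":
    print(parse_plaintext_warning(SAMPLE_LINE))
    for f in lint_es_output(["https://myhost:9200"], protocol="https", verification_mode="none"):
        print("finding:", f)
```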

The Barracuda WAF integration.
I don't see the error anymore, and after digging deeper it works fine actually.
The output section contains the correct settings.

I expected this data flow to be visible under Fleet -> data streams, which is empty?
But under index management -> data streams, I saw a "logs-barracuda.waf-default", and found that the index it's logging to is a hidden index .ds-logs-barracuda.waf-default-000001.

So, works fine after all.

Good it's working

I would expect it to show in data streams hmmmm

7.10.2 was just released perhaps take a look.

Same in 7.10.2
