Fleet agent tls settings

gregorys · January 14, 2021, 11:49pm

Hi,

I installed a fleet agent, its state in Kibana is online and its receiving logs over the UDP port configured in an integration.
However I don't see a data stream, looks like it's not sending these logs to elasticsearch, and I'm seeing these logs on the nodes:

[2021-01-15T00:17:16,287][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [elastic015] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/xx.xxx.xx.xx:9200, remoteAddress=/xxx.xx.xxx.xxx:56656}

The Elasticsearch URL is set to https://myhost:9200 in Fleet settings, with these additional parameters:

protocol: "https"
ssl.verification_mode: "none"

stephenb · January 15, 2021, 1:19am

Is this a self Signed Cert if I think you are going to need to use the --insecure setting on the command line see here

gregorys · January 15, 2021, 1:57am

I have used this setting and the enrollment in Kibana was successful. The agent is online.
It's the connection from the agent to elasticsearch that's not working.

I added an integration and the agent is receiving logs on the configured udp socket, but this data is not getting to elasticsearch.

stephenb · January 15, 2021, 1:58am

can you post your whole agent config?

Also is this a self signed cert?

gregorys · January 15, 2021, 11:24am

Yes the certificate is self signed, in logstash & beats I use the "cacert" setting to provide the elastic CA certificate, which works fine. I can't find such a setting for the fleet agent configuration.

I enrolled the agent using elastic-agent enroll https://kibana.masked.host djhrSkEzY0feLdgJ2c3FxggTmRfX21GQkhRejpegJ6486eMpgNNLW53dw== -i

The fleet.yml:

agent:
  id: eb051576-6041-43a8-84b2-85ef06b8f96d
fleet:
  enabled: true
  access_api_key: LTNSUef456E9xSmFzai1TNG13bUe54PGEvwiCGmN4TlhEUQ==
  kibana:
    protocol: https
    host: kibana.masked.host
    hosts:
    - kibana.masked.host
    timeout: 5m0s
    ssl:
      verification_mode: none
      renegotiation: never
  reporting:
    threshold: 10000
    check_frequency_sec: 30
  agent:
    id: ""

I've added an integration and set it to UDP:9503. The agent has received this configuration and is listening on this port:

COMMAND    PID USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
filebeat 47953 root   19u  IPv6 4338972      0t0  UDP *:9503

I can see traffic coming in from the appliance to the agent.
I can also see outgoing traffic to the elasticsearch hosts, but on the elastic nodes I see the "received plaintext http traffic on an https channel" warning.

stephenb · January 16, 2021, 2:01am

Hmmm.... fleet is still early in its lifecycle.... I am not sure what is happening...

Which integration is this? (although I don't think that matters)

you could dig way into the config settings I would be curious what you see.

buried deep there is a file named action_store.yml

something like
/opt/Elastic/Agent/data/elastic-agent-1da173/action_store.yml

There is an outputs section curious what you see there.

gregorys · January 16, 2021, 12:23pm

The Barracuda WAF integration.
I don't see the error anymore, and after digging deeper it works fine actually.
The output section contains the correct settings.

I expected this data flow to be visible under Fleet -> data streams, which is empty?
But under index managegement -> data streams, I saw a "logs-barracuda.waf-default", and found that the index it's logging to is a hidden index .ds-logs-barracuda.waf-default-000001.

So, works fine after all.

stephenb · January 16, 2021, 3:45pm

Good it's working

I would expect it to show in data streams hmmmm

7.10.2 was just released perhaps take a look.

gregorys · January 20, 2021, 12:09pm

Same in 7.10.2

system · February 17, 2021, 12:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.