[HELP][ERROR][FILEBEAT] “cannot retrieve the elasticsearch license from the /_license endpoint”

Vikas_Rathore · June 29, 2020, 2:15pm

I had below filebeat-kubernetes.yaml for my ELK where I was using filebeat v 6.6.2 and AWS Elasticsearch version 6.4. Everything was working fine.

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-config
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  filebeat.yml: |-
    filebeat.inputs:
    - type: container
      paths:
        - /var/log/containers/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/containers/"

    # To enable hints based autodiscover, remove `filebeat.inputs` configuration and uncomment this:
    #filebeat.autodiscover:
    #  providers:
    #    - type: kubernetes
    #      node: ${NODE_NAME}
    #      hints.enabled: true
    #      hints.default_config:
    #        type: container
    #        paths:
    #          - /var/log/containers/*${data.kubernetes.container.id}.log

    processors:
      - add_cloud_metadata:
      - add_host_metadata:

    output.elasticsearch:
      hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: filebeat-inputs
  namespace: kube-system
  labels:
    k8s-app: filebeat
data:
  kubernetes.yml: |-
    - type: docker
      containers.ids:
      - "*"
      processors:
        - add_kubernetes_metadata:
            in_cluster: true
      fields:
        aws_account_id: ${aws_account_id} 
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
spec:
  selector:
    matchLabels:
      k8s-app: filebeat
  template:
    metadata:
      labels:
        k8s-app: filebeat
    spec:
      serviceAccountName: filebeat
      terminationGracePeriodSeconds: 30
      containers:
      - name: filebeat
        image: docker.elastic.co/beats/filebeat:7.8.0
        args: [
          "-c", "/etc/filebeat.yml",
          "-e",
        ]
        env:
        - name: ELASTICSEARCH_HOST
          value: ${elasticsearch_host}
        - name: ELASTICSEARCH_PORT
          value: "443"
        securityContext:
          runAsUser: 0
        resources:
          limits:
            memory: 256Mi
          requests:
            cpu: 100m
            memory: 100Mi
        volumeMounts:
        - name: config
          mountPath: /etc/filebeat.yml
          readOnly: true
          subPath: filebeat.yml
        - name: inputs
          mountPath: /usr/share/filebeat/inputs.d
          readOnly: true
        - name: data
          mountPath: /usr/share/filebeat/data
        - name: varlibdockercontainers
          mountPath: /var/lib/docker/containers
          readOnly: true
      volumes:
      - name: config
        configMap:
          defaultMode: 0600
          name: filebeat-config
      - name: varlibdockercontainers
        hostPath:
          path: /var/lib/docker/containers
      - name: inputs
        configMap:
          defaultMode: 0600
          name: filebeat-inputs
      # We set an `emptyDir` here to ensure the manifest will deploy correctly.
      # It's recommended to change this to a `hostPath` folder, to ensure internal data
      # files survive pod changes (ie: version upgrade)
      - name: data
        emptyDir: {}
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: filebeat
subjects:
- kind: ServiceAccount
  name: filebeat
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: filebeat
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: filebeat
  labels:
    k8s-app: filebeat
rules:
- apiGroups: [""] # "" indicates the core API group
  resources:
  - namespaces
  - pods
  verbs:
  - get
  - watch
  - list
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: filebeat
  namespace: kube-system
  labels:
    k8s-app: filebeat
---

But when I am trying to update the version to 7.8.0(also updated the AWS elastic search to 7.4). I started getting an error

Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_license endpoint, Filebeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Filebeat so it can verify the license.: unauthorized access, could not connect to the xpack endpoint, verify your credentials

Someone suggested me to use the latest filebeat-kubernetes.yaml file. https://raw.githubusercontent.com/elastic/beats/7.8/deploy/kubernetes/filebeat-kubernetes.yaml

But I have trouble using it. Didn't find any documentation as well.

How can I get ELASTICSEARCH_USERNAME, ELASTICSEARCH_PASSWORD, ELASTIC_CLOUD_ID, ELASTIC_CLOUD_AUTH? As in AWS I am not getting any username and password.
On older yaml. I am passing " aws_account_id: ${aws_account_id} " in kubernetes.yaml. But I don't see any option in the new format yaml.

Can someone please help me to understand

Christian_Dahlqvist · June 29, 2020, 3:17pm

You need to use the OSS distribution and not the default one if connecting to AWS ES I believe.

Have not used AWS ES so am not sure how you need to configure to connect.

Vikas_Rathore · June 29, 2020, 3:22pm

Yes I am using AWS ES. OSS distribution? Could you please provide me a link or any documentation. From where I can get this info. I am applying this way, using kubeconfig

kubectl apply -f .filebeat-kubernetes.yaml --kubeconfig .kube_config.yaml

Thanks for helping

Christian_Dahlqvist · June 29, 2020, 3:30pm

Use the OSS distribution of Filebeat.

system · July 27, 2020, 3:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.