How can FileBeat access Kibana over SSL?

houmie · November 23, 2020, 11:49pm

Hello,

filebeat.inputs:
- type: log
  paths:
    - /var/log/app-uwsgi/app.json
  json.keys_under_root: true
  json.add_error_key: true
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: true
  reload.period: 10s
setup.template.settings:
  index.number_of_shards: 1
setup.kibana:
  host: "api-s2.domain.net:5505"
  protocol: "https"
  ssl.enabled: true
  #ssl.verification_mode: none
output.elasticsearch:
  hosts: ["t1.domain.net:9102"]
  protocol: "https"
  username: "elastic"
  password: "xxxx"
  ssl.certificate_authorities:
    - /etc/filebeat/certs/ca.crt
processors:
  - drop_fields:
      fields: ["agent", "log", "input", "ecs"]
      ignore_missing: false

I have a certificate obtained from Let'sEncrypt for my Kibana setup. So it's fully CA certified.
But when I run filebeat setup I get this:

error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://api-s2.domain.net:~~5505~~/api/status fails: fail to execute the HTTP GET request: Get "https://api-s2.domain.net:~~5505~~/api/status": x509: certificate signed by unknown authority. Response:

I could add ssl.verification_mode: none , but isn't that a security risk?

I prefer using the Let'sEncrypt SSL for Kibana instead of creating my own certificate through elasticsearch-certutil cert --keep-ca-key --pem .

The reason is that I would like to access my Kibana from anywhere from a browser. And for that to work I need CAs like lets encrypt, godaddy etc that are trusted by the browsers.

Certs created by elasticsearch-certutil are not recognised by browsers.

Any advise please? Thank you

shaunak · November 24, 2020, 12:56am

Are you able to successfully curl https://api-s2.domain.net:5505/api/status from the Filebeat host? If so, can you share the exact curl command that worked?

Thanks,

Shaunak

houmie · November 24, 2020, 7:32am

No, I'm not able to do this successfully. I get the error:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

houmie · November 25, 2020, 7:17am

Hi Elastic Support Team,

Is there any logs I should provide or any other information you need?

Thank you

houmie · November 26, 2020, 1:47pm

Hi @shaunak,

I'm currently analysing the ELK stack (minus Logstash Plus FileBeat) to see if we could utilise this for our business. If FileBeats can't reach the central server over SSL as demonstrated, this is a security concern for us and we have to look for a different solution.

Before I move on too quickly, I would like know if this a bug that can be fixed by ticketing or not? A reply would be much appreciated.

Thanks

shaunak · November 30, 2020, 3:00am

The fact that you aren't able to connect to Kibana with curl indicates that this isn't so much a Filebeat issue. I would suggest trying different options for the curl command until you can successfully connect to Kibana. Once you have a working curl command, please post it here and we can provide the corresponding Filebeat settings.

shaunak · November 30, 2020, 3:03am

Also, please note that these are community forums, not Elastic Support. We do our best to provide help here but there are no SLAs as such. If you are interested in Elastic Support (that comes with well-defined SLAs), you can find more information here: https://www.elastic.co/services/

Shaunak

system · December 28, 2020, 5:03am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.