Issue connecting to Elastic from Metricbeat

I am getting the following error when I try to connect to Elastic (which is on another server) from the Metricbeat server. What could be the issue? Can you guys help with it? Thanks in advance.

PS C:\ELK_PROD\Metricbeat> .\metricbeat test output
elasticsearch: https://AOSMonitor.degag.corpintra.net:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 53.36.18.220
dial up... OK
TLS...
security: server's certificate chain verification is enabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... ERROR Get "https://AOSMonitor.degag.corpintra.net:9200": Forbidden

Hmmm. Guessing from the output, it looks like the basics (name resolution of AOSMonitor using DNS) are working, which makes me suspect a firewall or proxy server somewhere not allowing you through. You could use your local web browser to try to connect to the Elasticsearch server with HTTPS, and make sure to try it with and without a proxy configuration in the browser, but I really prefer a command-line tool for that kind of testing. Does PowerShell come with something that will talk HTTPS? Some type of GetUsingUrl command? If not, install some MinGW tools like curl and wget and thank me later. Cygwin will also do, but might be overkill.

Thanks for the reply.
I tried from a local browser with and without a proxy, and I was able to open the Elasticsearch server. Still not sure why the test output is giving Forbidden.

On to it, ping is working to AOSMonitor.degag.corpintra.net from the Metricbeat server.

Telnet is working [AOSMonitor.degag.corpintra.net:9200] from the Metricbeat server.

Tracert is getting resolved within 2 hops.

What other reason could there be for the Forbidden?

From the browser I am able to connect to Elasticsearch with or without a proxy; not sure why I am not able to connect from Metricbeat. The test output is giving a Forbidden error.

HTTPS is using TCP (Transport Control Protocol?) as its underlying protocol. Ping is using something entirely different, something called ICMP - Internet Control Message Protocol, and firewalls and routers are usually a bit more relaxed about letting ICMP packets through. But it is good that pinging works because it proves (again) that DNS is working and that basic IP routing is working.

Telnet is also using TCP, so it is a bit confusing that it works but the 'test output' checks do not. I assume you got (encrypted) garbage when you connected to the Elasticsearch server on port 9200? If it was encrypted garbage that is also good, because that shows that you have (as the 'test output' shows) encryption with SSL and/or TLS set up.

You might want to see if you have openssl installed. It can be used like Telnet to talk TCP, but also under SSL/TLS encryption. Something like openssl s_client -connect AOSMonitor.degag.corpintra.net:9200 should give you non-garbage.

Ohh - I see you are referring to tracert, meaning that you are probably on a Windows machine. Then I am afraid that openssl is not an option.

Are you allowed to disable SSL encryption on the Elasticsearch server? That would be a small step forward if you could disable SSL on both the Elasticsearch server and on the Metricbeat client, and see if that made the test output succeed.

Hi @SANTHOSH_R Welcome to the community!

Forbidden typically means an authentication/authorization issue, i.e. a username/password or API key issue.

What form of authentication are you using?

Can you curl elasticsearch with the exact same credentials from the metricbeat host?
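
Following the suggestion above to repeat the request from the Metricbeat host with the exact same credentials, this added example (not part of the thread and not Elastic's code) sends that request from Python with or without the system proxy and reports whether a 401/403 was produced by Elasticsearch or by something in between. It assumes Elasticsearch security errors carry a JSON body whose error.type is security_exception; the function names and sample responses are constructed for illustration.

```python
import base64
import json
import urllib.error
import urllib.request

# Constructed sample bodies (not captured from the poster's environment).
SAMPLE_ES_403 = b'{"error":{"type":"security_exception","reason":"unauthorized"},"status":403}'
SAMPLE_PROXY_403 = b"<html><body><h1>403 Forbidden</h1></body></html>"


def classify(status, headers, body):
    """Decide who most likely produced an auth-related HTTP status."""
    names = {k.lower() for k in headers}
    try:
        doc = json.loads(body)
        err = doc.get("error") if isinstance(doc, dict) else None
    except ValueError:  # empty or non-JSON body, e.g. a proxy error page
        err = None
    err_type = err.get("type") if isinstance(err, dict) else None
    # Assumption: a security_exception body or X-elastic-product header means
    # the response really came from Elasticsearch.
    from_es = err_type == "security_exception" or "x-elastic-product" in names
    if from_es and status == 401:
        return "elasticsearch-authn"   # credentials missing or rejected
    if from_es and status == 403:
        return "elasticsearch-authz"   # user accepted, role lacks privilege
    if status in (401, 403, 407):
        return "intermediary"          # proxy, WAF or load balancer answered
    return "not-an-auth-error"


def probe(url, user=None, password=None, use_proxy=False):
    """GET url with the given credentials; returns (status, headers, body)."""
    # ProxyHandler({}) disables the environment/system proxy for this request.
    handlers = [] if use_proxy else [urllib.request.ProxyHandler({})]
    opener = urllib.request.build_opener(*handlers)
    req = urllib.request.Request(url)
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as exc:  # 4xx/5xx still carry a response
        return exc.code, dict(exc.headers), exc.read()


if __name__ == "__main__":
    print(classify(403, {"Content-Type": "application/json"}, SAMPLE_ES_403))
    print(classify(403, {"Server": "gateway"}, SAMPLE_PROXY_403))
```

Run `classify(*probe(url, user, password))` once with `use_proxy=False` and once with `use_proxy=True`, using the same username and password configured in metricbeat.yml; differing results point at the proxy path rather than the credentials.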
