We are rolling out a cluster with security high on the list of targets, so using SSL, authentication, etc.
In our filebeat.yml, we have:
output.elasticsearch.username = "${ES_USER}"
output.elasticsearch.password = "${ES_PASS}"
and we have stored the relevant data in the filebeat keystore.
When we run systemctl start filebeat, we get an error:
instance/beat.go:877 - Exiting: error initializing publisher: missing field accessing 'output.elasticsearch.username' (source:'/etc/filebeat/filebeat.yml')
But if we run the start command manually, it works....
So we are deducing that systemd is doing something with these variables before filebeat gets a look in.
We have tried quoting - single and double - / escaping but it still fails.
Any ideas?
I have entered the values into the yaml file and it works as expected, but then that exposes the username and the password to prying eyes, so not good.