Licence check is making the auditbeat connection fail with AWS elasticsearch

I am using auditbeat version 7.5.2 and AWS opensearch based elasticsearch engine version 7.10.2
The connection to the elasticsearch is breaking with the following error:

connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license from the /_xpack endpoint, Auditbeat requires the default distribution of Elasticsearch. Please make the endpoint accessible to Auditbeat so it can verify the license.: unauthorized access, could not connect to the xpack endpoint, verify your credentials

I checked the endpoint, AWS doesn't allow that endpoint:

"Message": "Your request: '/_xpack' is not allowed."

I found that the licence check has been mandatory from beat version 7.13.*.
Why is this error happening with an older version?

OpenSearch/OpenDistro are AWS run products and differ from the original Elasticsearch and Kibana products that Elastic builds and maintains. You may need to contact them directly for further assistance.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns :elasticheart: )

Welcome to our community! :smiley:

Can you please confirm the version of Auditbeat you have installed, it'd be good if you could show the output of auditbeat version.

It's a Kubernetes-based deployment, here is some part of the log lines when the beat starts:

[root@Host auditbeat]# auditbeat version
auditbeat version 7.5.2 (amd64), libbeat 7.5.2 [a9c141434cd6b25d7a74a9c770be6b70643dc767 built 2020-01-15 11:10:32 +0000 UTC]
[root@Host auditbeat]#

Please don't post pictures of text, logs or code. They are difficult to read, impossible to search and replicate (if it's code), and some people may not be even able to see them :slight_smile:

What modules do you have enabled... there are some auditbeat modules that fall under the old x-pack licensing...

Example System Module | Auditbeat Reference [7.5] | Elastic

So if you want to use Auditbeat with AWS ES ... AKA Open Search you would need to use Auditbeat OSS if it will work at all

see here for downloads


Yes, using Auditbeat-oss made it work. I used this image: beats/auditbeat-oss:7.10.2 | Docker @ Elastic

Thanks for the help.
