Looking for help enabling Metricbeat

Hello,

I have a single node deploy of Elasticsearch Enterprise Search and Kibana all on version 8.6.2. In this node I enabled self-monitoring with xpack, but am trying to switch to using Metricbeat.

While in 'Stack monitoring' > Clusters > elasticsearch > Nodes - 'setup mode' in the UI I followed those quick start steps but am encountering errors trying to start metricbeat.

Below are some relevant configs

elasticsearch.yml

path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["elastic"]
http.host: 0.0.0.0

metricbeat export config

metricbeat:
  config:
    modules:
      path: /etc/metricbeat/modules.d/*.yml
      reload:
        enabled: false
output:
  elasticsearch:
    hosts:
    - http://localhost:9200
    password: [redacted]
    username: elastic
path:
  config: /etc/metricbeat
  data: /var/lib/metricbeat
  home: /usr/share/metricbeat
  logs: /var/log/metricbeat
processors:
- add_host_metadata: null
setup:
  template:
    settings:
      index:
        codec: best_compression
        number_of_shards: 1

ls -l /etc/metricbeat/modules.d/ | grep elasticsearch
-rw-r--r--. 1 root root  295 May 16 07:23 elasticsearch.yml

I moved the elasticsearch-xpack.yml file in attempts to try and potentially quiet any noise, but to no avail.

These are the errors and it does not populate in the Kibana monitoring UI:

journalctl -u metricbeat -f
-- Logs begin at Mon 2023-05-15 12:41:42 CDT. --
May 16 08:04:10 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:10.955-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node: error making http request: Get \"http://localhost:9200/_nodes/_local\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:13 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:13.552-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:13 elastic metricbeat[23846]: {"log.level":"info","@timestamp":"2023-05-16T08:04:13.552-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":141},"message":"Attempting to reconnect to backoff(elasticsearch(http://localhost:9200)) with 3 reconnect attempt(s)","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:20 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:20.954-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node_stats: error making http request: Get \"http://localhost:9200/_nodes/_local/stats\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:20 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:20.954-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node: error making http request: Get \"http://localhost:9200/_nodes/_local\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:27 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:27.923-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(http://localhost:9200)): Get \"http://localhost:9200\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:27 elastic metricbeat[23846]: {"log.level":"info","@timestamp":"2023-05-16T08:04:27.923-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":141},"message":"Attempting to reconnect to backoff(elasticsearch(http://localhost:9200)) with 4 reconnect attempt(s)","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:30 elastic metricbeat[23846]: {"log.level":"info","@timestamp":"2023-05-16T08:04:30.936-0500","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000}},"id":"metricbeat.service"},"cpuacct":{"id":"metricbeat.service","total":{"ns":290893188}},"memory":{"id":"metricbeat.service","mem":{"limit":{"bytes":9223372036854771712},"usage":{"bytes":46444544}}}},"cpu":{"system":{"ticks":130,"time":{"ms":130}},"total":{"ticks":280,"time":{"ms":280},"value":280},"user":{"ticks":150,"time":{"ms":150}}},"handles":{"limit":{"hard":262144,"soft":1024},"open":12},"info":{"ephemeral_id":"dccb5f83-6558-4cf3-aca7-c38cad78c921","name":"metricbeat","uptime":{"ms":30068},"version":"8.6.2"},"memstats":{"gc_next":25042072,"memory_alloc":13672288,"memory_sys":37831688,"memory_total":65798752,"rss":141361152},"runtime":{"goroutines":62}},"libbeat":{"config":{"module":{"running":4,"starts":4},"reloads":1,"scans":1},"output":{"events":{"active":0},"type":"elasticsearch","write":{"bytes":1555}},"pipeline":{"clients":12,"events":{"active":55,"published":55,"retry":92,"total":55},"queue":{"max_events":4096}}},"metricbeat":{"elasticsearch":{"node":{"events":3,"failures":3},"node_stats":{"events":3,"failures":3}},"system":{"cpu":{"events":4,"success":4},"filesystem":{"events":2,"success":2},"fsstat":{"events":1,"success":1},"load":{"events":3,"success":3},"memory":{"events":3,"success":3},"network":{"events":8,"success":8},"process":{"events":22,"success":22},"process_summary":{"events":3,"success":3},"socket_summary":{"events":3,"success":3},"uptime":{"events":1,"success":1}}},"system":{"cpu":{"cores":2},"load":{"1":0.44,"15":0.24,"5":0.34,"norm":{"1":0.22,"15":0.12,"5":0.17}}}},"ecs.version":"1.6.0"}}
May 16 08:04:30 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:30.955-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node_stats: error making http request: Get \"http://localhost:9200/_nodes/_local/stats\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:30 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:30.956-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node: error making http request: Get \"http://localhost:9200/_nodes/_local\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:40 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:40.955-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node_stats: error making http request: Get \"http://localhost:9200/_nodes/_local/stats\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:04:40 elastic metricbeat[23846]: {"log.level":"error","@timestamp":"2023-05-16T08:04:40.956-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node: error making http request: Get \"http://localhost:9200/_nodes/_local\": EOF","service.name":"metricbeat","ecs.version":"1.6.0"}

Need another pair of eyes!

A little more info.

If I browse the https://[ip addr]:9200 URL and login with the elastic username/pass it returns this

{
  "name" : "elastic",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "ddwf-yyrRuGqgGP8eiHGZw",
  "version" : {
    "number" : "8.6.2",
    "build_flavor" : "default",
    "build_type" : "rpm",
    "build_hash" : "2d58d0f136141f03239816a4e360a8d17b6d8f29",
    "build_date" : "2023-02-13T09:35:20.314882762Z",
    "build_snapshot" : false,
    "lucene_version" : "9.4.2",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}

After changing any host entries to HTTPS from HTTP, the logs now show this:

May 16 08:54:47 elastic metricbeat[24255]: {"log.level":"error","@timestamp":"2023-05-16T08:54:47.510-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":150},"message":"Failed to connect to backoff(elasticsearch(https://localhost:9200)): Get \"https://localhost:9200\": x509: certificate signed by unknown authority","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:54:47 elastic metricbeat[24255]: {"log.level":"info","@timestamp":"2023-05-16T08:54:47.510-0500","log.logger":"publisher_pipeline_output","log.origin":{"file.name":"pipeline/client_worker.go","file.line":141},"message":"Attempting to reconnect to backoff(elasticsearch(https://localhost:9200)) with 4 reconnect attempt(s)","service.name":"metricbeat","ecs.version":"1.6.0"}
May 16 08:54:47 elastic metricbeat[24255]: {"log.level":"error","@timestamp":"2023-05-16T08:54:47.523-0500","log.logger":"esclientleg","log.origin":{"file.name":"transport/logging.go","file.line":38},"message":"Error dialing x509: certificate signed by unknown authority","service.name":"metricbeat","network":"tcp","address":"localhost:9200","ecs.version":"1.6.0"}
May 16 08:54:55 elastic metricbeat[24255]: {"log.level":"info","@timestamp":"2023-05-16T08:54:55.884-0500","log.logger":"monitoring","log.origin":{"file.name":"log/log.go","file.line":187},"message":"Non-zero metrics in the last 30s","service.name":"metricbeat","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000}},"id":"metricbeat.service"},"cpuacct":{"id":"metricbeat.service","total":{"ns":286170954}},"memory":{"id":"metricbeat.service","mem":{"limit":{"bytes":9223372036854771712},"usage":{"bytes":48017408}}}},"cpu":{"system":{"ticks":120,"time":{"ms":120}},"total":{"ticks":280,"time":{"ms":280},"value":280},"user":{"ticks":160,"time":{"ms":160}}},"handles":{"limit":{"hard":262144,"soft":1024},"open":10},"info":{"ephemeral_id":"aea6069d-3e7c-4ce0-82a8-edc907be41c6","name":"metricbeat","uptime":{"ms":30064},"version":"8.6.2"},"memstats":{"gc_next":24843944,"memory_alloc":14888192,"memory_sys":37831688,"memory_total":72226920,"rss":143556608},"runtime":{"goroutines":62}},"libbeat":{"config":{"module":{"running":4,"starts":4},"reloads":1,"scans":1},"output":{"events":{"active":0},"type":"elasticsearch"},"pipeline":{"clients":12,"events":{"active":55,"published":55,"retry":92,"total":55},"queue":{"max_events":4096}}},"metricbeat":{"elasticsearch":{"node":{"events":3,"failures":3},"node_stats":{"events":3,"failures":3}},"system":{"cpu":{"events":3,"success":3},"filesystem":{"events":2,"success":2},"fsstat":{"events":1,"success":1},"load":{"events":3,"success":3},"memory":{"events":3,"success":3},"network":{"events":8,"success":8},"process":{"events":22,"success":22},"process_summary":{"events":3,"success":3},"socket_summary":{"events":3,"success":3},"uptime":{"events":1,"success":1}}},"system":{"cpu":{"cores":2},"load":{"1":0.2,"15":0.22,"5":0.2,"norm":{"1":0.1,"15":0.11,"5":0.1}}}},"ecs.version":"1.6.0"}}
May 16 08:54:55 elastic metricbeat[24255]: {"log.level":"error","@timestamp":"2023-05-16T08:54:55.939-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.node_stats: error making http request: Get \"https://192.168.1.34:9200/_nodes/_local/stats\": x509: certificate signed by unknown authority","service.name":"metricbeat","ecs.version":"1.6.0"}

metricbeat test output
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: ::1, 127.0.0.1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.6.2

This looks similar to this thread. Do you need to add the path to your certificates authorities?

Hi, Carly. Thanks for the response.

I'm using a single node deploy and runinng with the autogenerated certificates for Elasticsearch. That is providing the following in the /etc/elasticsearch/certs/ directory

-rw-rw----. 1 root elasticsearch  1915 May 15 13:50 http_ca.crt
-rw-rw----. 1 root elasticsearch 10029 May 15 13:50 http.p12
-rw-rw----. 1 root elasticsearch  5822 May 15 13:50 transport.p12

There is a CA in the http.p12, but that is not a preferred format for metricbeat, it appears?

May 17 07:20:07 elastic metricbeat[1564]: {"log.level":"warn","@timestamp":"2023-05-17T07:20:07.231-0500","log.logger":"cfgwarn","log.origin":{"file.name":"tlscommon/config.go","file.line":102},"message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0","service.name":"metricbeat","ecs.version":"1.6.0"}
May 17 07:20:07 elastic metricbeat[1564]: {"log.level":"error","@timestamp":"2023-05-17T07:20:07.231-0500","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls.go","file.line":175},"message":"Failed to add CA to the cert pool, CA is not a valid PEM document","service.name":"metricbeat","ecs.version":"1.6.0"}
May 17 07:20:07 elastic metricbeat[1564]: {"log.level":"info","@timestamp":"2023-05-17T07:20:07.232-0500","log.origin":{"file.name":"instance/beat.go","file.line":442},"message":"metricbeat stopped.","service.name":"metricbeat","ecs.version":"1.6.0"}
May 17 07:20:07 elastic metricbeat[1564]: {"log.level":"error","@timestamp":"2023-05-17T07:20:07.232-0500","log.origin":{"file.name":"instance/beat.go","file.line":1071},"message":"Exiting: error initializing publisher: 1 error: file is not a certificate adding /etc/elasticsearch/certs/http.p12 to the list of known CAs accessing 'output.elasticsearch' (source:'/etc/metricbeat/metricbeat.yml')","service.name":"metricbeat","ecs.version":"1.6.0"}
May 17 07:20:07 elastic metricbeat[1564]: Exiting: error initializing publisher: 1 error: file is not a certificate adding /etc/elasticsearch/certs/http.p12 to the list of known CAs accessing 'output.elasticsearch' (source:'/etc/metricbeat/metricbeat.yml')

So I tried copying the http_ca.crt above to .pem and referenced it in the metricbeat config, restarted the service, but still its not liking it for some reason.

May 17 07:37:50 elastic metricbeat[1659]: {"log.level":"error","@timestamp":"2023-05-17T07:37:50.472-0500","log.origin":{"file.name":"module/wrapper.go","file.line":256},"message":"Error fetching data for metricset elasticsearch.index: error determining if connected Elasticsearch node is master: error making http request: Get \"https://192.168.1.34:9200/_nodes/_local/nodes\": x509: certificate signed by unknown authority","service.name":"metricbeat","ecs.version":"1.6.0"}

And here is the metricbeat config now showing I'm trying to use the preconfigured CA. I'm definately confused as to what is required to get metricbeat to connect to the running, same server within elasticsearch node.

metricbeat export config
metricbeat:
  config:
    modules:
      path: /etc/metricbeat/modules.d/*.yml
      reload:
        enabled: false
output:
  elasticsearch:
    hosts:
    - https://localhost:9200
    password: [redacted]
    ssl:
      certificate_authorities:
      - /etc/elasticsearch/certs/http_ca.pem
      verification_mode: none
    username: elastic
path:
  config: /etc/metricbeat
  data: /var/lib/metricbeat
  home: /usr/share/metricbeat
  logs: /var/log/metricbeat
processors:
- add_host_metadata: null
setup:
  kibana:
    host: localhost:5601
  template:
    settings:
      index:
        codec: best_compression
        number_of_shards: 1

elasticsearch 10029 is EOL and no longer supported. Please upgrade ASAP.

(This is an automated response from your friendly Elastic bot. Please report this post if you have any suggestions or concerns )

I got things working with the following configs, but I don't recall the 'Stack monitoring' UI quick start mention this, nor the metricbeat quickstart docs.

It was mostly me finding other, similar community posts and pieced them together.

Put in the following for the root metricbeat.yml config:

setup.kibana:
  host: "https://elastic:5601"

output.elasticsearch:
  hosts: ["https://localhost:9200"]
username: "elastic"
password: "[redacted]"
  ssl:
    enabled: true
    certificate_authorities: "/etc/elasticsearch/certs/http_ca.crt"

Enable the proper modules

metricbeat modules enable kibana kibana-xpack elasticsearch elasticsearch-xpack

Edit the module files:

	vim elasticsearch.yml
	- module: elasticsearch
	  metricsets:
	    - node
	    - node_stats
	  period: 10s
	  hosts: ["https://localhost:9200"]
	  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
	  username: "elastic"
	  password: "[redacted]"
	
	vim elasticsearch-xpack.yml
	- module: elasticsearch
	  xpack.enabled: true
	  period: 10s
	  hosts: ["https://localhost:9200"]
	  ssl.certificate_authorities: ["/etc/elasticsearch/certs/http_ca.crt"]
	  username: "elastic"
	  password: "[redacted]"
	
	vim kibana.yml
	- module: kibana
	  metricsets:
	    - status
	  period: 10s
	  hosts: ["https://elastic:5601"]
	  ssl.certificate_authorities: ["/etc/kibana/kibana.crt"]
	  #basepath: ""
	  username: "elastic"
	  password: "[redacted]"
	
	vim kibana-xpack.yml
	- module: kibana
	  xpack.enabled: true
	  period: 10s
	  hosts: ["https://elastic:5601"]
	  ssl.certificate_authorities: ["/etc/kibana/kibana.crt"]
	  #basepath: ""
	  username: "elastic"
      password: "[redacted]"

Then starting the systemd service and watching syslog for any fails that may need to be addressed.
systemctl start metricbeat && tail -f /var/log/messages

Once things started to look good, logged into the UI and made sure the former xpack self-monitor was migrated and metricbeat was showing to be monitoring now.

The next thing to try is what happens when replacing the autogenerated Elasticsearch transport and http certs...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.