Metricbeat Configuration on eck

emmanuel_stevens_LED · October 22, 2022, 6:14pm

Hello,

I am trying to send data from a container ubuntu to eck. Below you can see my configuration

output.elasticsearch:

Array of hosts to connect to.

hosts: ["https://elasticsearch-es-internal-http:9200"]

Protocol - either http (default) or https.

protocol: "https"

Authentication credentials - either API key or username/password.

#api_key: "id:api_key"
username: "elastic"
password: "eraseforobviousreason"
ssl:
enabled: true
ssl.certificate_authorities: ["/etc/certificates/ca.crt"]

I create the ubuntu containe with the yaml

apiVersion: v1
kind: Pod
metadata:
labels:
app: test
name: test
spec:
containers:

image: ubuntu:latest
command: ["/bin/sleep", "3650d"]
name: logstash
ports:

containerPort: 9200

containerPort: 5044
env:

name: ES_HOSTS
value: "https://elasticsearch-es-http:9200"

name: ES_USER
value: "elastic"

name: ES_PASSWORD
valueFrom:
secretKeyRef:
name: elasticsearch-es-elastic-user
key: elastic
resources: {}
volumeMounts:

name: cert-ca
mountPath: "/etc/lcertificates"
readOnly: true
restartPolicy: OnFailure
volumes:

name: cert-ca
secret:
secretName: elasticsearch-es-http-certs-public

status: {}

i try to run the command
metricbeat setup -e and i got an error saying they do not regognize the certificate.

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://elasticsearch-es-http:9200: Get "https://elasticsearch-es-http:9200": x509: certificate signed by unknown authority]

Can you help me please

PS: the same certificate send data from logstash to eck but do not get the grafic. i have to send directly to eck before running with logstash. that is why i am doing this

AndersonQ · October 24, 2022, 2:43pm

Hello @emmanuel_stevens_LED,

I'm assuming you're running metricbeat manually, not using it under the Elastic Agent. If it isn't the case, please let me know.
More specifically, my current understanding of your setup is:

metricbeat > elasticsearch

and once it works, you want to have:

metricbeat > logstash > elasticsearch

Again, If I didn't understand correctly, please let me know.

The "x509: certificate signed by unknown authority" happens because the certificate is self-generated and metricbeat is neither configured to accept unknown certificates nor its certificate authorities includes the one for the SSL certificate it read.

From this limited snipped I believe the certificate store isn't quite right configured. In order to diagnose that I'd recommend to disable the SSL verification by setting verification-mode to none. If it works, then we'll know it's jut about getting metricbeat to correctly load the certificates.

Also, if you could provide the "full" yaml file, of course redacting the secrets and using a code block ("preformated text") to post it. You can use 3 back quotes (```) to open and close a code block. This way you posted seems to be rendered as markdonw , not the best to check the ymal.

This docs might help you. Also, could you say which metribeat and Elasticsearch version you're using?

emmanuel_stevens_LED · October 24, 2022, 7:56pm

Hello @AndersonQ ,

I would like to emphasize that i can send data to eck from logstash using the same certificate.

kind: ConfigMap
metadata:
  name: logstash-configmap
data:
  logstash.yml: |
    http.host: "0.0.0.0"
    path.config: /usr/share/logstash/pipeline
  logstash.conf: |

    input {
        kafka{
       bootstrap_servers => ["REMOVE FOR OBVIOUSREASON:9092"]
       group_id => "logstash-array"
       topics => ["troll-metrics"]
    }
    }

    output {
      elasticsearch {
        index => "metrics-copy"
        hosts => [ "${ES_HOSTS}" ]
        user => "${ES_USER}"
        password => "${ES_PASSWORD}"
        cacert => '/etc/logstash/certificates/ca.crt'
      }

      stdout {}


    }

This is the yml i use for my ubuntu container

kind: Pod
metadata:
  labels:
    app: ubuntu-metricbeat
  name: ubuntu-metricbeat
  namespace: elastic-monitoring

spec:
  containers:
  - image: ubuntu:latest
    name: ubuntu-metricbeat
    command: ["/bin/sleep", "3650d"]
    imagePullPolicy: IfNotPresent
    ports:
    - containerPort: 9092
    - containerPort: 5044
    env:
    - name: ES_HOSTS
      value: "remove for obvious reson:9200"
    - name: ES_USER
      value: "elastic"
    - name: ES_PASSWORD
      valueFrom:
        secretKeyRef:
          name: elasticsearch-es-elastic-user
          key: elastic
    resources: {}
    volumeMounts:

    - name: cert-ca
      mountPath: "/etc/"
      readOnly: true
  restartPolicy: OnFailure
  volumes:

  - name: cert-ca
    secret:
      secretName: elasticsearch-es-http-certs-public

This is from that container i want to send data from metricbeat.
I want to remoive the index and send the dta from metricbeat so it can create de dashborads and after i can send data from logstash and still have the dashborad. Normally the same certificate have to work, i have done the same thing with my elk cluster on vms. For an obscure reason, it doeasn t work now

I use the internal certificate provide by eck

stephenb · October 24, 2022, 11:26pm

Typo?... Extra l

lcertificates

emmanuel_stevens_LED · October 24, 2022, 11:53pm

This is an extra l @stephenb
I put the correct yml after. Sorry for the typo. i change the configuration many times. Was testing alot. the last yml are tho good one

emmanuel_stevens_LED · October 25, 2022, 12:04am

#  hosts:
#  - https://elasticsearch-es-http:9200
 
#  ssl:
#    certificateAuthorities: /etc/logstash/certificates/tls.crt
#    verificationMode: certificate



  # Array of hosts to connect to.
  hosts: ["https://elasticsearch-es-internal-http:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "obvious reson"
  ssl:
     enabled: true
     ssl.certificate_authorities: ["/etc/ca.crt"]

# ```)

stephenb · October 25, 2022, 3:59pm

Hi @emmanuel_stevens_LED

That is not correct you have ssl. in both levels

Should be

  ssl:
     enabled: true
     certificate_authorities: ["/etc/ca.crt"]

or

  ssl:
     enabled: true
     verification_mode: none

emmanuel_stevens_LED · October 25, 2022, 5:31pm

Thank you guys. Now my dashbord is awesome. @stephenb @AndersonQ . You help me alot. I ginna activate my llicense tonight. really nice product and amazing support from you

system · November 22, 2022, 7:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Metricbeat Configuration on eck

Array of hosts to connect to.

Protocol - either http (default) or https.

Authentication credentials - either API key or username/password.

Protocol - either `http` (default) or `https`.