MetricBeat Setup

I am trying to configure my metricbeat on my elasticsearch but I am getting the following error message.

```
/metricbeat-7.17.16-linux-x86_64] Data path: [/root/metricbeat-7.17.16-linux-x86_64/data] Logs path: [/root/metricbeat-7.17.16-linux-x86_64/logs] Hostfs Path: [/]
2024-01-19T16:23:54.587+0545 INFO instance/beat.go:706 Beat ID: f3d85e71-e92f-4302-a199-c9f0cf6aac66
2024-01-19T16:23:57.590+0545 WARN [add_cloud_metadata] add_cloud_metadata/provider_aws_ec2.go:79 read token request for getting IMDSv2 token returns empty: Put "http://169.254.169.254/latest/api/token": context deadline exceeded (Client.Timeout exceeded while awaiting headers). No token in the metadata request will be used.
2024-01-19T16:23:57.591+0545 INFO [beat] instance/beat.go:1052 Beat info {"system_info": {"beat": {"path": {"config": "/root/metricbeat-7.17.16-linux-x86_64", "data": "/root/metricbeat-7.17.16-linux-x86_64/data", "home": "/root/metricbeat-7.17.16-linux-x86_64", "logs": "/root/metricbeat-7.17.16-linux-x86_64/logs"}, "type": "metricbeat", "uuid": "f3d85e71-e92f-4302-a199-c9f0cf6aac66"}}}
2024-01-19T16:23:57.591+0545 INFO [beat] instance/beat.go:1061 Build info {"system_info": {"build": {"commit": "1490a760f9443652fbb7ce25ea8487be8acd03d9", "libbeat": "7.17.16", "time": "2023-12-07T19:05:58.000Z", "version": "7.17.16"}}}
2024-01-19T16:23:57.591+0545 INFO [beat] instance/beat.go:1064 Go runtime info {"system_info": {"go": {"os":"linux","arch":"amd64","max_procs":4,"version":"go1.20.11"}}}
2024-01-19T16:23:57.591+0545 INFO [beat] instance/beat.go:1070 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2024-01-18T13:03:00+05:45","containerized":false,"name":"wazuh","ip":["127.0.0.1","::1","192.168.88.248","fe80::c851:f5ff:fe21:618c"],"kernel_version":"5.4.0-169-generic","mac":["ca:51:f5:21:61:8c"],"os":{"type":"linux","family":"debian","platform":"ubuntu","name":"Ubuntu","version":"20.04.6 LTS (Focal Fossa)","major":20,"minor":4,"patch":6,"codename":"focal"},"timezone":"+0545","timezone_offset_sec":20700,"id":"c8ee876c7bc04cf59bbed51f95caf911"}}}
2024-01-19T16:23:57.592+0545 INFO [beat] instance/beat.go:1099 Process info {"system_info": {"process": {"capabilities": {"inheritable":null,"permitted":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"effective":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"bounding":["chown","dac_override","dac_read_search","fowner","fsetid","kill","setgid","setuid","setpcap","linux_immutable","net_bind_service","net_broadcast","net_admin","net_raw","ipc_lock","ipc_owner","sys_module","sys_rawio","sys_chroot","sys_ptrace","sys_pacct","sys_admin","sys_boot","sys_nice","sys_resource","sys_time","sys_tty_config","mknod","lease","audit_write","audit_control","setfcap","mac_override","mac_admin","syslog","wake_alarm","block_suspend","audit_read"],"ambient":null}, "cwd": "/root/metricbeat-7.17.16-linux-x86_64", "exe": "/root/metricbeat-7.17.16-linux-x86_64/metricbeat", "name": "metricbeat", "pid": 87393, "ppid": 87184, "seccomp": {"mode":"disabled","no_new_privs":false}, "start_time": "2024-01-19T16:23:53.570+0545"}}}
2024-01-19T16:23:57.592+0545 INFO instance/beat.go:292 Setup Beat: metricbeat; Version: 7.17.16
2024-01-19T16:23:57.592+0545 INFO [index-management] idxmgmt/std.go:184 Set output.elasticsearch.index to 'metricbeat-7.17.16' as ILM is enabled.
2024-01-19T16:23:57.592+0545 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://192.168.88.248:9200
2024-01-19T16:23:57.593+0545 INFO [publisher] pipeline/module.go:113 Beat name: wazuh
2024-01-19T16:23:57.611+0545 INFO [esclientleg] eslegclient/connection.go:105 elasticsearch url: https://192.168.88.248:9200
2024-01-19T16:23:57.627+0545 ERROR [esclientleg] transport/logging.go:37 Error dialing x509: certificate signed by unknown authority {"network": "tcp", "address": "192.168.88.248:9200"}
2024-01-19T16:23:57.628+0545 ERROR [esclientleg] eslegclient/connection.go:232 error connecting to Elasticsearch at https://192.168.88.248:9200: Get "https://192.168.88.248:9200": x509: certificate signed by unknown authority
2024-01-19T16:23:57.628+0545 ERROR instance/beat.go:1027 Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.88.248:9200: Get "https://192.168.88.248:9200": x509: certificate signed by unknown authority]
Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.88.248:9200: Get "https://192.168.88.248:9200": x509: certificate signed by unknown authority]
```

Hi @Ted0011

  1. How did you install Elasticsearch, and which version?

  2. Please share your filebeat.yml

Please format your code.

Your error is a common SSL error between Metricbeat and Elasticsearch.

I installed elasticsearch using wazuh documentation for all-in-one deployment...

I have encountered another error....

```
Loading dashboards (Kibana must be running and reachable)
2024-01-22T10:59:54.300+0545 INFO kibana/client.go:180 Kibana url: http://localhost:5601
2024-01-22T10:59:54.302+0545 ERROR instance/beat.go:1027 Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": EOF. Response: .
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to http://localhost:5601/api/status fails: fail to execute the HTTP GET request: Get "http://localhost:5601/api/status": EOF. Response: .
```

I checked the kibana.yml, but I have not specified localhost anywhere. How can I solve this issue?

Here is the filebeat.yml file...

```yaml
# Wazuh - Filebeat configuration file

output.elasticsearch.hosts: ["192.168.88.248:9200"]
output.elasticsearch.password: Pr@kr1t1@098

filebeat.modules:
  - module: wazuh
    alerts:
      enabled: true
    archives:
      enabled: false

setup.template.json.enabled: true
setup.template.json.path: /etc/filebeat/wazuh-template.json
setup.template.json.name: wazuh
setup.template.overwrite: true
setup.ilm.enabled: false

output.elasticsearch.protocol: https
output.elasticsearch.ssl.certificate: /etc/elasticsearch/certs/elasticsearch.crt
output.elasticsearch.ssl.key: /etc/elasticsearch/certs/elasticsearch.key
output.elasticsearch.ssl.certificate_authorities: /etc/elasticsearch/certs/ca/ca.crt
output.elasticsearch.ssl.verification_mode: strict
output.elasticsearch.username: elastic

logging.metrics.enabled: false

seccomp:
  default_action: allow
  syscalls:
  - action: allow
    names:
    - rseq
```

It looks like you don't have params for Kibana. Check a similar issue.

Thanks for your help, Rios. I just figured it out: I have updated my metricbeat.yml file to accept the Kibana setup and am rerunning Metricbeat, fingers crossed....
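
An added example, not part of the original thread or of the Wazuh or Elastic documentation: a metricbeat.yml fragment that addresses both errors shown above by trusting the CA that signed the Elasticsearch certificate and by setting the Kibana endpoint explicitly instead of the `http://localhost:5601` default. The Elasticsearch host and CA path are taken from the posts above; the Kibana URL, the `${ES_PWD}` keystore entry, and the assumption that Kibana serves HTTPS with a certificate from the same CA are assumptions.

```yaml
# metricbeat.yml (fragment). Lines marked ASSUMED are not from the thread.

output.elasticsearch:
  hosts: ["192.168.88.248:9200"]        # host from the Metricbeat log above
  protocol: https
  username: elastic
  # ASSUMED: password kept out of the file and stored in the Beats keystore
  # with `metricbeat keystore add ES_PWD`.
  password: "${ES_PWD}"
  ssl:
    # Addresses "x509: certificate signed by unknown authority": Metricbeat
    # must be told which CA issued the Elasticsearch certificate. This is
    # the same CA file the posted filebeat.yml already trusts.
    certificate_authorities: ["/etc/elasticsearch/certs/ca/ca.crt"]
    # Default mode: verify the chain and that the certificate matches the
    # host name or IP address in `hosts`.
    verification_mode: full
    # Weak setting, shown for contrast only. It makes the error disappear by
    # accepting any certificate, so the connection is no longer authenticated:
    # verification_mode: none

setup.kibana:
  # Without this section Metricbeat tries http://localhost:5601, as in the
  # second log above.
  # ASSUMED: replace with the server.host / server.port values from kibana.yml.
  host: "https://192.168.88.248:443"
  ssl:
    # ASSUMED: the Kibana certificate was issued by the same CA.
    certificate_authorities: ["/etc/elasticsearch/certs/ca/ca.crt"]
  # When no username/password is set here, Metricbeat reuses the
  # output.elasticsearch credentials for the Kibana API.
```

Running `metricbeat test config` and then `metricbeat test output` checks the syntax and the TLS handshake to Elasticsearch before `metricbeat setup` is rerun.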
