Metricbeat kafka module is not using SSL

Hi,

I'm trying to set up ELK monitoring for my Kafka cluster using the Metricbeat kafka module.

My Kafka cluster is using the SASL_SSL security protocol. I have configured my kafka.yml in Metricbeat like below:

  - module: kafka
    metricsets: ["partition", "consumergroup", "broker"]
    period: 10s
    hosts: ["host:port"]
    security.protocol: "SASL_SSL"
    sasl.mechanism: "PLAIN"
    ssl.verification_mode: none
    ssl.enabled: true
    ssl.certificate_authorities: ["ca.pem"]
    ssl.certificate: "mycert.pem"
    ssl.key: "mykey.key"

I have verified the connectivity using openssl with the above key and cert, and SSL-level connectivity is okay through openssl. However, when my Metricbeat connects to Kafka, the Kafka broker complains as below:

(errorMessage=SSL handshake failed caused by Unrecognized SSL message, plaintext connection?) (org.apache.kafka.common.network.Selector)
(errorMessage=Unexpected Kafka request of type METADATA during SASL handshake.) (org.apache.kafka.common.network.Selector)

It looks like the Metricbeat client is trying to connect without using SSL.

Appreciate any help to resolve this.

Thanks in advance!

I'm using ELK and Metricbeat version 7.17.

Hello, I believe you are missing the SASL part of the configuration:

  # SASL authentication
  #username: ""
  #password: ""

  # SASL authentication mechanism used. Can be one of PLAIN, SCRAM-SHA-256 or SCRAM-SHA-512.
  # Defaults to PLAIN when `username` and `password` are configured.
  #sasl.mechanism: ''

There should be a user for it.

Please check Here

Regards.

Thanks for the reply, @coezdemir.

I have added the username and password fields, but I am still getting the below error on the Kafka broker side:

(errorMessage=SSL handshake failed caused by Unrecognized SSL message, plaintext connection?) (org.apache.kafka.common.network.Selector)

And the below error on the Metricbeat side:

Error fetching data for metricset kafka.broker: error making http request: Post "http://<host>:<port>/jolokia/%3FignoreErrors=true&canonicalNaming=false": net/http: HTTP/1.x transport connection broken: malformed HTTP response "\x15\x03\x03\x00\x02\x02P"

Is it expected that Metricbeat is using HTTP in this case?

The updated Metricbeat kafka yml file is as below:

- module: kafka
  metricsets: ["partition", "consumergroup", "broker"]
  period: 10s
  hosts: ["<host>:<port>"]
  sasl.mechanism: "PLAIN"
  username: "<user>"
  password: "<pwd>"
  ssl.verification_mode: none
  ssl.enabled: true
  sasl.enabled: true
  ssl.certificate_authorities: ["ca.pem"]
  ssl.certificate: "mycert.pem"
  ssl.key: "mykey.key"
  bulk_max_size: 50

Hello,

Could you please share how you are starting Kafka, and which ports you are giving to your Metricbeat kafka modules?

As far as I can see, the module's "broker" scrape uses the Jolokia agent. So your port has to hit the Jolokia port, not the Kafka external listener port.

# Kafka metrics collected using the Kafka protocol
- module: kafka
  #metricsets:
  #  - partition
  #  - consumergroup
  period: 10s
  hosts: ["localhost:9092"]

From the documentation's example config, it can be seen that only the "partition" and "consumergroup" metricsets are available to be collected from Kafka's external port.

# Metrics collected from a Kafka broker using Jolokia
#- module: kafka
#  metricsets:
#    - broker
#  period: 10s
#  hosts: ["localhost:8779"]

The "broker" metricset needs a Jolokia agent port, as shown above.

Regards.
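
An added example, not part of any post in this thread and not Metricbeat code: it decodes the bytes quoted in the Metricbeat error above to show that the port answered the plain-HTTP Jolokia request with a TLS alert record, which is what the diagnosis about the Jolokia port predicts. The function names are hypothetical, the alert table is a small subset of the TLS registry, and the escape decoding assumes the payload contains only `\xNN` escapes and printable ASCII as in the posted error.

```python
import re

# TLS record content types and a subset of alert descriptions (RFC 5246 / RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 40: "handshake_failure",
                      70: "protocol_version", 80: "internal_error"}

# Error text as posted in the thread (host and port are the poster's placeholders).
SAMPLE_ERROR = (
    'Error fetching data for metricset kafka.broker: error making http request: '
    'Post "http://<host>:<port>/jolokia/%3FignoreErrors=true&canonicalNaming=false": '
    'net/http: HTTP/1.x transport connection broken: '
    'malformed HTTP response "\\x15\\x03\\x03\\x00\\x02\\x02P"'
)

def extract_response_bytes(error_text):
    """Pull the quoted payload out of a Go 'malformed HTTP response' error."""
    m = re.search(r'malformed HTTP response "((?:[^"\\]|\\.)*)"', error_text)
    if not m:
        return None
    # Assumption: only \xNN escapes and printable ASCII appear in the payload.
    return m.group(1).encode("ascii").decode("unicode_escape").encode("latin-1")

def classify_response(data):
    """Say whether the first bytes of a reply look like HTTP or a TLS record."""
    if data.startswith(b"HTTP/"):
        return {"protocol": "http"}
    # TLS record header: type (1 byte), version (2 bytes), length (2 bytes).
    if len(data) >= 5 and data[0] in CONTENT_TYPES and data[1] == 3:
        info = {"protocol": "tls",
                "content_type": CONTENT_TYPES[data[0]],
                "record_version": (data[1], data[2]),
                "length": int.from_bytes(data[3:5], "big")}
        # An alert record body is two bytes: level, then description.
        if data[0] == 21 and len(data) >= 7:
            info["alert_level"] = ALERT_LEVELS.get(data[5], "unknown")
            info["alert_description"] = ALERT_DESCRIPTIONS.get(data[6], str(data[6]))
        return info
    return {"protocol": "unknown"}

if __name__ == "__main__":
    payload = extract_response_bytes(SAMPLE_ERROR)
    print(payload, classify_response(payload))
```

A `tls` result for a host listed under the `broker` metricset means that host and port is a TLS listener (here, the Kafka SASL_SSL listener) rather than the plain-HTTP Jolokia endpoint the request was written for.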