Packetbeat will not GET Kibana HTTPS

Hello everyone,
I need help figuring out and fixing the following problem, where packetbeat won't start! :tired_face:

```
packetbeat[523584]: Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://192.168.1.10:5601/api/status fails: fail to execute
```
Where the
1- packetbeat test as follows:
```
[root@centos8 ~]# packetbeat test config
Config OK
[root@centos8 ~]#
[root@mycentos8 ~]# packetbeat test output
elasticsearch: https://192.168.1.10:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 192.168.1.10
dial up... OK
TLS...
security... WARN server's certificate chain verification is disabled
handshake... OK
TLS version: TLSv1.3
dial up... OK
talk to server... OK
version: 7.11.2
[root@mycentos8 ~]#
[root@mycentos8 ~]#
```

Access the link https://192.168.1.10:5601/api/status
```
|statusCode|401|
|---|---|
|error|"Unauthorized"|
|message|"Unauthorized"|
```

2- Packetbeat config

```
setup.kibana:
  host: "https://192.168.1.10:5601"
  protocol: "https"
  ssl.enabled: true
  username: "kibanauser"
  password: "password1"
  server.ssl.enabled: true
  server.ssl.certificate: /ca/packetbeatca/ca/ca.crt
  server.ssl.key: /ca/packetbeatca/ca/ca.key
  server.ssl.verification_mode: none
  ssl.certificate_authorities: ["/ca/packetbeatca/ca/elastic-certificate-tool-autogenerated-ca.pem"]
```

3- Kibana.yml
```
server.port: 5601
server.host: "0.0.0.0"
```
:eyes:

From the machine that is running Packetbeat, can you try making a curl request to the Kibana Status API?

```
curl -s -v -u kibanauser:password1 "https://192.168.1.10:5601/api/status"
```

What does this return?

Shaunak

[quote="shaunak, post:2, topic:267210"]
`curl -s -v -u kibanauser:password1 "https://192.168.1.10:5601/api/status"`
[/quote]

Thanks Shaunak
The return output is the following:

    # curl -s -v -u kibanauser:password1 "https://192.168.1.10:5601/api/status"
    *   Trying 192.168.1.10..
    * TCP_NODELAY set
    * Connected to 192.168.1.10 (192.168.1.10) port 5601 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/pki/tls/certs/ca-bundle.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, [no content] (0):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: self signed certificate
    * Closing connection 0

Any luck?
If not, do you know the best documents that describe installing certificates step by step (not the online manual) for
1- Elastic - Kibana SSL
2- Packetbeat - Kibana SSL
3- XPACK
Would shed light on the certificate difference for each one?

Maybe this blog post can help? Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash | Elastic Blog

Shaunak

Thanks

The problem is resolved.
The cause of the problem is the "kibana" user. The user's privileges cannot run

packetbeat setup

To solve the problem: either use a different user, i.e. "kibana_system", or add the admin index privilege to the user.
All worked, with no error in getting the Kibana version, and the dashboard was created successfully.
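
The curl run earlier in the thread stopped at certificate verification (`SSL certificate problem: self signed certificate`), so it never tested the credentials, while the 401 seen in the browser came from the authentication layer. As an added example (not code from the thread or from Elastic), the script below probes the status API with verification kept on and reports which layer failed. It assumes the CA file from the posted config is the one that issued Kibana's certificate, and `KIBANA_PASSWORD` is a hypothetical environment variable.

```shell
#!/bin/sh
# Added example. URL, user and CA path are the thread's values; KIBANA_PASSWORD
# is an assumed environment variable holding that user's password.

# Map curl's exit code and the HTTP status to the layer that failed.
diagnose() {
  case "$1" in
    0)  ;;  # TLS and HTTP exchange completed; judge the status code below
    60) echo "tls-trust: server certificate does not chain to the supplied CA"; return 0 ;;
    77) echo "ca-file: CA file missing or unreadable"; return 0 ;;
    35) echo "tls-handshake: protocol or cipher negotiation failed"; return 0 ;;
    6|7|28) echo "network: DNS, connect or timeout failure"; return 0 ;;
    *)  echo "curl: unclassified exit code $1"; return 0 ;;
  esac
  case "$2" in
    200) echo "ok: certificate trusted and credentials accepted" ;;
    401) echo "authn: Kibana rejected the username or password" ;;
    403) echo "authz: user authenticated but lacks privileges" ;;
    *)   echo "http: unexpected status $2" ;;
  esac
}

# Probe the status API with verification on (--cacert, never -k).
# Credentials go through a curl config on stdin so they stay out of argv.
probe_kibana() {
  probe_rc=0
  probe_code=$(printf 'user = "%s:%s"\n' "$3" "${KIBANA_PASSWORD:-}" |
    curl -sS -K - --cacert "$2" -o /dev/null -w '%{http_code}' \
      "$1/api/status") || probe_rc=$?
  diagnose "$probe_rc" "$probe_code"
}

# Run only when asked, e.g.: KIBANA_PASSWORD=... sh probe.sh --run
if [ "${1:-}" = "--run" ]; then
  probe_kibana "https://192.168.1.10:5601" \
    "/ca/packetbeatca/ca/elastic-certificate-tool-autogenerated-ca.pem" "kibanauser"
fi
```

A `tls-trust` result means the request was dropped before any credentials were sent, so it says nothing about the user or its privileges.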
