Send monitoring data Filebeat to HTTPS

v.n · April 29, 2020, 9:23pm

Hi,
I want to make more secure sending monitoring data from filebeat to ES. Earlier it was secured just by login/password which were sent by HTTP that was detected by our internal IDS. So I implemented NGINX on port 9201 and made such a config, section is below:

    #============================== Xpack Monitoring ===============================
    # filebeat can export internal metrics to a central Elasticsearch monitoring
    # cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
    # reporting is disabled by default.

    # Set to true to enable the monitoring reporter.
    monitoring.enabled: true

    # Sets the UUID of the Elasticsearch cluster under which monitoring data for this
    # Filebeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
    # is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
    #monitoring.cluster_uuid:
    monitoring.elasticsearch:
        cluster_uuid: j-xxxxxxxxxxxxxxxxxxxx
        hosts: ["https://test.test.local:9201"]
        username: beats_system
        password: xxxxxxxxxxxxxxxxxxxxx

    # Uncomment to send the metrics to Elasticsearch. Most settings from the
    # Elasticsearch output are accepted here as well.
    # Note that the settings should point to your Elasticsearch *monitoring* cluster.
    # Any setting that is not set is automatically inherited from the Elasticsearch
    # output configuration, so if you have the Elasticsearch output configured such
    # that it is pointing to your Elasticsearch monitoring cluster, you can simply
    # uncomment the following line.
    #monitoring.elasticsearch:

The problem is that filebeat starts and works but nothing is sent to ES. I haven't found any errors in filebeat and ES logs. Maybe something wrong with my config?

Luca_Belluccini · April 29, 2020, 9:45pm

First of all, I would like to inform you it is not necessary to put in place Nginx to secure the cluster with TLS.
You can enable it if you install a basic license and your cluster is on version 6.8 or 7.1+.
You can find more about it here.

Regarding the monitoring data, if you're using a self signed certificate, it is possible you'll have to add:


monitoring.elasticsearch:
  cluster_uuid: j-xxxxxxxxxxxxxxxxxxxx
  hosts: ["https://test.test.local:9201"]
  username: beats_system
  password: xxxxxxxxxxxxxxxxxxxxx
  ssl.certificate_authorities: ["<ca pem file>"]
  ssl.verification_mode: full # set to none if the certificate doesn't contain the correct CN name

In case of doubts, start Filebeat with the parameters -e -d '*' to enable the debug logs

system · May 27, 2020, 9:45pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash output for filebeat xpack monitoring Beats filebeat	5	1012	November 28, 2018
Filebeat monitor via proxy_url Beats filebeat	2	1605	June 26, 2018
Filebeat output to secured HA Elasticsearch Beats filebeat	2	384	April 15, 2021
Filebeat not working with xpack Security enabled in Elasticsearch Beats filebeat	0	156	April 23, 2024
Filebeat monitoring via proxy Beats filebeat	4	4460	May 25, 2018

Send monitoring data Filebeat to HTTPS

Related topics