Unable to send Data from Metricbeat to Elasticsearch over SSL getting error Failed to connect to backoff(elasticsearch(https://xxx.xx.xxx.xx:9202)): Get https://xxx.xx.xxx.xx:9202: Forbidden


(Vrushali) #1

Hi,

I am unable to send the data from metricbeat to elasticsearch over SSL.
My setup is:
Elasticsearch 6.4.2
Metricbeat 6.6.1

I have done the following steps:

  1. Install Elasticsearch

  2. Create CA and Certificates
    Create the CA as follows
    bin/elasticsearch-certutil ca --pem

    Create the certificates as follows
    bin/elasticsearch-certutil cert --ca-cert config/certi/ca/ca.crt --ca-key config/certi/ca/ca.key --pem

  3. In elasticsearch.yml
    path.data: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/data
    path.logs: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/logs
    network.host: xxx.xx.xxx.xx
    http.port: 9202
    #----------------------------------- X-Pack ------------------------------------
    xpack.security.enabled: true
    xpack.security.transport.ssl.enabled: true
    xpack.security.transport.ssl.verification_mode: certificate
    xpack.security.transport.ssl.key: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/config/certs/instance/instance.key
    xpack.security.transport.ssl.certificate: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/config/certs/instance/instance.crt
    xpack.security.transport.ssl.certificate_authorities: [ "/mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/config/certs/ca/ca.crt" ]

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.verification_mode: certificate
xpack.security.http.ssl.key: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/config/certs/instance/instance.key
xpack.security.http.ssl.certificate: /mnt/appln/elkuser/withoutdns/elasticsearch-6.4.2/config/certs/instance/instance.crt

Started the elasticsearch

  1. metricbeat.yml

output.elasticsearch:
hosts: ["xxx.xx.xx.xx:9202"]
protocol: "https"
username: "elastic"
password: "verysecret"
ssl.certificate_authorities: ["/mnt/appln/elkuser/withoutdns/metricbeat-6.6.1-linux-x86_64/certs/ca/ca.pem"]
ssl.certificate: "/mnt/appln/elkuser/withoutdns/metricbeat-6.6.1-linux-x86_64/certs/instance/instance.pem"
ssl.key: "/mnt/appln/elkuser/withoutdns/metricbeat-6.6.1-linux-x86_64/certs/instance/instance.key"

and then started the metricbeat using
./metricbeat -e

But I am unable to send the metric data to elasticsearch and getting the error as
"Failed to connect to backoff(elasticsearch(https://xxx.xx.xxx.xx:9202)): Get https://xxx.xx.xxx.xx:9202: Forbidden"
The certificates I have created are all without dns name and so I am using IP in metricbeat.yml


(Mark Walkom) #2

By default Elasticsearch will only listen to localhost. You may want to add a network.host config option to make it listen to other addresses.