Hi there, I'm trying to send the logs from Filebeat to Elasticsearch but I'm stuck with a problem regarding credentials or certification.
I have the following configuration in filebeat.yml:

    filebeat.modules:
      - module: my_module
        alerts:
          enabled: true
        archives:
          enabled: false

    output.elasticsearch:
      hosts: ['my_elastic:9200']
      protocol: https
      user: "${FILEBEAT_KS_USER}"
      password: "${FILEBEAT_KS_PASS}"
      ssl.enable: true
      ssl.verification_mode: full
      ssl.certificate_authorities: ["/usr/share/filebeat/config/<ca_chain_cert>"]
      ssl.certificate: "/usr/share/filebeat/config/ssl/certs/filebeat-access.pem"
      ssl.key: "/usr/share/filebeat/config/ssl/private/filebeat-access.key"
      ssl.key_passphrase: "${KEYPASSPHRASE}"

When I try filebeat test output, I'm receiving the following output:

    # filebeat test output
    elasticsearch: https://my_elastic:9200...
      parse url... OK
      connection...
        parse host... OK
        dns lookup... OK
        addresses: 172.20.106.184
        dial up... OK
      TLS...
        security: server's certificate chain verification is enabled
        handshake... OK
        TLS version: TLSv1.3
        dial up... OK
      talk to server... ERROR 401 Unauthorized: Unauthorized

Receiving similar logs in Elasticsearch:
[2021-08-27T09:58:12,303][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe-0] Invalid 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-08-27T09:58:20,450][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe-0] Invalid 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
I've followed Connect filebeat to elasticsearch - #2 by pierhugues and made the workaround to avoid the error explained in this post.
I've tried to hardcode the user and password using the elastic credentials and it didn't work, but I'm able to make curls with both users, elastic and filebeat, successfully. I'm still receiving the authentication error.
Any ideas? Please help
Thanks