Unable to test output with Filebeat to Elasticsearch

Hi there, I'm trying to send the logs from Filebeat to Elasticsearch but I'm stuck with a problem regarding credentials or certification.

I have the following configuration in filebeat.yml

    filebeat.modules:
      - module: my_module
        alerts:
          enabled: true
        archives:
          enabled: false
    output.elasticsearch:
      hosts: ['my_elastic:9200']
      protocol: https
      user: "${FILEBEAT_KS_USER}"
      password: "${FILEBEAT_KS_PASS}"
      ssl.enable: true
      ssl.verification_mode: full
      ssl.certificate_authorities: ["/usr/share/filebeat/config/<ca_chain_cert>"]
      ssl.certificate: "/usr/share/filebeat/config/ssl/certs/filebeat-access.pem"
      ssl.key: "/usr/share/filebeat/config/ssl/private/filebeat-access.key"
      ssl.key_passphrase: "${KEYPASSPHRASE}"

When I try filebeat test output I'm receiving the next output:

# filebeat test output
elasticsearch: https://my_elastic:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.106.184
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... ERROR 401 Unauthorized: Unauthorized

Receiving similar logs in elasticsearch

[2021-08-27T09:58:12,303][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe-0] Invalid 'Authorization' header, send 401 and 'WWW-Authenticate Basic'
[2021-08-27T09:58:20,450][WARN ][c.a.o.s.h.HTTPBasicAuthenticator] [odfe-0] Invalid 'Authorization' header, send 401 and 'WWW-Authenticate Basic'

I've followed Connect filebeat to elasticsearch - #2 by pierhugues and made the workaround to avoid the error explained in this post.

I've tried to harcode the user and password using the elastic credentials and it didn't work but I'm able to make curls with both users, elastic and filebeat successfully but still receiving the authentication error.

Any ideas? Please help

Thanks

Anyone can advise, please?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.