Verifying ELK stack containers in beats on a host in different network


(Krishna Chandu) #1

Hello everyone,

     I was trying to implement ELK stack  using docker to collect logs from the machines which are in different network, would say that my docker Engine is in a private Network A and my hosts are in another private Network B. I have installed beats on my nodes and was trying to verify the ELK server configured in docker container in Network A. But I was not succeeded in verifying the ELK from beats hosts. 

What I did?
On Network A:

Used sebp/elk image to start a ELK container
Did port forwarding for port 5601, 9200, 5044
Verified if kibana is loading in web and it was success
Generated SSL cert in the ELK container with the public IP of the host where docker was
installed.
copied this SSL cert on to the beats host /etc/pki/tls/certs/
On Network B:

Installed beats in the machine (Not a container)
configured filebeat.yml with the public IP of the Docker host with the port (Say x.x.x.x:8001)
and added ssl cert path
Restarted logstash in Network A and filebeat in Network B and received the following error
Error1 (when generated a cert with public IP of docker host)
.514762 transport.go:125: ERR SSL client failed to connect with: x509: cannot validate certificate for <public_ip of container’s host> because it doesn’t contain any IP SANs.

Error2 when run debug mode: (when generated a cert with private ip of the docker container and given the public IP of the docker host in filebeat.yml file)

2018/06/28 11:57:29.342793 single.go:126: INFO Connecting error publishing events (retrying): Head http://<ELK_HOST_PUBLIC_IP>:8003: read tcp <beat_host_private_ip>:49055-><ELK_HOST_PUBLIC_IP>:8003: read: connection reset by peer

2018/06/28 11:56:56.941473 client.go:302: DBG Ping request failed with: Head http://<ELK_HOST_PUBLIC_IP>:8003: read tcp <beat_host_private_ip>:49053-><ELK_HOST_PUBLIC_IP>:8003: read: connection reset by peer

Could any one please help me with fixing the issue that how can I make a successful verification of the ELK by beats host in a different network


(Andrew Kroh) #2

Elastic has official images available from https://www.docker.elastic.co/.

If you configure a client to connect to an IP address (rather than the hostname listed in the cert's subject) then the certificate must have an IP SAN. You can view your certificate with openssl to check for the existence of an IP.

            X509v3 Subject Alternative Name: 
                IP Address:192.168.99.100

If you are using TLS on the Elasticsearch side then it seems like you forgot to configure the Beats to use HTTPS. It's trying to connect to ES over HTTP which uses the server to RST the connection. Make sure your Beat config puts the scheme in the URL.

output.elasticsearch.hosts: ['https://localhost:9200']


(Krishna Chandu) #3

Thanks much Andrewkroh,

That helped me much to check the cert. Also It was an issue with the beats input conf file which I have mentioned the wrong cert name. It works now and I could see the logs.


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.