ERROR FROM FILEBEAT


Karthikraja

Jan 15, 2021, 5:12:57 AM
to wa...@googlegroups.com
Got stuck with these Filebeat errors for more than a week. Can someone please help me solve this?

Note: the installation type followed is the step-by-step method in an all-in-one installation.
ERROR MESSAGE ONE:

[root@host]# filebeat test output
elasticsearch: https://172.20.8.86:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 172.20.8.86
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... ERROR x509: certificate is valid for 127.0.0.1, not 172.20.8.86


ERROR MESSAGE TWO: 

[root@host certs]# systemctl status filebeat -l
● filebeat.service - Filebeat sends log files to Logstash or directly to Elasticsearch.
   Loaded: loaded (/usr/lib/systemd/system/filebeat.service; enabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-15 15:07:19 IST; 29min ago
     Docs: https://www.elastic.co/products/beats/filebeat
 Main PID: 13952 (filebeat)
    Tasks: 20
   CGroup: /system.slice/filebeat.service
           └─13952 /usr/share/filebeat/bin/filebeat --environment systemd -c /etc/filebeat/filebeat.yml --path.home /usr/share/filebeat --path.config /etc/filebeat --path.data /var/lib/filebeat --path.logs /var/log/filebeat

Jan 15 15:35:47 host filebeat[13952]: 2021-01-15T15:35:47.217+0530        ERROR        [publisher_pipeline_output]        pipeline/output.go:154        Failed to connect to backoff(elasticsearch(https://172.20.8.86:9200)): Get "https://172.20.8.86:9200": x509: certificate is valid for 127.0.0.1, not 172.20.8.86
Jan 15 15:35:47 host filebeat[13952]: 2021-01-15T15:35:47.217+0530        INFO        [publisher_pipeline_output]        pipeline/output.go:145        Attempting to reconnect to backoff(elasticsearch(https://172.20.8.86:9200)) with 41 reconnect attempt(s)
Jan 15 15:35:47 host filebeat[13952]: 2021-01-15T15:35:47.217+0530        INFO        [publisher]        pipeline/retry.go:213        retryer: send wait signal to consumer
Jan 15 15:35:47 host filebeat[13952]: 2021-01-15T15:35:47.217+0530        INFO        [publisher]        pipeline/retry.go:217          done

Jan 15 15:35:49 host filebeat[13952]: 2021-01-15T15:35:49.892+0530        INFO        [monitoring]        log/log.go:145        Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":330,"time":{"ms":7}},"total":{"ticks":1020,"time":{"ms":28},"value":1020},"user":{"ticks":690,"time":{"ms":21}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"5cd96b95-4eff-4739-9528-c338779f8064","uptime":{"ms":1710032}},"memstats":{"gc_next":16465280,"memory_alloc":8306552,"memory_total":48898832},"runtime":{"goroutines":22}},"filebeat":{"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":1111,"retry":50}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":2.36,"15":2.32,"5":2.32,"norm":{"1":0.1475,"15":0.145,"5":0.145}}}}}}

Jan 15 15:36:19 host filebeat[13952]: 2021-01-15T15:36:19.890+0530        INFO        [monitoring]        log/log.go:145        Non-zero metrics in the last 30s        {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":330,"time":{"ms":1}},"total":{"ticks":1030,"time":{"ms":8},"value":1030},"user":{"ticks":700,"time":{"ms":7}}},"handles":{"limit":{"hard":4096,"soft":1024},"open":10},"info":{"ephemeral_id":"5cd96b95-4eff-4739-9528-c338779f8064","uptime":{"ms":1740034}},"memstats":{"gc_next":16465280,"memory_alloc":8609472,"memory_total":49201752},"runtime":{"goroutines":22}},"filebeat":{"harvester":{"open_files":1,"running":1}},"libbeat":{"config":{"module":{"running":0}},"pipeline":{"clients":1,"events":{"active":1111}}},"registrar":{"states":{"current":1}},"system":{"load":{"1":2.59,"15":2.34,"5":2.37,"norm":{"1":0.1619,"15":0.1463,"5":0.1481}}}}}}

Jan 15 15:36:38 host filebeat[13952]: 2021-01-15T15:36:38.717+0530        ERROR        [publisher_pipeline_output]        pipeline/output.go:154        Failed to connect to backoff(elasticsearch(https://172.20.8.86:9200)): Get "https://172.20.8.86:9200": x509: certificate is valid for 127.0.0.1, not 172.20.8.86
Jan 15 15:36:38 host filebeat[13952]: 2021-01-15T15:36:38.717+0530        INFO        [publisher_pipeline_output]        pipeline/output.go:145        Attempting to reconnect to backoff(elasticsearch(https://172.20.8.86:9200)) with 42 reconnect attempt(s)


--
With Regards,
Karthikraja. A

Franco Hielpos

Jan 18, 2021, 11:44:55 AM
to Karthikraja, Wazuh mailing list
Hello Karthikraja,

This issue is because your Elasticsearch certificate is created for 127.0.0.1 and not for 172.20.8.86.

You have two possible ways to fix this:
1. Modifying the output.elasticsearch.hosts setting in /etc/filebeat/filebeat.yml from "172.20.8.86:9200" to "127.0.0.1:9200".

2. Re-create your certificates and modify the IP address.


After downloading the search-guard.yml file, modify the elasticsearch section, replacing 127.0.0.1 with 172.20.8.86:

nodes:
  - name: elasticsearch
    dn: CN=node-1,OU=Docu,O=Wazuh,L=California,C=US
    ip:
      - 172.20.8.86

It would be advisable to do the same with Kibana's certificate as well. After that, you can continue with the process of creating the certificates. Once finished, you should replace all your certificates from Elasticsearch, Kibana and Filebeat, and finally, execute the securityadmin tool as indicated in the documentation:

/usr/share/elasticsearch/plugins/opendistro_security/tools/securityadmin.sh -cd /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/ -nhnv -cacert /etc/elasticsearch/certs/root-ca.pem -cert /etc/elasticsearch/certs/admin.pem -key /etc/elasticsearch/certs/admin.key

Let me know if this solves your problem!


--
Franco Hielpos

Karthikraja

Jan 19, 2021, 10:04:28 AM
to Franco Hielpos, Wazuh mailing list
Thanks Franco, it worked very well. Thanks for your help.
