filebeat installation error

[habtu deldil]

hello guys please help me ...I am new when i try to install wazuh-server and filebeat this error is faced "    talk to server... ERROR Connection marked as failed because the onConnect callback failed: Filebeat requires the default distribution of Elasticsearch. Please update to the default distribution of Elasticsearch for full access to all free features, or switch to the OSS distribution of Filebeat."

any one can help me?

[Gabriel Fernando Lojano Mayaguari]

Hello habtudeldil12,

Hope you are having a good day so far!

It seems like the problem is related to a version mismatch between Filebeat and Elasticsearch. Elasticsearch has two types of releases for their products, an OSS version, and an X-Pack version.

Your Filebeat is non-OSS and your Elasticsearch is OSS. you can change your current Filebeat version to an OSS version: (filebeat-oss download page), or either change the Elasticsearch version to the licensed one (elasticsearch download page).

Check the Support Matrix to see which version to choose.

Also, I recommend you to follow the Elasticsearch cluster installation guide provided in the wazuh documentation, and the Wazuh cluster installation guide from the documentation as well, keeping both installations in the same version for avoiding incompatibility issues

I hope this answer can solve your issue.

Best regards,

Gabriel Fernando Lojano Mayaguari

[Mumpfelpumf]

Hi,

then it should be fixed in the "Unattended installation" script also https://documentation.wazuh.com/current/installation-guide/open-distro/all-in-one-deployment/unattended-installation.html

It leads to first installing everything except filebeat and then uninstalling everything. So, the script doesn't work.

[Raul Del Pozo Moreno]

Hello Mumpfelpumf

The unattended installation that you share is done through a script and installs the set just by running it, the user who run it does not have to worry since the versions used are compatible.

The unattended installer automatically installs it without the need for the user to do anything, this is done in this order (just like the Step-by-Step procedure):

- Install Wazuh
- Install Elasticsearch
- Install Filebeat
- Install Kibana

The reason why Filebeat is installed after Elasticsearch is because Filebeat requires a connection with Elasticsearch, as can be seen in the last step of the installation by performing the "filebeat test output" command, which shows this result:

elasticsearch: https://127.0.0.1:9200... parse url... OK connection... parse host... OK dns lookup... OK addresses: 127.0.0.1 dial up... OK TLS... security: server's certificate chain verification is enabled handshake... OK TLS version: TLSv1.3 dial up... OK talk to server... OK version: 7.10.2

On the other hand, in a distributed installation (I will refer to Step-by-Step), the Elasticsearch cluster is installed first, then the Wazuh cluster (where Filebeat is also installed) and finally the Kibana phase.  This is intended to follow this order. 

The problem of the user who opened the thread, was that in his installation he mixed different Filebeat packages causing an incompatibility as my colleague mentions. This, with the current guide, does not happen.

Do you have a problem running the unattended script? If so, could you tell us what it is?

Regards, Raul.

[Patrick Kaiser]

Additional info:

I've also pinned the filebeat oss repository for filebeat itself to it, so i get filebeat installed from oss repository, but still the same issue:

apt policy filebeat

 *** 7.10.2 1001

        500 https://artifacts.elastic.co/packages/7.x/apt stable/main amd64 Packages

        100 /var/lib/dpkg/status

     7.10.2 500

        500 https://packages.wazuh.com/4.x/apt stable/main amd64 Packages

Patrick Kaiser schrieb am Mittwoch, 19. Oktober 2022 um 15:25:37 UTC+2:

Hi Raul,

I am running in the same issue. Just found this thread too late, so i opened a new topic with the same context.

I am on ubuntu 20.04LTS and runnning the curl command from quick install guide:

curl -sO https://packages.wazuh.com/4.3/wazuh-install.sh && sudo bash ./wazuh-install.sh -a 

leads me to the error with filebeat. It is 100% reproducable...

Maybe you can check please?

Thanks,

Patrick

[Patrick Kaiser]

ok solved it right now by installing the package manually and installed the filebeat-oss.

looks like the repository is just for non-oss stuff