Errors in loading Filebeat template/ Unable to upload Filebeat Template

[fadi abusafat]

Hi. 

I got the following errors while I am trying to load Filebeat template despite Elasticsearch is up and running. 

I used the following command to upload Filebeat 

# filebeat setup --index-management -E setup.template.json.enabled=false

I already uploaded print screen. 

Please, could you help me to figure it out. 

I am using Ubuntu OS. 

Thank you so much. 

Many Thanks, 

[Javier Escobar]

Hello Fadi,

It seems like Filebeat is trying to connect to Elasticsearch OSS or Filebeat OSS connecting to Elasticsearch. Please check that both are OSS version or not OSS. They need to be the same license to work properly. 

If that's not the case please share with us your Filebeat and Elasticsearch versions and your Filebeat configuration at /etc/filebeat/filebeat.yml.

Also, could you check your Filebeat connectivity and share this command output with us?:

filebeat test output

I hope it helps.

Regards,

Javier Escobar

[fadi abusafat]

Dear Javier. 

Thank you so much for your help. 

I already checked version of OSS for both of them and it is the same while there is no connectivity when I applied test for Filebeat. However, I am sharing whole issue that you asked me about. It looks, the problem into configuration despite I followed the order to documentation. Just be familiar, I am working onto VMware station Pro 15 and I am working on Ubuntu Desktop 18. 

Please, could you check uploaded files. 

Many Thanks. 

[Daniel Moreno]

Hello Fadi,

The configuration you shared with us looks fine so we need to go beyond.

Since the ElasticSearch 7.x version, it is necessary to configure some settings as we explain in our documentation. 

Have you set the node.name and cluster.initial_master_nodes options?

I'll be awaiting your response.

Regards.

[fadi abusafat]

Hi Daniel.

Yes I did, node name just only have node-1 while cluster.initial_master_nodes are node-1 and node-2

[fadi abusafat]

Yes, I did. node.name is node-1 and cluster.initial_master_nodes are node-1 and node-2 respectively. 

I followed whole steps precisely as explained into your documentation and till this moment, it stops on the same errors.

On Wednesday, October 9, 2019 at 8:03:02 AM UTC+1, Daniel Moreno wrote:

[fadi abusafat]

I just like to ask, it could be problem from configuration of VMware workstation due to I just made one Network adapter and it is NAT. it could need Bridged which it connected directly yo the physical network _

On Wednesday, October 9, 2019 at 8:03:02 AM UTC+1, Daniel Moreno wrote:

[Daniel Moreno]

Hello Fadi,

Since you are using Filebeat and ElasticSearch together you should be able to connect them regardless of your network configuration.

Could you please share your /etc/elasticsearch/elasticsearch.yml file?

This looks like a known error as we can see here: link.

I would suggest you follow our documentation and reinstall Filebeat and ElasticSearch ( And Kibana if installed ) to get the latest compatible version ( 7.3.2 ).

Regards.

[fadi abusafat]

Hi Daneil 

Thank you so much for your reply.

This elasticsearch configuration file:

# ======================== Elasticsearch Configuration =========================

#

# NOTE: Elasticsearch comes with reasonable defaults for most settings.

#       Before you set out to tweak and tune the configuration, make sure you

#       understand what are you trying to accomplish and the consequences.

#

# The primary way of configuring a node is via this file. This template lists

# the most important settings you may want to configure for a production cluster.

#

# Please consult the documentation for further information on configuration options:

# https://www.elastic.co/guide/en/elasticsearch/reference/index.html

#

# ---------------------------------- Cluster -----------------------------------

#

# Use a descriptive name for your cluster:

#

#cluster.name: my-application

#

# ------------------------------------ Node ------------------------------------

#

# Use a descriptive name for the node:

#

node.name: node-1

#

# Add custom attributes to the node:

#

#node.attr.rack: r1

#

# ----------------------------------- Paths ------------------------------------

#

# Path to directory where to store the data (separate multiple locations by comma):

#

path.data: /var/lib/elasticsearch

#

# Path to log files:

#

path.logs: /var/log/elasticsearch

#

# ----------------------------------- Memory -----------------------------------

#

# Lock the memory on startup:

#

#bootstrap.memory_lock: true

#

# Make sure that the heap size is set to about half the memory available

# on the system and that the owner of the process is allowed to use this

# limit.

#

# Elasticsearch performs poorly when the system is swapping the memory.

#

# ---------------------------------- Network -----------------------------------

#

# Set the bind address to a specific IP (IPv4 or IPv6):

#

network.host: 192.168.118.130

#

# Set a custom port for HTTP:

#

#http.port: 9200

#

# For more information, consult the network module documentation.

#

# --------------------------------- Discovery ----------------------------------

#

# Pass an initial list of hosts to perform discovery when this node is started:

# The default list of hosts is ["127.0.0.1", "[::1]"]

#

#discovery.seed_hosts: ["host1", "host2"]

#

# Bootstrap the cluster using an initial set of master-eligible nodes:

#

cluster.initial_master_nodes: ["node-1", "node-2"]

#

# For more information, consult the discovery and cluster formation module documentation.

#

# ---------------------------------- Gateway -----------------------------------

#

# Block initial recovery after a full cluster restart until N nodes are started:

#

#gateway.recover_after_nodes: 3

#

# For more information, consult the gateway module documentation.

#

# ---------------------------------- Various -----------------------------------

#

# Require explicit names when deleting indices:

#

#action.destructive_requires_name: true

[fadi abusafat]

Also, this Filebeat configuration file:

# Wazuh - Filebeat configuration file

filebeat.modules:

  - module: wazuh

    alerts:

      enabled: true

    archives:

      enabled: false

setup.template.json.enabled: true

setup.template.json.path: '/etc/filebeat/wazuh-template.json'

setup.template.json.name: 'wazuh'

setup.template.overwrite: true

setup.ilm.enabled: false

output.elasticsearch.hosts: ['http://192.168.118.130:9200']

[Daniel Moreno]

Hello Fadi,

Sorry for the late reply.

As we can see in the images, your cluster_uuid value is _nan_, which indicates the cluster is still creating itself. ( Probably the node is not able to join the cluster )

The option network.host tells to ElasticSearch the IP Address to use to listen for the requests.

Does the IP "192.168.118.130" belong to the ElasticSearch node?

Regards.