[SOLVED] Issue with Filebeat

Not sure where exactly to put this, in terms of category. So, something really confuses me here: https://docs.rocknsm.io/services/#published-urls-and-ports

On one hand, it says it uses lighttpd for hosting, which for some reason is set to port 443, but then on the same page it says kibana’s port is 5601. Both are listening when checking the ports.

Here comes the main issue. I’m trying to add filebeats to my rocknsm server from the machines on my network, but every time I go to add them and point to the host, there’s an error connecting to Kibana.

Exiting: error connecting to Kibana : fail to get the Kibana version: HTTP GET to /api/status fails: fail to execute the HTTP GET request.

Now, I’ve changed the config file to try various ports, examples:

http://<ip>:<port>
https://<ip>:<port>
http://<hostname>:<port>
https://<hostname>:<port>

I’ve tried port 80, 443, 5601 on each, even with added paths like app/kibana or app/kibana/dashboards.

No dice. Any pointers would be helpful. I’m thinking lighttpd may need openssl to get it to work (which I’ll be testing here momentarily), or I can switch out the config for lighttpd to force it to use port 80. Either way, something to think on.

Thanks,

-David V

Alright, so I solved this. I’m not using this for production so I reconfigured the lighttpd configuration. In case anyone is curious, here are the steps I took:

First, I reconfigured my lighttpd config to go through port 80. I stress, this is for testing purposes, and I would have rather done an actual x509 cert using TLS. Now that you’ve been warned, I went to /etc/lighttpd/vhosts.d/10-tls.conf. Here’s the config:

#######################################################################
# Lighttpd shared authentication
# file: /etc/lighttpd/vhosts.d/10-tls.conf
#
# Ansible managed
#

# Upgrade to TLS (works on lighttpd >= 1.4.50)
$HTTP["scheme"] == "http" {
        server.port = 80
        server.bind = "192.168.90.3"
}

Then just restart the service: sudo systemctl restart lighttpd

From there, you’ll need to set up your filebeats on each remote machine just like they instruct you to on Kibana. Make sure your elasticsearch is accessible from the outside; it’s pre-configured to only “listen” on the localhost itself.

So, go to /etc/elasticsearch/elasticsearch.yml and set it to listen to the outside:

network.host: 0.0.0.0

Restart elasticsearch: sudo systemctl restart elasticsearch

One thing they don’t mention and which should be obvious, which wasn’t to me for some reason, is you need the creds from Kibana to communicate. So, my filebeat config looks like this (similar to what it instructs you on kibana filebeat setup instructions). Please note that my elasticsearch has no creds set up, so they were left commented out.

NOTE: You must, I emphasize, have the port number on the Kibana URL point to 80. If you don’t, it will default to 5601, which is not used by lighttpd.

output.elasticsearch:
  hosts: ["<es_url>"]
setup.kibana:
  host: "http://<kibana_url>:80"
  username: "username"
  password: "password"

From there, this should work. Btw, I wrote an ansible script to make this easier for myself. Since RockNSM has ansible installed, why not use it?

This is for debian/ubuntu servers, btw.

################################################################################
# Script      : modules-filebeat-setup.yml
# Author      : fury
# Date        : 10/20/2019
# Description : Setup system filebeat module to point to RockNSM Server to
#               collect syslog data
#################################################################################
---
# Run with ansible-playbook <filename> -u root
#      (make sure to add the IPs of machines you want to manage to /etc/ansible/hosts first)

- hosts: ubuntuservers
  remote_user: vmadmin
  become: yes
  become_method: sudo

  vars:
    # Pick Module
    module: "system"

  tasks:
    - name: Download the Systems Filebeat Module
      get_url:
        url: https://artifacts.elastic.co/downloads/beats/filebeat/filebeat-7.4.0-amd64.deb
        dest: /tmp/filebeat.deb
        mode: 0750

    - name: Install DEB Package
      command: dpkg -i /tmp/filebeat.deb

    - name: Update filebeat.yml
      template:
        src: "configs/filebeat.yml"
        dest: "/etc/filebeat/filebeat.yml"

    - name: Enable and Configure Module
      command: filebeat modules enable {{ module }}

    - name: Start Filebeat
      command: filebeat setup
      notify:
        - restart filebeat

  handlers:
    - name: restart filebeat
      service:
        name: filebeat
        state: restarted

Reference: https://www.elastic.co/guide/en/elasticsearch/reference/current/configuring-filebeat.html

Good luck.
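
Added example, not part of the original post or RockNSM's own code: a small Python check that flags the two testing-only settings from the steps above (Elasticsearch bound beyond loopback with no authentication, and Kibana credentials sent over plain HTTP) before a config is reused outside a lab. The function names, the hardened sample values, and the treatment of a missing xpack.security.enabled as disabled are assumptions.

```python
import re

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def flatten(text):
    """Flatten simple nested YAML mappings into dotted keys (no lists or anchors)."""
    out, stack = {}, []                      # stack holds (indent, key) of open parents
    for raw in text.splitlines():
        m = re.match(r"^(\s*)([\w.]+):\s*(.*)$", raw.split(" #")[0].rstrip())
        if not m:                            # blank lines and comments do not match
            continue
        indent, key, val = len(m.group(1)), m.group(2), m.group(3).strip("\"'")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if val:
            out[path] = val
        else:
            stack.append((indent, key))
    return out

def audit_elasticsearch(text):
    cfg = flatten(text)
    host = cfg.get("network.host", "localhost")
    # Assumption: an absent xpack.security.enabled means disabled (the 7.x default).
    secured = cfg.get("xpack.security.enabled", "false").lower() == "true"
    if host not in LOOPBACK and not secured:
        return [f"network.host={host} exposes Elasticsearch with no authentication"]
    return []

def audit_filebeat(text):
    cfg, findings = flatten(text), []
    for section in ("setup.kibana", "output.elasticsearch"):
        target = cfg.get(f"{section}.host") or cfg.get(f"{section}.hosts", "")
        # A host without an explicit https:// scheme is contacted over plain HTTP.
        if f"{section}.password" in cfg and "https://" not in target:
            findings.append(f"{section}: password sent without TLS to {target}")
    return findings

# Constructed samples: the settings from the post, then a hardened variant.
ES_POST = "network.host: 0.0.0.0\n"
ES_HARDENED = "network.host: 192.168.90.3\nxpack.security.enabled: true\n"
FB_POST = ('output.elasticsearch:\n  hosts: ["<es_url>"]\n'
           'setup.kibana:\n  host: "http://<kibana_url>:80"\n'
           '  username: "username"\n  password: "password"\n')
FB_HARDENED = FB_POST.replace("http://<kibana_url>:80", "https://<kibana_url>:443")

if __name__ == "__main__":
    print("elasticsearch.yml:", audit_elasticsearch(ES_POST) or "ok")
    print("filebeat.yml:", audit_filebeat(FB_POST) or "ok")
```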