Error during metricbeat or filebeat setup

Hi all!
I have a big problem when I try to setup filebeat or metricbeat…

I recieve this message:
Exiting: Couldn't connect to any of the configured Elasticsearch hosts. Errors: [Error connection to Elasticsearch https://localhost:9200: Connection marked as failed because the onConnect callback failed: cannot retrieve the elasticsearch license: error from server, response code: 500]

In the elasticsearch logs I found this:

[2019-05-08T17:00:33,129][ERROR][c.a.o.s.f.OpenDistroSecurityFilter] [EV--xse] Unexpected exception [_xpack] InvalidIndexNameException[Invalid index name [_xpack], must not start with '_'.]
org.elasticsearch.indices.InvalidIndexNameException: Invalid index name [_xpack], must not start with '_'.

Could anyone help me please?

Hiya -

Are you using the OSS versions of the Beats agents (not the commercial ones)? They recently added a license check that makes the default downloaded beats agents non-compatible with the OSS version of Elasticsearch.

For metricbeat - you want this one: Metricbeat OSS 6.7.2 | Elastic

Same for filebeat: Filebeat OSS 6.7.2 | Elastic

Not positive if that is your issue but it is likely given the error.

Thanks a lot carlmead!!
Unfortunately this solution doesn’t work…

After the filebeat-oss setup I have launched these commands:

sudo filebeat modules enable elasticsearch
sudo filebeat setup

and this is the output:

xxx@ip:~$ sudo filebeat setup
Loaded index template
Loading dashboards (Kibana must be running and reachable)
Loaded dashboards

Exiting: 2 errors: Error checking if xpack is available: 500 Internal Server Error:

{
  "error": {
    "root_cause": [
      {
        "type": "security_exception",
        "reason": "Unexpected exception indices:admin/get"
      }
    ],
    "type": "security_exception",
    "reason": "Unexpected exception indices:admin/get"
  },
  "status": 500
}

And in the elasticsearch logs:

[2019-05-09T08:01:21,378][ERROR][c.a.o.s.f.OpenDistroSecurityFilter] [EV--xse] Unexpected exception [_xpack] InvalidIndexNameException[Invalid index name [_xpack], must not start with '_'.]
org.elasticsearch.indices.InvalidIndexNameException: Invalid index name [_xpack], must not start with '_'.

This is really curious …

I solved with OSS installations and this link Filebeat connection issue - #4 by kk23

and filebeat startup command is: sudo filebeat setup -e --dashboards --pipelines --template

thanks

This solved it for me:

It turns out that starting in one of the 7.x versions they turned on index lifecycle management checks by default. ILM (index lifecycle management) is an X-Pack feature, so turning this on by default means that Filebeat will do an X-Pack check by default.

This can be fixed by adding setup.ilm.enabled: false to the Filebeat configuration. So, not a bug per se in the OSS Docker build.

Hello @carlmead,

May I know which docker image we can use for filebeat to work with Opensearch?

We wanted to use open source version filebeat image for opensearch.

Thanks,
Sabil

Hello @grad,

Do you know which docker image for filebeat can be used to work with Opensearch?

It would be really helpful if you can assist me on how to setup filebeat with opensearch using docker container.

Thanks,
Sabil.