I am trying to send logs from Winbeat I have tried logstash and elasticsearch and googled every possible setting with SSL to send the logs I keep getting this error

I have also added the cer in the same folder and also tried to creat a folder called SSL and move the certs there still no luck

Hi everyone

I tried to change license type to 'Basic' in elasticsearch/config/elasticsearch.yml file but I found this log in elasticsearch container:

{"type": "server", "timestamp": "2021-05-22T06:24:11,812Z", "level": "INFO", "component": "o.e.l.LicenseService", "cluster.name": "docker-cluster", "node.name": "elasticsearch", "message": "license [92248c89-3ac2-4729-b73a-1611606a09e6] mode [trial] - valid", "cluster.uuid": "uM8gkmVjSj2ghP8eM3sJlA", "node.id": "YzNhrfDCRH-46DRq-E8MfA" }
{"type": "server", "timestamp": "2021-05-22T06:24:11,814Z", "level": "INFO", "component": "o.e.x.s.s.SecurityStatusChangeListener", "cluster.name": "docker-cluster", "node.name": "elasticsearch", "message": "Active license is now [TRIAL]; Security is enabled", "cluster.uuid": "uM8gkmVjSj2ghP8eM3sJlA", "node.id": "YzNhrfDCRH-46DRq-E8MfA" }`

Can you help me to have this ELK with basic license?

Hello,

When I follow the Letsencrypt Walthrough document, elasticsearch throws the following error.

elasticsearch | {"type": "server", "timestamp": "2022-01-18T03:03:17,545Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elk-tls-cluster", "node.name": "elasticsearch", "message": "http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/172.19.0.2:9200, remoteAddress=/172.19.0.5:51048}", "cluster.uuid": "DsG__rYzS4GNZ69miZs_Fg", "node.id": "l9xk4d7BSECjE9QYPfDOEg" }

Elasticsearch doesn't come up at all and hence when I access https://kibana.example.com, I see Kibana server is not ready yet.

Logs from kibana container:

kibana | {"type":"log","@timestamp":"2022-01-18T03:02:57+00:00","tags":["error","savedobjects-service"],"pid":1220,"message":"Unable to retrieve version information from Elasticsearch nodes. unable to verify the first certificate"}

I am not sure why I need to run docker-compose -f docker-compose.setup.yml run --rm certs multiple times, that is confusing.

.env

ELK_VERSION=7.15.0
ELASTIC_USERNAME=elastic
ELASTIC_PASSWORD=some_password
KIBANA_URL=https://0.0.0.0:5601

# Configuration Variables
ELASTICSEARCH_HEAP=2g
LOGSTASH_HEAP=1g
PACKETBEAT_HEAP=256m
FILEBEAT_HEAP=256m
METRICBEAT_HEAP=256m
XPACK_ENCRYPTION_KEY=somesuperlongstringlikethisoneMQBbtsynu4bV2uxLy

# Self signed TLS certificates
CA_PASSWORD=some_password
CA_DAYS=3650
ELASTIC_DIR=/usr/share/elasticsearch
LOGSTASH_DIR=/usr/share/logstash
KIBANA_DIR=/usr/share/kibana
PACKETBEAT_DIR=/usr/share/packetbeat
FILEBEAT_DIR=/usr/share/filebeat
METRICBEAT_DIR=/usr/share/metricbeat

# Letsencrypt certificates
## Setting STAGING to true means it will generate self-signed certificates
## Setting STAGING to false means it will generate letsencrypt certificates
STAGING=false
#STAGING=true

# swag Configuration
DOMAIN=example.com
SUBDOMAIN=kibana
#SUBFOLDER=kibana
[email protected]
TIMEZONE=America/Chicago

docker version

Client: Docker Engine - Community
 Version:           20.10.12
 API version:       1.41
 Go version:        go1.16.12
 Git commit:        e91ed57
 Built:             Mon Dec 13 11:45:41 2021
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true

Server: Docker Engine - Community
 Engine:
  Version:          20.10.12
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.16.12
  Git commit:       459d0df
  Built:            Mon Dec 13 11:44:05 2021
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.4.12
  GitCommit:        7b11cfaabd73bb80907dd23182b9347b4245eb5d
 runc:
  Version:          1.0.2
  GitCommit:        v1.0.2-0-g52b36a2
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker-compose version

docker-compose version 1.29.2, build 5becea4c
docker-py version: 5.0.0
CPython version: 3.7.10
OpenSSL version: OpenSSL 1.1.0l  10 Sep 2019

elk-tls-docker version - 1.3.0

I tried with both options SUBDOMAIN and SUBFOLDER, only to end up in similar errors. Any help here would be appreciated.

When running docker-compose -f docker-compose.setup.yml run --rm certs

i get the following error:

Archive:  /secrets/bundle.zip
   creating: /secrets/certificates/elasticsearch/
  inflating: /secrets/certificates/elasticsearch/elasticsearch.crt
  inflating: /secrets/certificates/elasticsearch/elasticsearch.key
   creating: /secrets/certificates/kibana/
  inflating: /secrets/certificates/kibana/kibana.crt
  inflating: /secrets/certificates/kibana/kibana.key
   creating: /secrets/certificates/logstash/
  inflating: /secrets/certificates/logstash/logstash.crt
  inflating: /secrets/certificates/logstash/logstash.key
====== Setting up Default User Passwords ======
=====================================================

Running with configuration path: /usr/share/elasticsearch/config

ERROR: Elasticsearch keystore file is missing [/usr/share/elasticsearch/config/elasticsearch.keystore]
ERROR: 78

i manually created the dir structure and copied the keystore file in there reran the script expecting it to error as its and 'older' version, but i still get same error. Chmod the dir to 777 in vain hope it was permissions but no joy.

any idea ?

Hi,

I'm trying to use the code using the 8.0.0, I'm getting an error from kibana

[root] Error: [config validation of [xpack.security].enabled]: definition for this key is missing

Best,

When following the instructions provided by the Example LetsEncrypt Walkthrough the script fails at step 4.

My output for each step is as follows:

• step2.txt
• step3.txt
• step4.txt

When looking at setup/setup.sh I suspect there is a bug in lines L134 and L136.

Currently, they are pointing to $OUTPUT_DIR/ca/ca.crt whereas I suspect they are intended to point to $CA_DIR/ca/ca.crt.

Unfortunately, I have not been able to successfully run the project (Kibana still resorting to self-signed certificates), so even though I can progress to step 5 with this fix I cannot confirm that this fix is desired.

My configuration looks like:

ELK_VERSION=7.12.0
ELASTIC_USERNAME=elastic
ELASTIC_PASSWORD="complexPassword1"

# Configuration Variables
ELASTICSEARCH_HEAP=2g
LOGSTASH_HEAP=1g
PACKETBEAT_HEAP=256m
FILEBEAT_HEAP=256m
METRICBEAT_HEAP=256m
XPACK_ENCRYPTION_KEY="complexPassword2"

# Self signed TLS certificates
CA_PASSWORD="complexPassword3"
CA_DAYS=3650
ELASTIC_DIR=/usr/share/elasticsearch
LOGSTASH_DIR=/usr/share/logstash
KIBANA_DIR=/usr/share/kibana
PACKETBEAT_DIR=/usr/share/packetbeat
FILEBEAT_DIR=/usr/share/filebeat
METRICBEAT_DIR=/usr/share/metricbeat

# Letsencrypt certificates
## Setting STAGING to true means it will generate self-signed certificates
## Setting STAGING to false means it will generate letsencrypt certificates
STAGING=false
#STAGING=true

# swag Configuration
DOMAIN=dragonfly.ink
SUBDOMAIN=kibana
#SUBFOLDER=kibana
EMAIL=[email protected]
TIMEZONE=Pacific/Auckland

Let me know what other information is required to help diagnose. 😄

I keep getting 400 error and it doesn't work

I have this issue after 30 days every month the license goes from basic to trail and every things fucked up. I even can't login to Kibana. As license for elk change from dev, it's need to very serious attention and maybe you should test ASAP. thx

Hello,

Thanks for the great work in packaging ELK up with automated LetsEncrypt certificate generation. However, I met with the following error after following this instruction (https://github.com/swimlane/elk-tls-docker/wiki/Letsencrypt%20Walkthrough). I wonder if anyone has met with the same problem?

Appreciate if anyone can give me some hints on how to fix this. Otherwise, I might need to dig into swag or code to find out. Thanks in advance!

swag             | Challenge failed for domain XXX.com
swag             | http-01 challenge for XXX.com
swag             | Cleaning up challenges
swag             | Some challenges have failed.
swag             | IMPORTANT NOTES:
swag             |  - The following errors were reported by the server:
swag             |
swag             |    Domain: XXX.com
swag             |    Type:   unauthorized
swag             |    Detail: Invalid response from
swag             |    https://XXX.com/.well-known/acme-challenge/gV0DmNr01runTM7ccLtiNzFCmhUxezctcfMbvYOFnp8
swag             |    [2606:4700:3035::ac43:9b62]: "<html>\n<head><title>404 Not
swag             |    Found</title></head>\n<body>\n<center><h1>404 Not
swag             |    Found</h1></center>\n<hr><center>nginx</center>\n</bod"
swag             |
swag             |    To fix these errors, please make sure that your domain name was
swag             |    entered correctly and the DNS A/AAAA record(s) for that domain
swag             |    contain(s) the right IP address.
swag             | ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

I am trying to use filebeat to monitor docker container logs. But, am getting the following error with TLS way

This is how my filebeat.yml looks like -
filebeat.inputs:
- type: container
enabled: true
paths:
- '/var/lib/docker/containers//.log'

output.logstash:
enabled: true
hosts: ["logstash:5045"]
ssl.certificate_authorities: ["${CONFIG_DIR}/ca.crt"]
ssl.certificate: "${CONFIG_DIR}/filebeat.crt"
ssl.key: "${CONFIG_DIR}/filebeat.key"

In docker-compose.yml, for file beat service -

filebeat:
container_name: filebeat
hostname: filebeat
build:
context: filebeat/
args:
ELK_VERSION: $ELK_VERSION
restart: unless-stopped
command: >
sh -c "filebeat -e -strict.perms=false"
volumes:
- ./filebeat/config/filebeat.yml:${FILEBEAT_DIR}/filebeat.yml:ro
- /var/lib/docker/containers:/var/lib/docker/containers:ro
- /var/run/docker.sock:/var/run/docker.sock:ro
environment:
CONFIG_DIR: ${FILEBEAT_DIR}/config
LS_JAVA_OPTS: "-Xmx${FILEBEAT_HEAP} -Xms${FILEBEAT_HEAP}"
ELASTIC_USERNAME: ${ELASTIC_USERNAME}
ELASTIC_PASSWORD: ${ELASTIC_PASSWORD}
secrets:
- source: ca.crt
target: ${FILEBEAT_DIR}/config/ca.crt
- source: filebeat.cert
target: ${FILEBEAT_DIR}/config/filebeat.crt
- source: filebeat.key
target: ${FILEBEAT_DIR}/config/filebeat.key
user: root
ports:
- "9000:9000"
networks:
- elk
depends_on:
- logstash

pipeline/output.go:154 Failed to connect to backoff(async(tcp://logstash:5045)): dial tcp 172.22.0.4:5045: connect: connection refused

I am stuck with this issue for past 3days and couldn't find a solution. Hope you can help here

docker-compose -f docker-compose.setup.yml up
WARNING: The SUBFOLDER variable is not set. Defaulting to a blank string.
Starting certs ... done
Attaching to certs
certs    | Loaded plugins: fastestmirror, ovl
certs    | Loading mirror speeds from cached hostfile
certs    |  * base: ftp.funet.fi
certs    |  * extras: ftp.funet.fi
certs    |  * updates: ftp.funet.fi
certs    | Package unzip-6.0-21.el7.x86_64 already installed and latest version
certs    | Package 1:openssl-1.0.2k-21.el7_9.x86_64 already installed and latest version
certs    | Nothing to do
certs    | ========== Creating Elasticsearch Keystore ==========
certs    | =====================================================
certs    | Setting bootstrap password...
certs    | Remove old elasticsearch.keystore
certs    | Saving new elasticsearch.keystore
certs    | ======= Keystore setup completed successfully =======
certs    | =====================================================
certs    | ====== Generating Elasticsearch Certificates ======
certs    | =====================================================
certs    | Using letsencrypt certificate authority generated by swag
certs    | Removing CA certificates folder....
certs    | cp: cannot stat '/swag/keys/cert.crt': No such file or directory
certs exited with code 1

Is there anything I'm doing wrong?

can you provide it with 3 nodes ?

If ELK_VERSION is greater than or equal to 7.17.0, then any beats containers break.

As documented in this beats pull request, from 7.17.0 the base image of beats images changed from CentOs to Ubuntu.

The current setup relies heavily on yum and the update-ca-trust command to properly apply ca-certificates. The various Dockerfiles for the containers should be updated to support this change.

Add documentation explaining the subfolders and their Dockerfiles as well as configuration files in each

Hello There!

I ran into an issue while setting up certificates.
here is my ERROR:
WARNING: The SUBFOLDER variable is not set. Defaulting to a blank string. Creating elk-stack_certs_run ... done /usr/share/elasticsearch/config/setup.sh: /usr/share/elasticsearch/config/setup.sh: Is a directory ERROR: 126

I tried to solve it by amending my configuration but I could not.
now I can't even set it up by your default configuration neither.(same issue happens)
please help!

Hi,

when composing docker stack im getting below error msg:

elasticsearch | Exception in thread "main" org.elasticsearch.bootstrap.BootstrapException: org.elasticsearch.cli.UserException: will not overwrite keystore at [/usr/share/elasticsearch/config/elasticsearch.keystore], because this incurs changing the file owner elasticsearch | Likely root cause: org.elasticsearch.cli.UserException: will not overwrite keystore at [/usr/share/elasticsearch/config/elasticsearch.keystore], because this incurs changing the file owner elasticsearch | at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:608) elasticsearch | at org.elasticsearch.common.settings.KeyStoreWrapper.save(KeyStoreWrapper.java:540) elasticsearch | at org.elasticsearch.common.settings.KeyStoreWrapper.upgrade(KeyStoreWrapper.java:339) elasticsearch | at org.elasticsearch.common.settings.KeyStoreWrapper.bootstrap(KeyStoreWrapper.java:225) elasticsearch | at org.elasticsearch.bootstrap.BootstrapUtil.loadSecureSettings(BootstrapUtil.java:60) elasticsearch | at org.elasticsearch.bootstrap.BootstrapUtil.loadSecureSettings(BootstrapUtil.java:55) elasticsearch | at org.elasticsearch.bootstrap.Bootstrap.init(Bootstrap.java:301) elasticsearch | at org.elasticsearch.bootstrap.Elasticsearch.init(Elasticsearch.java:166) elasticsearch | at org.elasticsearch.bootstrap.Elasticsearch.execute(Elasticsearch.java:157) elasticsearch | at org.elasticsearch.common.cli.EnvironmentAwareCommand.execute(EnvironmentAwareCommand.java:81) elasticsearch | at org.elasticsearch.cli.Command.mainWithoutErrorHandling(Command.java:112) elasticsearch | at org.elasticsearch.cli.Command.main(Command.java:77) elasticsearch | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:122) elasticsearch | at org.elasticsearch.bootstrap.Elasticsearch.main(Elasticsearch.java:80

Due to that elastisearch container is restarting. Didn't changed any values in .env or in setup.sh file. Using example .env file with no Stagging.

Any ideas how to fix it?

One situation is that you have to clone the entire repo currently - is there a way around this to just copy a handful of files

I have followed the instruction on what ned to be changed in swage and I am getting an error

ERROR: for elasticsearch Cannot create container for service elasticsearch: invalid mount config for type "bind": bind source path does not exist: /home/elog/elk-tls-docker/secrets/ca/ca.crt

ERROR: for elasticsearch Cannot create container for service elasticsearch: invalid mount config for type "bind": bind source path does not exist: /home/elog/elk-tls-docker/secrets/ca/ca.crt

Hi,

I'm getting the following error when running the step, docker-compose -f docker-compose.setup.yml run --rm certs
"E: Unable to locate package openssl"

if I comment out the "apt-get install unzip openssl -y" in setp/setup.sh, I get "/usr/share/elasticsearch/config/setup.sh: line 127: openssl: command not found"

what am I missing?

thanks

First of all thank you very much for your work, this helped a lot to get a start on using Elastic.

I´ve ran into a problem, it seems that when using the Lets Encrypt option to generate the scripts, the system sets the certificate for https right, but the certificate for kibana when using Elastic Agent is another one, pointing only to localhost, kibana and 0.0.0.0.

I would like to be able to use the same certificate file that works from Lets Encrypt instead of this localone from kibana.

Thank you very much for your attention,

Elasticsearch container:
Invalid maximum heap size: -Xmx"2g"
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.

Logstash Container:
Using bundled JDK: /usr/share/logstash/jdk
OpenJDK 64-Bit Server VM warning: Option UseConcMarkSweepGC was deprecated in version 9.0 and will likely be removed in a future release.
Invalid maximum heap size: -Xmx"1g"
Error: Could not create the Java Virtual Machine.
Error: A fatal exception has occurred. Program will exit.

I had run the following command before starting up container:
sudo sysctl -w vm.max_map_count=562144

# Configuration Variables
ELASTICSEARCH_HEAP="2g"
LOGSTASH_HEAP="1g"
PACKETBEAT_HEAP="256m"
FILEBEAT_HEAP="256m"
METRICBEAT_HEAP="256m"

Hi guys, thanks for the job do it here.

I have a problem:

When i change the ELASTIC_PASSWORD variable, some services stop responding, for example everything starts fine, but logstash cannot connect to ES:

[2021-06-09T23:30:09,929][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://elasticsearch:9200/'"}
[2021-06-09T23:30:15,043][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://elasticsearch:9200/'"}
[2021-06-09T23:30:20,167][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@elasticsearch:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'https://elasticsearch:9200/'"}

Password haven't weird chars, lets say that the value, now is:

myPassword_HaveMoreThan20Chars.

Then,

1. docker-compose -f docker-compose.setup.yml run --rm certs
2. docker-compose up -d
3. Wait less than 5 minutes, access and voilà
4. docker logs -f logstash

Any ideas?

Kind regards!

Hi, i was trying this out for the newest version, but the agent is not working anymore, it could be the change that you need to deploy a fleet server before enrolling new agent. Could you try to fix this problem?

Wonder how to secure connect heartbeat to elasticsearch directly.

Hi, i was wondring how you should upgrade the elasticsearch container? It writes persistence data to the data volume, and this includes the ealsticsearch binaries. So even if you pull a newer image its still starting the old version.

elastic-agent | /usr/local/lib/python3.8/dist-packages/urllib3/connectionpool.py:1013: InsecureRequestWarning: Unverified HTTPS request is being made to host 'kibana'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
elastic-agent | warnings.warn(
elastic-agent | Traceback (most recent call last):
elastic-agent | File "/install.py", line 19, in
elastic-agent | agent.install(version=os.environ.get('ELK_VERSION'), preflight_check=preflight)
elastic-agent | File "/usr/local/lib/python3.8/dist-packages/elastic_agent_setup/elastic_agent.py", line 46, in install
elastic-agent | return self.__platform_run('install')
elastic-agent | File "/usr/local/lib/python3.8/dist-packages/elastic_agent_setup/elastic_agent.py", line 31, in __platform_run
elastic-agent | return Linux().run(subcommand=subcommand)
elastic-agent | File "/usr/local/lib/python3.8/dist-packages/elastic_agent_setup/platform/platform.py", line 39, in run
elastic-agent | return subprocess.run(command, shell=True, check=True, capture_output=True)
elastic-agent | File "/usr/lib/python3.8/subprocess.py", line 516, in run
elastic-agent | raise CalledProcessError(retcode, process.args,
elastic-agent | subprocess.CalledProcessError: Command 'cd /elastic-agent-7.15.0-linux-x86_64 && ./elastic-agent install --force --kibana-url="https://kibana:5601" --enrollment-token="cXNjLV8zd0JBeUdtcFJPMmlqWHQ6SGFrVXd6VVlSaENsTldlNTBxOUJsQQ==" --certificate-authorities="/ca.crt" ' returned non-zero exit status 1.