
Metricbeat can't automatically connect #248

Status: Open
widhalmt opened this issue Aug 24, 2023 · 3 comments · May be fixed by #274

widhalmt (Member) wrote on Aug 24, 2023:

When running the collection with defaults (only activating Metricbeat) it fails, because the variable elasticsearch_http_security isn't set for Metricbeat hosts. This looks like it's some legacy code from before we built the collection. It's possible that Auditbeat suffers the same problem.

I'll investigate and I hope I can provide a solution.

@widhalmt widhalmt added the bug Something isn't working label Aug 24, 2023
@widhalmt widhalmt added this to the 1.0.0 milestone Aug 24, 2023
@widhalmt widhalmt self-assigned this Sep 12, 2023
widhalmt (Member, Author) commented:

There is a deeper-lying confusion about when to enable TLS in connections to Elasticsearch. If you browse all roles in the collection you will find different conditions that enable TLS for the connection to Elasticsearch. Most only allow TLS when the full stack variable is set.

I think we should allow TLS with or without the full stack variable being set (e.g. when using managed Elasticsearch). So my idea is to have a local variable in each role to enable or disable TLS. It should default to true/enabled and be set automatically to true when the full stack is used.
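One way to implement the per-role TLS switch described above, as an added example that is not part of the NETWAYS collection. It is a hypothetical task file for the Beats role; every variable name in it (elasticstack_full_stack, beats_elasticsearch_tls, beats_elasticsearch_ca, beats_elasticsearch_hosts, beats_elasticsearch_user, beats_elasticsearch_password) is an assumption. The point is that the effective TLS flag defaults to on, is forced on by the full-stack switch, and that the role fails with a clear message instead of rendering a config file from undefined variables:

```yaml
# Added example, not the collection's own code: roles/beats/tasks/tls.yml
# All variable names below are assumptions.
- name: Decide whether the Elasticsearch output uses TLS
  ansible.builtin.set_fact:
    # Default is TLS on. The full-stack switch forces it on; a standalone
    # deployment (e.g. managed Elasticsearch) keeps control via the role variable.
    beats_elasticsearch_tls_effective: >-
      {{ (elasticstack_full_stack | default(false) | bool)
         or (beats_elasticsearch_tls | default(true) | bool) }}

- name: Fail early instead of templating with undefined variables
  ansible.builtin.assert:
    that:
      - beats_elasticsearch_user is defined
      - beats_elasticsearch_password is defined
      - beats_elasticsearch_password | length > 0
      # With TLS on, a CA path is mandatory so the client can verify the server.
      - not (beats_elasticsearch_tls_effective | bool) or beats_elasticsearch_ca is defined
    fail_msg: >-
      Beats need an Elasticsearch user and password and, with TLS enabled,
      a CA path. Refusing to render metricbeat.yml with missing values.

- name: Render the Elasticsearch output section of metricbeat.yml
  ansible.builtin.copy:
    dest: /etc/metricbeat/metricbeat.yml
    owner: root
    group: root
    mode: "0600"   # the file contains a password
    # copy's content is templated by Ansible, so Jinja works here as in a .j2 file.
    content: |
      output.elasticsearch:
        hosts: {{ beats_elasticsearch_hosts | to_json }}
        protocol: "{{ 'https' if beats_elasticsearch_tls_effective | bool else 'http' }}"
        username: "{{ beats_elasticsearch_user }}"
        password: "{{ beats_elasticsearch_password }}"
      {% if beats_elasticsearch_tls_effective | bool %}
        ssl.certificate_authorities: ["{{ beats_elasticsearch_ca }}"]
        ssl.verification_mode: full
      {% endif %}
```

The assert is the part that addresses the symptom in this issue: an undefined password or CA variable stops the play with a message naming the variable, rather than failing deep inside the template render or, worse, producing a config that silently talks plain HTTP.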

widhalmt added a commit that referenced this issue Sep 12, 2023
fixes #248

This is something between a workaround and a partial solution. While it
makes more sense to use a role related variable for both Logstash and
Elasticsearch output (other than before) it's still not the goal we
want.

So overhauling the whole process of determining whether we need TLS or
not is due. I'll start a discussion and we need to adjust all roles to
the solution we find. Now there are similarities but it's not exactly
the same in every role.
@widhalmt widhalmt linked a pull request Sep 12, 2023 that will close this issue
widhalmt (Member, Author) commented Dec 1, 2023:

I guess, I found the culprit: https://github.com/NETWAYS/ansible-collection-elasticstack/blob/main/roles/beats/templates/metricbeat.yml.j2#L18

Here we use a variable for a password that's not set anywhere. We're using the hardcoded user elastic, which is bad security-wise (looks like something that's left over from a testing environment), with a password that looks like it's somehow generated or read, but this happens nowhere.

I hoped for a module for user management before we needed to create more users the way we did with Logstash. But it looks like we need to copy the code from logstash-security.yml and adapt it for Beats, so that we can create our own beats user as a makeshift solution. Don't put too much effort into it - we'll replace it with a module anyway.

widhalmt (Member, Author) commented Dec 1, 2023:

Part of the solution should also be to make sure that metricbeat setup is only run on a single host, and only on one that has access to Elasticsearch and Kibana.
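The makeshift approach from the two comments above (a dedicated Beats user created through the Elasticsearch security API instead of the built-in elastic superuser, and metricbeat setup run exactly once from a host that reaches both Elasticsearch and Kibana), as an added example that is not the collection's code. The variable names, the role name beats_writer, the password file path and the privilege lists are assumptions; the privileges follow the minimal set Elastic documents for a Beats publishing role, but should be checked against the Elasticsearch version in use:

```yaml
# Added example, not the collection's own code: roles/beats/tasks/beats-security.yml
# All variable names, beats_writer and the privilege lists are assumptions.
- name: Generate the Beats password once on the controller and reuse it on every run
  ansible.builtin.set_fact:
    # The password lookup stores the generated value in the given file, so
    # repeated runs keep the same password instead of rotating it every time.
    beats_elasticsearch_password: >-
      {{ lookup('ansible.builtin.password',
                beats_password_file ~ ' length=32 chars=ascii_letters,digits') }}
  run_once: true   # with set_fact, run_once stores the fact for every host in the play
  no_log: true

- name: Create a least-privilege role for Beats (no superuser for a log shipper)
  ansible.builtin.uri:
    url: "https://{{ beats_elasticsearch_api_host }}:9200/_security/role/beats_writer"
    method: PUT
    url_username: "{{ elasticstack_admin_user }}"       # admin account used only for setup
    url_password: "{{ elasticstack_admin_password }}"
    force_basic_auth: true
    ca_path: "{{ beats_elasticsearch_ca }}"            # verify the server, no validate_certs: false
    body_format: json
    body:
      cluster: ["monitor", "read_ilm", "read_pipeline"]
      indices:
        - names: ["metricbeat-*", "auditbeat-*"]
          privileges: ["create_doc", "create_index", "view_index_metadata"]
    status_code: [200, 201]
  run_once: true
  delegate_to: "{{ beats_setup_host }}"   # a host that can reach Elasticsearch and Kibana

- name: Create the dedicated Beats user bound to that role
  ansible.builtin.uri:
    url: "https://{{ beats_elasticsearch_api_host }}:9200/_security/user/beats_writer"
    method: PUT
    url_username: "{{ elasticstack_admin_user }}"
    url_password: "{{ elasticstack_admin_password }}"
    force_basic_auth: true
    ca_path: "{{ beats_elasticsearch_ca }}"
    body_format: json
    body:
      password: "{{ beats_elasticsearch_password }}"
      roles: ["beats_writer"]
      full_name: "Beats writer (managed by Ansible)"
    status_code: [200, 201]
  no_log: true   # keep the password out of the play output
  run_once: true
  delegate_to: "{{ beats_setup_host }}"

- name: Run metricbeat setup exactly once, from the host that reaches Elasticsearch and Kibana
  ansible.builtin.command:
    # setup writes index templates, ILM policies and dashboards, which the
    # writer role deliberately may not do; override the output credentials only here.
    argv:
      - metricbeat
      - setup
      - -E
      - "output.elasticsearch.username={{ elasticstack_admin_user }}"
      - -E
      - "output.elasticsearch.password={{ elasticstack_admin_password }}"
      - -E
      - "setup.kibana.host={{ beats_kibana_host }}"
  no_log: true
  run_once: true
  delegate_to: "{{ beats_setup_host }}"
  changed_when: true
```

The rendered metricbeat.yml then carries username beats_writer and the generated password, while the elastic account never leaves the setup tasks. Splitting the privileges this way also means a compromised Beats host can append to its own indices but cannot read other data, change templates, or manage users.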
