Can't connect Metricbeat to opensearch

Hi,

I have a docker compose file where I start the whole stack including Metricbeat and Filebeat.
I have the same configuration on both beat containers but Metricbeat says ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(elasticsearch(http://opensearch:9200)): 401 Unauthorized: Unauthorized.

Filebeat on the other hand is able to connect to opensearch.
What am I missing?

metricbeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

logging.level: debug
setup.ilm.enabled: false

setup.kibana:
    host: "dashboards:5601"
    username: admin
    password: admin
    headers:
      securitytenant: global

processors:
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

# enabled modules for monitoring (e.g. elasticsearch-xpack)
metricbeat.modules:
- module: elasticsearch
  xpack.enabled: true
  period: 10s
  hosts: ["http://opensearch:9200"]

output.elasticsearch:
  hosts: ["opensearch:9200"]
  username: 'admin'
  password: 'admin'
filebeat.config:
  modules:
    path: ${path.config}/modules.d/*.yml
    reload.enabled: false

logging.level: info

setup.ilm.enabled: false

setup.kibana:
    host: "dashboards:5601"
    username: admin
    password: admin
    headers:
      securitytenant: global

filebeat.inputs:
- type: udp
  enabled: true
  host: ":55014"    
    
processors:
  - dissect:
      tokenizer: "%{apptimestamp} %{host.machine} %{process.name}[%{process.pid|long}]: [%{log.level}] [%{log.logger}] %{log.message}"
      field: "message"
      target_prefix: ""
      trim_chars: "\n"
      overwrite_keys: true
  - timestamp:
      field: apptimestamp
      layouts:
        - '2006-01-02T15:04:05.999-07:00'
      test:
        - '2021-07-14T14:03:36.185188+02:00'
  
output.elasticsearch:
  hosts: ["opensearch:9200"]
  username: "admin"
  password: "admin"

docker compose:

  filebeat:
    restart: "always"
    depends_on: 
      - opensearch
    image: docker.elastic.co/beats/filebeat-oss:7.12.1
    command: filebeat -e -strict.perms=false
    container_name: filebeat
    volumes:
      - ./filebeat.yml:/usr/share/filebeat/filebeat.yml:ro
    networks: 
      - opensearch-net
    ports:
      - "6513:6513/tcp"  
      - "55014:55014/udp" 

  metricbeat:
    restart: "always"
    image: docker.elastic.co/beats/metricbeat-oss:7.12.1
    command: metricbeat -e -strict.perms=false
    environment:
      ELASTICSEARCH_HOSTS: http://opensearch:9200
    volumes:
      - ./metricbeat.yml:/usr/share/metricbeat/data/metricbeat.yml
    networks:
      - opensearch-net
    depends_on:
      - opensearch

I think this OpenSearch is expecting an SSL (https) connection and that’s why you’re getting a 401

Isn‘t it strange that filebeat works and metricbeat not?
Because I deactivated SSL on opensearch.
Or is Metricbeat talking somehow differently to opensearch than filebeat does?

@smudi No - they should be the same. I’m 99% sure something is awry in the configuration. Are they identical?

Long time no see …
But to clear this up:
I had to configure metricbeat and filebeat differently.

In metricbeat I had to configure environment inside the compose file:

    environment:
      - ELASTICSEARCH_HOSTS=opensearch:9200
      - KIBANA_HOST=dashboards:5601
      - ELASTICSEARCH_USERNAME=admin
      - ELASTICSEARCH_PASSWORD=admin

And in filebeat I can write in config file:

output.elasticsearch:
  hosts: ["opensearch:9200"]
  username: admin
  password: admin
1 Like

Awesome. That seems straight forward!