Metric beats Error logs when following guide 1.3.0 (cannot connect to kibana)

[joelharkes]

Bug Report

What did you do? Follow the guide https://www.elastic.co/guide/en/cloud-on-k8s/current/index.html on my minikube locally.

Installed:

• elastic search: quickstart
• kibana: quickstart
• file beat.
• Now tried setting up metricsbeat. (according to the example): https://www.elastic.co/guide/en/cloud-on-k8s/current/k8s-beat-configuration-examples.html

What did you expect to see?

Metrics in kibana coming in (but instead im only getting container logs from file beat)

What did you see instead? Under which circumstances?

The file beat works (running pod) but im not getting any metrics in Kibana.

In the logging i see:

2020-11-27T10:07:38.176Z        ERROR   instance/metrics.go:285 error getting group status: open /proc/450037/cgroup: no such file or directory
....
2020-11-27T10:07:38.176Z        INFO    instance/beat.go:452    metricbeat stopped.
2020-11-27T10:07:38.176Z        ERROR   instance/beat.go:956    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://quickstart-kb-http.default.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [default-metricbeat-beat-kb-user] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" ch... (truncated).
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://quickstart-kb-http.default.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [default-metricbeat-beat-kb-user] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" ch... (truncated).

Environment

• ECK version:

  1.3.0

• Kubernetes information:

minikube version: v1.14.2 (on windows) commit: 2c82918e2347188e21c4e44c8056fc80408bce10

Client Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.3", GitCommit:"1e11e4a2108024935ecfcb2912226cedeafd99df", GitTreeState:"clean", BuildDate:"2020-10-14T12:50:19Z", GoVersion:"go1.15.2", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"19", GitVersion:"v1.19.2", GitCommit:"f5743093fd1c663cb0cbc89748f730662345d44d", GitTreeState:"clean", BuildDate:"2020-09-16T13:32:58Z", GoVersion:"go1.15", Compiler:"gc", Platform:"linux/amd64"}

• Resource definition:

apiVersion: beat.k8s.elastic.co/v1beta1
kind: Beat
metadata:
  name: quickstart
spec:
  type: metricbeat
  version: 7.10.0
  elasticsearchRef:
    name: quickstart
  kibanaRef:
    name: quickstart
  config:
    metricbeat:
      autodiscover:
        providers:
        - hints:
            default_config: {}
            enabled: "true"
          host: ${NODE_NAME}
          type: kubernetes
      modules:
      - module: system
        period: 10s
        metricsets:
        - cpu
        - load
        - memory
        - network
        - process
        - process_summary
        process:
          include_top_n:
            by_cpu: 5
            by_memory: 5
        processes:
        - .*
      - module: system
        period: 1m
        metricsets:
        - filesystem
        - fsstat
        processors:
        - drop_event:
            when:
              regexp:
                system:
                  filesystem:
                    mount_point: ^/(sys|cgroup|proc|dev|etc|host|lib)($|/)
      - module: kubernetes
        period: 10s
        host: ${NODE_NAME}
        hosts:
        - https://${NODE_NAME}:10250
        bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
        ssl:
          verification_mode: none
        metricsets:
        - node
        - system
        - pod
        - container
        - volume
    processors:
    - add_cloud_metadata: {}
    - add_host_metadata: {}
  daemonSet:
    podTemplate:
      spec:
        serviceAccountName: metricbeat
        automountServiceAccountToken: true # some older Beat versions are depending on this settings presence in k8s context
        containers:
        - args:
          - -e
          - -c
          - /etc/beat.yml
          - -system.hostfs=/hostfs
          name: metricbeat
          volumeMounts:
          - mountPath: /hostfs/sys/fs/cgroup
            name: cgroup
          - mountPath: /var/run/docker.sock
            name: dockersock
          - mountPath: /hostfs/proc
            name: proc
          env:
          - name: NODE_NAME
            valueFrom:
              fieldRef:
                fieldPath: spec.nodeName
        dnsPolicy: ClusterFirstWithHostNet
        hostNetwork: true # Allows to provide richer host metadata
        securityContext:
          runAsUser: 0
        terminationGracePeriodSeconds: 30
        volumes:
        - hostPath:
            path: /sys/fs/cgroup
          name: cgroup
        - hostPath:
            path: /var/run/docker.sock
          name: dockersock
        - hostPath:
            path: /proc
          name: proc
---
# permissions needed for metricbeat
# source: https://www.elastic.co/guide/en/beats/metricbeat/current/metricbeat-module-kubernetes.html
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: metricbeat
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - events
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "extensions"
  resources:
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - statefulsets
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - nodes/stats
  verbs:
  - get
- nonResourceURLs:
  - /metrics
  verbs:
  - get
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: metricbeat
  namespace: default
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: metricbeat
subjects:
- kind: ServiceAccount
  name: metricbeat
  namespace: default
roleRef:
  kind: ClusterRole
  name: metricbeat
  apiGroup: rbac.authorization.k8s.io

• Logs:

2020-11-27T10:07:38.176Z        ERROR   instance/metrics.go:285 error getting group status: open /proc/450037/cgroup: no such file or directory
....
2020-11-27T10:07:38.176Z        INFO    instance/beat.go:452    metricbeat stopped.
2020-11-27T10:07:38.176Z        ERROR   instance/beat.go:956    Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://quickstart-kb-http.default.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [default-metricbeat-beat-kb-user] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" ch... (truncated).
Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://quickstart-kb-http.default.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"[security_exception] unable to authenticate user [default-metricbeat-beat-kb-user] for REST request [/_security/_authenticate], with { header={ WWW-Authenticate={ 0=\"Basic realm=\\\"security\\\" ch... (truncated).

[Yantrio]

Im also hitting this with a similar setup (just changed the elasticsearchRef and bumped the version to 7.10.2

[barkbay]

Hi, could you check if there's any error in the operator logs (kubectl -n elastic-system logs -f statefulset.apps/elastic-operator if installed with the quickstart) ? It might be because the operator is not able to reconcile the association between Beat and Kibana.

[jaronoff97]

+1 Also seeing this issue in a production cluster. It started happening after the cluster had been running for about three weeks, so it's unclear what cause this to fail

[mossholderm]

+1 here as well. New cluster running on Fedora Server 33. By chance, are any of the others hitting this issue also on Red Hat derivatives?

[an-tex]

I had the same when anonymous user was enabled:

      config:
        xpack.security.authc:
          anonymous:
            roles: superuser
            authz_exception: false

switching back to proper user auth solved the issue

[MastanaGuru]

Running Operator 1.5 on openshift 4.6.16 stack version 7.12 I am running into the same issue

{"level":"info","timestamp":"2021-04-27T16:26:17.061Z","logger":"index-management","caller":"idxmgmt/std.go:184","message":"Set output.elasticsearch.index to 'metricbeat-7.12.0' as ILM is enabled."} {"level":"warn","timestamp":"2021-04-27T16:26:17.061Z","logger":"cfgwarn","caller":"tlscommon/config.go:101","message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0"} {"level":"info","timestamp":"2021-04-27T16:26:17.061Z","caller":"eslegclient/connection.go:99","message":"elasticsearch url: https://elasticsearch-es-http.elastic-elk.svc:9200"} {"level":"info","timestamp":"2021-04-27T16:26:17.062Z","logger":"publisher","caller":"pipeline/module.go:113","message":"Beat name: metricbeat-beat-metricbeat-7cf49478cf-s24mx"} {"level":"info","timestamp":"2021-04-27T16:26:17.132Z","logger":"monitoring","caller":"log/log.go:117","message":"Starting metrics logging every 30s"} {"level":"warn","timestamp":"2021-04-27T16:26:17.132Z","logger":"cfgwarn","caller":"tlscommon/config.go:101","message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0"} {"level":"info","timestamp":"2021-04-27T16:26:17.132Z","caller":"kibana/client.go:119","message":"Kibana url: https://kibana-kb-http.elastic-elk.svc:5601"} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:152","message":"Total non-zero metrics","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000},"quota":{"us":100000}},"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","stats":{"periods":3}},"cpuacct":{"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","total":{"ns":217798082}},"memory":{"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","mem":{"limit":{"bytes":1073741824},"usage":{"bytes":31682560}}}},"cpu":{"system":{"ticks":50,"time":{"ms":57}},"total":{"ticks":170,"time":{"ms":185},"value":0},"user":{"ticks":120,"time":{"ms":128}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":9},"info":{"ephemeral_id":"4cae33d5-afff-4f7c-b886-f0fc6a674c5a","uptime":{"ms":227}},"memstats":{"gc_next":16713344,"memory_alloc":14120648,"memory_sys":76104704,"memory_total":29426048,"rss":89141248... {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:153","message":"Uptime: 228.440641ms"} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:130","message":"Stopping metrics logging."} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","caller":"instance/beat.go:465","message":"metricbeat stopped."} {"level":"error","timestamp":"2021-04-27T16:26:17.207Z","caller":"instance/beat.go:971","message":"Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-kb-http.elastic-elk.svc:5601/api/status fails: <nil>. Response: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"security_exception\"}."} Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-kb-http.elastic-elk.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"security_exception"}.

[MastanaGuru]

Noticed Metribeat successfully connects Kibana but after 2-4 restarts of the pod.

Running Operator 1.5 on openshift 4.6.16 stack version 7.12 I am running into the same issue

{"level":"info","timestamp":"2021-04-27T16:26:17.061Z","logger":"index-management","caller":"idxmgmt/std.go:184","message":"Set output.elasticsearch.index to 'metricbeat-7.12.0' as ILM is enabled."} {"level":"warn","timestamp":"2021-04-27T16:26:17.061Z","logger":"cfgwarn","caller":"tlscommon/config.go:101","message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0"} {"level":"info","timestamp":"2021-04-27T16:26:17.061Z","caller":"eslegclient/connection.go:99","message":"elasticsearch url: https://elasticsearch-es-http.elastic-elk.svc:9200"} {"level":"info","timestamp":"2021-04-27T16:26:17.062Z","logger":"publisher","caller":"pipeline/module.go:113","message":"Beat name: metricbeat-beat-metricbeat-7cf49478cf-s24mx"} {"level":"info","timestamp":"2021-04-27T16:26:17.132Z","logger":"monitoring","caller":"log/log.go:117","message":"Starting metrics logging every 30s"} {"level":"warn","timestamp":"2021-04-27T16:26:17.132Z","logger":"cfgwarn","caller":"tlscommon/config.go:101","message":"DEPRECATED: Treating the CommonName field on X.509 certificates as a host name when no Subject Alternative Names are present is going to be removed. Please update your certificates if needed. Will be removed in version: 8.0.0"} {"level":"info","timestamp":"2021-04-27T16:26:17.132Z","caller":"kibana/client.go:119","message":"Kibana url: https://kibana-kb-http.elastic-elk.svc:5601"} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:152","message":"Total non-zero metrics","monitoring":{"metrics":{"beat":{"cgroup":{"cpu":{"cfs":{"period":{"us":100000},"quota":{"us":100000}},"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","stats":{"periods":3}},"cpuacct":{"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","total":{"ns":217798082}},"memory":{"id":"crio-bc41e2251403c8c00b3cc983003aea6696a362531cb2ad6bb7dea0f771f1be8d.scope","mem":{"limit":{"bytes":1073741824},"usage":{"bytes":31682560}}}},"cpu":{"system":{"ticks":50,"time":{"ms":57}},"total":{"ticks":170,"time":{"ms":185},"value":0},"user":{"ticks":120,"time":{"ms":128}}},"handles":{"limit":{"hard":1048576,"soft":1048576},"open":9},"info":{"ephemeral_id":"4cae33d5-afff-4f7c-b886-f0fc6a674c5a","uptime":{"ms":227}},"memstats":{"gc_next":16713344,"memory_alloc":14120648,"memory_sys":76104704,"memory_total":29426048,"rss":89141248... {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:153","message":"Uptime: 228.440641ms"} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","logger":"monitoring","caller":"log/log.go:130","message":"Stopping metrics logging."} {"level":"info","timestamp":"2021-04-27T16:26:17.207Z","caller":"instance/beat.go:465","message":"metricbeat stopped."} {"level":"error","timestamp":"2021-04-27T16:26:17.207Z","caller":"instance/beat.go:971","message":"Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-kb-http.elastic-elk.svc:5601/api/status fails: <nil>. Response: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"security_exception\"}."} Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-kb-http.elastic-elk.svc:5601/api/status fails: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"security_exception"}.

[csaroff]

I had the same when anonymous user was enabled:

  config:
    xpack.security.authc:
      anonymous:
        roles: superuser
        authz_exception: false

switching back to proper user auth solved the issue

Hitting the same issue. Did you happen to find a resolution to this that doesn't involve removing anonymous authentication?

[kaykhan]

Im also experiencing the same issue in 8.2.2

{"log.level":"error","@timestamp":"2022-06-08T10:52:31.480Z","log.origin":{"file.name":"instance/beat.go","file.line":1038},"message":"Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-prod-kb-http.elastic-system.svc:5601/api/status fails: [security_exception: [security_exception] Reason: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]: <nil>. Response: {\"statusCode\":401,\"error\":\"Unauthorized\",\"message\":\"[security_exception: [security_exception] Reason: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]]: unable to authenticate user [elas... (truncated).","service.name":"metricbeat","ecs.version":"1.6.0"}

Exiting: error connecting to Kibana: fail to get the Kibana version: HTTP GET request to https://kibana-prod-kb-http.elastic-system.svc:5601/api/status fails: [security_exception: [security_exception] Reason: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]]: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]: <nil>. Response: {"statusCode":401,"error":"Unauthorized","message":"[security_exception: [security_exception] Reason: unable to authenticate user [elastic-system-metricbeat-beat-kb-user] for REST request [/_security/_authenticate]]: unable to authenticate user [elas... (truncated).

[jpuskar]

8.6.1 also, same deal. eck v2.6.1