...
Run FileBeat on K8s (TLS enabled)
As seen in the parent paragraph, now we have to take care of sending the logs from the K8s cluster to ESK. The procedure is similar to the one already seen, with some small differences. After downloading the filebeat-kubernetes.yaml, make the following changes:
filebeat-kubernetes.yaml

```yml
# filebeat.yml section of the ConfigMap
output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  protocol: https # <--- Pay attention !!!
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}
  ssl:
    certificate_authorities: |
      -----BEGIN CERTIFICATE-----
      MIIDSTCCAjGgAwIBAgIUDVhtJ8gwO3EZJpY3/OOpv0FwAu0wDQYJKoZIhvcNAQEL
      .
      .
      a7fWt1++yAAS3OHknl7MV8XlnO/S4a3nJz4AH/o=
      -----END CERTIFICATE-----
    certificate: |
      -----BEGIN CERTIFICATE-----
      MIIDQDCCAiigAwIBAgIUTy7I4LGEsEhuY69EqGN61v6cBqEwDQYJKoZIhvcNAQEL
      .
      .
      apL+xAsTg06BunbXKYBVZnxIxTA=
      -----END CERTIFICATE-----
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEowIBAAKCAQEAtPRUO3tAvzWnyZR81qLMbHiWIOnv4lf4fEhSL0L/Oa1XvB+O
      .
      .
      sMpqfmyHtjnNe9VV4u52NrKIDfcpHigXSAGAf2w/LYm/oPsksRCD
      -----END RSA PRIVATE KEY-----

# env section of the filebeat container in the DaemonSet
env:
- name: ELASTICSEARCH_HOST
  value: <IP> # <--- Enter the Floating/Internal IP of the host with elasticsearch
- name: ELASTICSEARCH_PORT
  value: "9200"
- name: ELASTICSEARCH_USERNAME
  value: elastic
- name: ELASTICSEARCH_PASSWORD
  value: <elastic_user_Password>
```
The certificates are located inside the es01 container, in the path indicated in the .env file.
Retrieve the certificates

```bash
# To enter the container
$ docker exec -it es01 /bin/bash
# Path of the certificates inside the container
root@0d928f8ebff2:/usr/share/elasticsearch/config/certificates# ls
bundle.zip ca es01 kib01
```
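The manifest changes shown above place the client private key and the elastic password in plain text inside filebeat-kubernetes.yaml. The following variant is an added example, not part of the original page: it moves both into a Kubernetes Secret and points Filebeat at mounted files. The Secret name filebeat-es-tls, its key names, the local file names, the mount path /etc/filebeat/certs and the kube-system namespace are assumptions.

```yaml
# Added example. Assumed names: filebeat-es-tls, ca.crt, client.crt, client.key,
# /etc/filebeat/certs, namespace kube-system.
# Create the Secret out of band so no key material is stored with the manifest:
#   kubectl -n kube-system create secret generic filebeat-es-tls \
#     --from-file=ca.crt --from-file=client.crt --from-file=client.key \
#     --from-literal=password='<elastic_user_Password>'
---
# filebeat.yml section of the ConfigMap: file paths instead of inline PEM
output.elasticsearch:
  hosts: ['${ELASTICSEARCH_HOST:elasticsearch}:${ELASTICSEARCH_PORT:9200}']
  protocol: https
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}
  ssl:
    verification_mode: full            # verify CA chain and hostname
    certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
    certificate: "/etc/filebeat/certs/client.crt"
    key: "/etc/filebeat/certs/client.key"
---
# DaemonSet, filebeat container spec: password comes from the Secret
env:
- name: ELASTICSEARCH_PASSWORD
  valueFrom:
    secretKeyRef:
      name: filebeat-es-tls
      key: password
volumeMounts:
- name: es-tls
  mountPath: /etc/filebeat/certs
  readOnly: true
---
# DaemonSet, pod spec: mount the Secret as read-only files
volumes:
- name: es-tls
  secret:
    secretName: filebeat-es-tls
    defaultMode: 0400   # owner read only; adjust if Filebeat runs as a non-root user
```

The remaining env entries (ELASTICSEARCH_HOST, ELASTICSEARCH_PORT, ELASTICSEARCH_USERNAME) stay as in the original manifest.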