
Failed to connect to backoff(elasticsearch(http://elasticsearch:9200)) #2170

Open
hema8184 opened this issue May 2, 2024 · 7 comments
Labels
question Further information is requested Team:Cloud Security Cloud Security team related


hema8184 commented May 2, 2024

I am deploying Cloudbeat following https://github.com/elastic/cloudbeat/blob/main/dev-docs/Cloudbeat-Deployment.md#amazon-elastic-kubernetes-service-eks

and in the kustomizeEksOverlay := "deploy/kustomize/overlays/cloudbeat-eks" folder I have edited my Kibana host, Elasticsearch hosts, password and username, like this:

```yaml
setup.kibana:
  host: "http://:5601"
output.elasticsearch:
  hosts: [':9200']
  username:
  password:
```

But later, when I run `just deploy-eks-cloudbeat`:

```
serviceaccount "cloudbeat" deleted
role.rbac.authorization.k8s.io "cloudbeat-kubeadm-config" deleted
role.rbac.authorization.k8s.io "cloudbeat-role" deleted
Warning: deleting cluster-scoped resources, not scoped to the provided namespace
clusterrole.rbac.authorization.k8s.io "cloudbeat" deleted
rolebinding.rbac.authorization.k8s.io "cloudbeat-kubeadm-config" deleted
serviceaccount/cloudbeat created
rolebinding.rbac.authorization.k8s.io "cloudbeat-role-binding" deleted
clusterrolebinding.rbac.authorization.k8s.io "cloudbeat" deleted
configmap "cloudbeat-daemonset-config" deleted
role.rbac.authorization.k8s.io/cloudbeat-kubeadm-config created
secret "aws-creds-secret" deleted
daemonset.apps "cloudbeat" deleted
role.rbac.authorization.k8s.io/cloudbeat-role created
clusterrole.rbac.authorization.k8s.io/cloudbeat created
rolebinding.rbac.authorization.k8s.io/cloudbeat-kubeadm-config created
rolebinding.rbac.authorization.k8s.io/cloudbeat-role-binding created
clusterrolebinding.rbac.authorization.k8s.io/cloudbeat created
configmap/cloudbeat-daemonset-config created
secret/aws-creds-secret created
daemonset.apps/cloudbeat created
```

These are created successfully, but in my pod logs I still get the error `Failed to connect to backoff(elasticsearch(http://elasticsearch:9200))`.

The full log file can be found here:

logs-from-cloudbeat-in-cloudbeat-pcbbb.log

hema8184 added the bug and Team:Cloud Security labels May 2, 2024

hema8184 commented May 2, 2024

Hey @moukoublen @gose @jbcrail @dmathieu @smith Please help us.

moukoublen added the question label and removed the bug label May 2, 2024

moukoublen commented May 2, 2024

Hello @hema8184, please avoid directly tagging people (especially those not in the Cloudbeat team).

The `just` command you refer to is intended for development purposes, like loading a custom modified cloudbeat binary to EKS and running the KSPM flavor.

Is that your case? What is your use case in general?

For example, if you want to install Cloudbeat on EKS to run KSPM (given that you already have an ELK installation and that the EKS cluster has network access to it), you will have to follow the KSPM integration installation guide here.

Thanks


sirishas23 commented May 2, 2024

Hi @moukoublen, I am also from the same team as @hema8184.

Yes, we have configured the networking correctly. My "EKS Cluster" and "Kibana, Elasticsearch" are in different VPCs with a VPC peering connection enabled.

Actually, it is taking the Elasticsearch host as in "Failed to connect to backoff(elasticsearch(http://elasticsearch:9200))", but I have modified the deploy/kustomize/overlays/cloudbeat-eks/cloudbeat.yml file to enter my Kibana host and Elasticsearch host, usernames and passwords. Even so, it is taking the host as http://elasticsearch:9200. I think http://elasticsearch:9200 is mentioned somewhere else, and that is where I need to edit my host names.

@Shankar-Mendyala

+1

@moukoublen

Hello @sirishas23,

The `just deploy-eks-cloudbeat` command was intended only for development purposes and is not actively maintained. It also uses an old elastic-agent (cloudbeat) image by default unless you overwrite that.

If you want to install cloudbeat into an EKS k8s cluster, I think the best way to do that is by following the KSPM integration installation guide here.

If I may, what is your use case? If we know that, we might be able to provide better direction.

(Also if there is no objection I will mark this as duplicate and close it)


Shankar-Mendyala commented May 14, 2024

Hello @moukoublen,
In my case, I need to install Cloudbeat for a project in my AWS EKS; it and the ELK Stack are maintained by us. What is the best way to include my existing Elasticsearch credentials? Our final result should be that, once we have installed Cloudbeat into EKS, it connects to our ELK stack to transfer security findings to Elasticsearch.

@moukoublen

Hello @Shankar-Mendyala, have you tried to install the KSPM through kibana's install integration flow? (requires a fleet manager).

If yes, was there any issue with that flow?

If you try to install a standalone cloudbeat binary (not the whole elastic-agent package), you will need to do some manual work. I think there is no quick / one-command solution for that.

You will have to use a docker image with a standalone cloudbeat binary (or elastic-agent image but use the cloudbeat binary directly) and provide a custom cloudbeat.yml config file.

Perhaps you can find an example in our kspm ci workflow, but you will have to remove the test cases and elasticsearch elements from the chart, so there is some manual work involved.
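
Added example, not part of the issue thread or the Cloudbeat repository: a shell check for the symptom reported above, listing the `output.elasticsearch` hosts that a rendered or deployed manifest actually carries and flagging the `elasticsearch:9200` value seen in the error message. The manifest in `sample_manifest` is constructed, the `cloudbeat.yml` data key and the `example.internal` hosts are assumptions, and `<namespace>` is a placeholder.

```shell
# Added example: list the Elasticsearch hosts a rendered manifest really carries.
# Assumes the Beats-style "output.elasticsearch:" / "hosts:" keys quoted in the issue.
#   kubectl kustomize deploy/kustomize/overlays/cloudbeat-eks | classify_hosts
#   kubectl get configmap cloudbeat-daemonset-config -n <namespace> -o yaml | classify_hosts
es_hosts() {
  awk -v q="'" '
    function indent(s,  t) { t = s; sub(/^ +/, "", t); return length(s) - length(t) }
    function emit(v) {                       # strip brackets, quotes, padding
      gsub(/\[|\]|"/, "", v); gsub(q, "", v); gsub(/^ +| +$/, "", v)
      if (v != "") print v
    }
    /^ *output\.elasticsearch:/ { base = indent($0); in_out = 1; in_list = 0; next }
    in_out && NF && indent($0) <= base { in_out = 0; in_list = 0 }  # left the block
    in_out && /^ *hosts:/ {
      v = $0; sub(/^ *hosts: */, "", v)
      if (v == "") { in_list = 1; next }     # block-style list follows
      n = split(v, h, ","); for (i = 1; i <= n; i++) emit(h[i])
      next
    }
    in_out && in_list && /^ *- / { v = $0; sub(/^ *- */, "", v); emit(v); next }
    in_out && in_list && NF { in_list = 0 }
  '
}

# Tag each host: the value from the error message, explicit http://, or other.
classify_hosts() {
  es_hosts | while IFS= read -r host; do
    case "$host" in
      elasticsearch:9200|*://elasticsearch:9200) echo "$host unchanged-default" ;;
      http://*) echo "$host cleartext-http" ;;
      *)        echo "$host custom" ;;
    esac
  done
}

# Constructed sample; the cloudbeat.yml data key and hosts are assumptions.
sample_manifest() {
  cat <<'EOF'
kind: ConfigMap
metadata:
  name: cloudbeat-daemonset-config
data:
  cloudbeat.yml: |
    output.elasticsearch:
      hosts: ["http://elasticsearch:9200", 'https://es.example.internal:9200']
      username: placeholder-user
EOF
}
sample_manifest | classify_hosts
```

An `unchanged-default` line means the edited overlay values never reached the config the pod reads, which matches the log message in this issue.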
