- Newest
- Most votes
- Most comments
Yes, it's possible but you have to use the OSS version of filebeat/metricbeat/x-beat
https://www.elastic.co/downloads/beats/filebeat-oss
https://www.elastic.co/downloads/beats/metricbeat-oss
The non OSS version for x-beat will check for x-pack (so it checks if the ES cluster is from Elastic, which in the case of Amazon ES is not). Other than that, it seems that we may have authorization issue in the dashboard import.
If FGAC (https://docs.aws.amazon.com/elasticsearch-service/latest/developerguide/fgac.html) is on (with internal CS users), the import fails with the following error:
error loading /Users/xxx/filebeat-7.8.0-darwin-x86_64/kibana/7/dashboard/osquery-rootkit.json: returned 401 to import file: <nil>. Response: {"message":"Session expired","redirectTo":"login"}
If FGAC is turned off, the import seems to work. If you want to keep FGAC and import the dashboard, you can setup a IAM user beside the internal primary user (you can just create the cluster with a IAM primary user and then switch to internal primary, using "modify authentication"). If you then setup AWS ES Kibana Proxy https://www.npmjs.com/package/aws-es-kibana, you will be able to import the dashboard using the IAM users key via the proxy.
It's still unclear why the basic authentication is not working, while it should.
Relevant content
- Accepted Answerasked 4 years ago
- Accepted Answerasked 10 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago