Unable to connect ELK to Icingaweb2

Hello There,

I am trying to integrate the ELK stack into Icinga2. I have Icingaweb configured and I have enabled the elasticsearch module. Later on I added an instance using Icingaweb and created an event type.

When I try to execute the following command to check the instance details, I get the error message UNKNOWN - Instance not found.

icingacli elasticsearch --instance

Can anybody give me a suggestion on how to connect to the ELK instance?

Regards,
Sabil.

Hi and welcome,

It’s a long time ago that I tried this module. Maybe I remember some points which could help. But for this it would be interesting to know how you configured it:

Hello @stevie-sy,

Thank you for your reply.

I am using Ubuntu 20.4.

I have used the same GitHub repo which you have given to configure the elasticsearch module with Icinga.

I don’t see any errors related to elasticsearch in icinga logs.

For authentication I am using the elastic user and password to authenticate on ELK.

When I try the following command I can see the error below.

# icingacli elasticsearch check --instance default
UNKNOWN - Instance not found
#

Kindly suggest.

Thanks and regards,

Did you check the ELK log as well? If you can connect, I’m sure that there will be an entry for a login failure or something else.

You can also try a request with curl in verbose mode to see if your server can connect to ELK.

Thank you Stevie for your support and information.

Hi @twidhalm,

I need your suggestion/assistance here to send the logstash logs to Icinga for monitoring purposes.

Let me explain my environment and scenario.

I have the ELK stack running on one server and Filebeat running on 3 other servers. I am able to gather the logs on the Kibana dashboard using Filebeat. Everything is working fine so far.

Now I have to send the logstash logs which I am getting through Filebeat. I have to configure Icinga2 on my ELK stack.

I have installed and configured Icinga2 and Icingaweb on the server where the ELK stack is running.

Now I am following the link below to use the elasticsearch module to send the logstash data to Icinga.

icingaweb2-module-elasticsearch/doc at master · Icinga/icingaweb2-module-elasticsearch (github.com)

What I did is I enabled the elasticsearch module on the server, and then from the Icingaweb GUI I configured elasticsearch, where I created an instance and an event type.

I have given hostip:9200 as the URI while creating the instance, and the elastic user and password which I use to log in to the Kibana dashboard. In the event type I have given the index details and the IP address of the host where the ELK stack is running, and as the field I have used @timestamp just for testing purposes.

When I checked in Icinga I was unable to find anything related to Elasticsearch.
I can see the elasticsearch module is enabled, and when I try to run the following command I get the error instance not found.

icingacli elasticsearch --instance elasticsearch check. 

Can you please assist me here? What is missing, or do I need to make any other configuration to get the Icinga and ELK integration to work?

Thank you so much in advance!

Hi,

Thanks @stevie-sy for stepping in. That’s what I would have asked so far, too. :)

Hm… @sabil05 could you post the contents of /etc/icingaweb2/modules/elasticsearch/instances.ini? Please make very sure to remove any password and maybe even the hostname of your Elasticsearch instance?

Your command didn’t work for me either, because I named my instance Elasticsearch (it’s case sensitive…)

Hi @twidhalm

Thank you for your reply.

Here is my instances.ini and current configuration.

[elasticsearch]
uri = "http://IPaddresofelkstack:9200"
user = "elastic"
password = "**********"
ca = ""
client_certificate = ""
client_private_key = ""

I will remove the user id and password. My instance name is “elasticsearch” with a lowercase e.

[elasticsearch]
uri = "http://IPaddresofelkstack:9200"
user = ""
password = ""
ca = ""
client_certificate = ""
client_private_key = ""

Please have a look and let me know if any changes are required.

Thanks.
Sabil

Here is the eventtype.ini

[elasticsearch]
instance = "elasticsearch"
index = "filebeat-*"
filter = "*"
fields = "@timestamp"

The URI field is mandatory while creating an instance in Icinga, and I have entered my Elasticsearch IP address with port 9200. Elasticsearch is running as a container on the host machine.

I tried removing the credentials from instances.ini and was getting an authorization error.

Now I have updated the credentials again and I am getting the following error.

icingacli elasticsearch check --instance Elasticsearch --crit 5 --warn 3 --index filebeat-* --filter "beat.hostname=hostname AND severity=critical" --from -1h
UNKNOWN - count(): Parameter must be an array or an object that implements Countable

Now I am not getting the instance not found error.

Note: I have renamed the instance from elasticsearch to Elasticsearch.
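
The instance-name mismatch discussed above can be checked offline. This is an added example, not part of any post in this thread and not the module's own code: it assumes the `--instance` value must equal a section name in `instances.ini` exactly (as the thread indicates), and the sample file and function names are constructed for illustration. It also flags the two security-relevant settings visible in the posted configuration.

```python
import configparser

# Constructed sample mirroring the instances.ini posted in this thread
# (the password is a placeholder; the host is the poster's own redaction).
SAMPLE_INI = '''
[elasticsearch]
uri = "http://IPaddresofelkstack:9200"
user = "elastic"
password = "placeholder"
ca = ""
client_certificate = ""
client_private_key = ""
'''

def load_instances(text):
    """Parse instances.ini text into {section: {key: unquoted value}}."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' may occur in passwords
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {s: {k: v.strip('"') for k, v in cp[s].items()} for s in cp.sections()}

def check_instance(instances, name):
    """Return a list of findings for the name passed to --instance."""
    findings = []
    if name not in instances:  # section names are compared case-sensitively
        near = [s for s in instances if s.lower() == name.lower()]
        hint = f"; differs only in case from {near}" if near else ""
        findings.append(f"instance '{name}' not found, defined: {sorted(instances)}{hint}")
        return findings
    cfg = instances[name]
    if cfg.get("uri", "").lower().startswith("http://") and cfg.get("password"):
        findings.append("credentials are sent over plain http")
    if cfg.get("user") == "elastic":
        findings.append("built-in 'elastic' superuser in use; prefer a dedicated least-privilege user")
    return findings

if __name__ == "__main__":
    instances = load_instances(SAMPLE_INI)
    for candidate in ("default", "Elasticsearch", "elasticsearch"):
        print(candidate, "->", check_instance(instances, candidate) or "no findings")
```
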

Hello @twidhalm,

I was able to fix the count() related issue while executing the icingacli command, and now I am able to execute it successfully.

Now when I run that command I get the output OK - 0 hits.

I have mentioned all the event details such as, instance name, index, filter and fields.

Can you please suggest how to pull the data from ELK to Icingaweb2 now?

Regards,
Sabil.