Elasticsearch_exporter (es_exporter) authentication steps are not working.

[shubhammugale]

We are trying to apply authentication on es_exporter, but we are unable to do so on the Ubuntu 22.04 machine. The document we found is attached here. Please let us know the configuration steps if it is possible to apply authentication for the es_exporter

#438

[shubhammugale]

We are trying to apply authentication on es_exporter, but we are unable to do so on the Ubuntu 22.04 machine. The document we found is attached here. Please let us know the configuration steps if it is possible to apply authentication for the es_exporter

#438

Is there any update on this..............!

[sysadmind]

Are you talking about the username/password to access elasticsearch or are you talking about protecting the /metrics endpoint of this exporter with authentication?

If you're asking about elasticsearch authentication, you can put the username and password in the elasticsearch URL or provide the environment variables instead.

If you're asking about protecting the /metrics endpoint, you can use the --web.config.file to specify basic auth credentials. See this documentation for more details.

[shubhammugale]

Hi @sysadmind,
As per your last solution, we have implemented the same, but it is not working. Upon further investigation, we found that the --web.config.file module does not exist, and we are encountering the following error:
unknown long flag '--web.config'

Currently, we are using Elasticsearch version 7.17.0 and es_exporter version 1.3.0 (branch: HEAD). Additionally, we verified the available options using the --help command, and the following options are displayed:

Flags:
-h, --help Show context-sensitive help (also try --help-long and --help-man).
--web.listen-address=":9114"
Address to listen on for web interface and telemetry.
--web.telemetry-path="/metrics"
Path under which to expose metrics.
--es.uri="http://localhost:9200"
HTTP API address of an Elasticsearch node.
--es.timeout=5s Timeout for trying to get stats from Elasticsearch.
--es.all Export stats for all nodes in the cluster. If used, this flag will override the flag es.node.
--es.node="_local" Node's name of which metrics should be exposed.
--es.indices Export stats for indices in the cluster.
--es.indices_settings Export stats for settings of all indices of the cluster.
--es.indices_mappings Export stats for mappings of all indices of the cluster.
--es.cluster_settings Export stats for cluster settings.
--es.shards Export stats for shards in the cluster (implies --es.indices).
--es.snapshots Export stats for the cluster snapshots.
--es.clusterinfo.interval=5m
Cluster info update interval for the cluster label
--es.ca="" Path to PEM file that contains trusted Certificate Authorities for the Elasticsearch connection.
--es.client-private-key=""
Path to PEM file that contains the private key for client auth when connecting to Elasticsearch.
--es.client-cert="" Path to PEM file that contains the corresponding cert for the private key to connect to Elasticsearch.
--es.ssl-skip-verify Skip SSL verification when connecting to Elasticsearch.
--es.apiKey="" API Key to use for authenticating against Elasticsearch
--log.level="info" Sets the loglevel. Valid levels are debug, info, warn, error
--log.format="logfmt" Sets the log format. Valid formats are json and logfmt
--log.output="stdout" Sets the log output. Valid outputs are stdout and stderr
--version Show application version.

Can you please help us further

[sysadmind]

The current release of elasticsearch_exporter is 1.8.0. I believe you need to update to a more recent version to get the --web.config options.

[shubhammugale]

@sysadmind We have installed 1.8.0 version of es_exporter and got the --web.config option on that but somehow we are not able to start the service. we are getting the below error

es_exporter[22052]: level=info ts=2024-11-29T17:43:57.634633849Z caller=clusterinfo.go:214 msg="triggering initial cluster info call"
es_exporter[22052]: level=info ts=2024-11-29T17:43:57.635200833Z caller=clusterinfo.go:183 msg="providing consumers with updated cluster info label"
es_exporter[22052]: level=error ts=2024-11-29T17:43:57.670280814Z caller=clusterinfo.go:188 msg="failed to retrieve cluster info from ES" err="HTTP Request failed with code 401"
es_exporter[22052]: level=info ts=2024-11-29T17:44:07.659997776Z caller=main.go:249 msg="initial cluster info call timed out"
es_exporter[22052]: level=info ts=2024-11-29T17:44:07.660703096Z caller=tls_config.go:313 msg="Listening on" address=[::]:9114
es_exporter[22052]: level=error ts=2024-11-29T17:44:07.661086075Z caller=main.go:287 msg="http server quit" err="unknown cipher: TLS_RSA_WITH_AES_256_GCM_SHA384"

[sysadmind]

I see two things here:

1. The authentication to elasticsearch failed. Could this be due to 1.4.0 removing support for some of the environment variables? I'm not sure how you are specifying credentials for elasticsearch.
2. The http server is exiting with the error unknown cipher. I don't know what causes this. Are you using client certificates? I'm wondering if there is some incompatibility in a certificate.