Logstash is not able to input data to elasticsearch


Asha_newbie

Apr 10, 2018, 9:39:27 PM
to Search Guard Community Forum


I generated secured certificates and have copied them locally to each service. I am new to ELK and Search Guard. Please help me with a Logstash configuration file.


Error: Logstash is not able to connect to ES; I am getting timeout error messages in the logs.


**************************** Elasticsearch.yml ********** searchguard configuration *****************

searchguard.ssl.transport.pemcert_filepath: /path/to/fullchain
searchguard.ssl.transport.pemkey_filepath: /path/to/privkey
searchguard.ssl.transport.pemtrustedcas_filepath: /path/to/chain
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /path/to/fullchain
searchguard.ssl.http.pemkey_filepath: path/to/privkey
searchguard.ssl.http.pemtrustedcas_filepath: /path/to/chain
searchguard.authcz.admin_dn:
 - "CN=dashboard.companyname,O=Let's Encrypt, C=US"
searchguard.restapi.roles_enabled: ["sg_all_access"]
searchguard.enterprise_modules_enabled: false




**************************** Kibana.yml ********** searchguard configuration *****************

elasticsearch.url: "https://localhost:9200"
server.ssl.enabled: true
server.ssl.certificate: /path/to/fullchain
server.ssl.key: /path/to/privatekey




*** *************** logstash.conf ********** Elasticsearch Output config ***********

output {
  elasticsearch {
    "ssl" => true
    "ssl_certificate_verification" => true
    "hosts" => ["localhost:9200"]
    "sniffing" => false
    "cacert" => "path/to/chain.pem"
    "user" => "logstash_user"
    "password" => "password"
    "index" => "logstash-index1"
  }
  stdout { codec => json }
}








Jochen Kressin

Apr 11, 2018, 3:41:10 PM
to Search Guard Community Forum
If you set ssl_certificate_verification to true in your logstash configuration, then the hostname in the certificate will be validated. If it does not match the real hostname, you will get an error. You use localhost everywhere in the configs, and there's some Let's Encrypt stuff in there as well, so I guess this is the first problem. Try to disable verification in logstash, as you already did in elasticsearch.yml.

SG

Apr 19, 2018, 2:31:24 PM
to search...@googlegroups.com
Logstash requires you to set the trusted root CAs via the truststore or cacert parameter in the configuration. This is the absolute path to either the truststore or the root CA in PEM format that contains the Certificate Authority’s certificate.
If you want logstash to verify the hostname of the certificate it receives from Elasticsearch, set the ssl_certificate_verification property to true.

See https://docs.search-guard.com/latest/logstash.html
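
The hostname check that both replies describe can be reproduced offline. The following is an added example, not code from the thread, from Search Guard or from Logstash: it approximates subjectAltName matching to show which `hosts` entries a verifying client would accept. `SAMPLE_CERT` is constructed (a certificate assumed to be issued for dashboard.companyname, in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`), and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in the dict shape returned by ssl.SSLSocket.getpeercert();
# assumes the node certificate was issued for dashboard.companyname only.
SAMPLE_CERT = {
    "subject": ((("commonName", "dashboard.companyname"),),),
    "subjectAltName": (("DNS", "dashboard.companyname"),),
}

def _dns_match(pattern, host):
    """Match one DNS SAN entry; a wildcard may only be the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # '*' covers exactly one label and is rejected for names like "*.com"
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def host_matches_cert(cert, host):
    """Return True if `host` is covered by the certificate's subjectAltName."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            # IP literals are compared only against IP entries, never DNS names
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False

def check_hosts(cert, hosts):
    """Map each `hosts` entry (name or IPv4, optional scheme/port) to match status."""
    result = {}
    for entry in hosts:
        # "https://name:9200" -> "name"; IPv6 literals are not handled here
        name = entry.split("://", 1)[-1].rsplit(":", 1)[0]
        result[entry] = host_matches_cert(cert, name)
    return result

if __name__ == "__main__":
    hosts = ["localhost:9200", "dashboard.companyname:9200"]
    for entry, ok in check_hosts(SAMPLE_CERT, hosts).items():
        print(entry, "OK" if ok else "hostname mismatch")
```

With the constructed certificate, `localhost:9200` is reported as a mismatch while the name in the certificate is accepted, so pointing `hosts` at the certificate's name lets verification stay enabled.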