Logstash communication failed with Elasticsearch search guard


Florent LEPOUTRE

Feb 6, 2018, 11:54:00 AM
to Search Guard Community Forum
Hi,
I have installed the Search Guard plugin on my ELK platform: Search Guard is OK with Elasticsearch and Kibana.
But with logstash it doesn't work.

Here is my logstash log :
<code>
{:timestamp=>"2018-02-05T17:41:16.701000+0100", :message=>"Attempted to send a bulk request to Elasticsearch configured at '[\"http://localhost:9200\"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection reset", :class=>"Manticore::SocketException", :level=>:error}
</code>

Here is my Elasticsearch log :
<code>
[2018-02-06T17:38:10,518][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [somweb-px01-elk-es-log-01] Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel
</code>

Here is my logstash output conf :
<code>
if [type] == "apache" {
 
     elasticsearch {
        ssl => true
        ssl_certificate_verification => false
        truststore => "/etc/elasticsearch/es-log-01/truststore.jks"
        truststore_password => XXXXX
        user => logstash
        password => XXXXXXX
        hosts => "https://localhost:9200"

</code>

Do you have any idea ?

Thanks,

SG

Feb 6, 2018, 12:14:11 PM
to search...@googlegroups.com

> Am 06.02.2018 um 17:54 schrieb Florent LEPOUTRE <florent....@gmail.com>:
>
> Hi,
> I have installed the Search Guard plugin on my ELK platform: Search Guard is OK with Elasticsearch and Kibana.
> But with logstash it doesn't work.
>
> Here is my logstash log :
> <code>
> {:timestamp=>"2018-02-05T17:41:16.701000+0100", :message=>"Attempted to send a bulk request to Elasticsearch configured at '[\"http://localhost:9200\"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection reset",


In the above line, Logstash seems to be trying to connect to http://localhost:9200 instead of https://localhost:9200.
That is also why you get the "Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel" warning.


> :class=>"Manticore::SocketException", :level=>:error}
> </code>
>
> Here is my Elasticsearch log :
> <code>
> [2018-02-06T17:38:10,518][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [somweb-px01-elk-es-log-01] Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel
> </code>
>
> Here is my logstash output conf :
> <code>
> if [type] == "apache" {
>
> elasticsearch {
> ssl => true
> ssl_certificate_verification => false
> truststore => "/etc/elasticsearch/es-log-01/truststore.jks"
> truststore_password => XXXXX
> user => logstash
> password => XXXXXXX
> hosts => "https://localhost:9200"
>
> </code>
>
> Do you have any idea ?
>
> Thanks,
>

Florent LEPOUTRE

Feb 7, 2018, 4:52:19 AM
to Search Guard Community Forum
Hi,
Thanks for your response.
I noticed that too, but my Logstash output is well configured in SSL; it's very strange.

Regards,
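
The mismatch discussed in this thread, as an added example that is not part of any poster's message: a small Python check that compares the endpoint Logstash reports in its error log with the `hosts` value in the output block, and lists the clients Search Guard rejected for speaking plaintext. The two log lines are copied from the thread; the config text is abridged to the relevant settings, and the function names are hypothetical.

```python
import re

# Log lines copied from the thread; config abridged to the relevant settings.
LOGSTASH_LOG = r'''{:timestamp=>"2018-02-05T17:41:16.701000+0100", :message=>"Attempted to send a bulk request to Elasticsearch configured at '[\"http://localhost:9200\"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection reset", :class=>"Manticore::SocketException", :level=>:error}'''
ES_LOG = "[2018-02-06T17:38:10,518][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [somweb-px01-elk-es-log-01] Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel"
LOGSTASH_CONF = '''
elasticsearch {
   ssl => true
   hosts => "https://localhost:9200"
'''

URL_RE = re.compile(r'(https?)://([\w.\-]+):(\d+)')
PLAINTEXT_RE = re.compile(
    r'Someone \(/([\d.]+):(\d+)\) speaks http plaintext instead of ssl')

def endpoints(text):
    """Return the set of (scheme, host, port) tuples found in text."""
    return {(s, h, int(p)) for s, h, p in URL_RE.findall(text)}

def plaintext_clients(es_log):
    """Return (ip, port) of clients Search Guard rejected for plaintext HTTP."""
    return [(ip, int(port)) for ip, port in PLAINTEXT_RE.findall(es_log)]

def diagnose(logstash_log, es_log, conf):
    """Compare the endpoint Logstash reports using with the one in the config."""
    effective = endpoints(logstash_log)   # what the running output used
    configured = endpoints(conf)          # what the config block specifies
    findings = []
    for scheme, host, port in sorted(effective):
        if scheme == "http" and ("https", host, port) in configured:
            findings.append(f"running output uses http://{host}:{port} "
                            f"but the config block specifies https://{host}:{port}")
    for ip, port in plaintext_clients(es_log):
        findings.append(f"Search Guard closed a plaintext connection from {ip}:{port}")
    return findings

if __name__ == "__main__":
    for line in diagnose(LOGSTASH_LOG, ES_LOG, LOGSTASH_CONF):
        print(line)
```
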