How to identify who speaks plain text

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

The warnings you are seeing stem from the REST layer, not the Transport (Java) layer.

Most likely you have either additional plugins installed, or use applications like Kibana or logstash which also use the REST Api. HTTPS on the REST layer is optional btw, but of course recommended.

You can set loglevels to debug or trace like this:

ES 2.x:

com.floragunn: DEBUG|TRACE

in conf/logging.yml

ES 5.x

logger.fg.name = com.floragunn

logger.fg.level = debug|trace

in conf/log4j.properties

···

Am Montag, 23. Januar 2017 10:27:51 UTC+1 schrieb Nicolas Condette:

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

Hello, thanks for your reply.

I found this directive: logger.com.floragunn.searchguard.ssl: DEBUG

Is it what you told us to do ?

···

2017-01-23 13:49 GMT+01:00 Jochen Kressin jkressin@floragunn.com:

The warnings you are seeing stem from the REST layer, not the Transport (Java) layer.

Most likely you have either additional plugins installed, or use applications like Kibana or logstash which also use the REST Api. HTTPS on the REST layer is optional btw, but of course recommended.

You can set loglevels to debug or trace like this:

ES 2.x:

com.floragunn: DEBUG|TRACE

in conf/logging.yml

ES 5.x

logger.fg.name = com.floragunn

logger.fg.level = debug|trace

in conf/log4j.properties

Am Montag, 23. Januar 2017 10:27:51 UTC+1 schrieb Nicolas Condette:

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/99fc1f82-a464-488c-820b-ed3257313051%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncondette@norauto.com

Hi,

not quite :wink: First, please check if you have any other systems / plugins / applications installed that make requests on the REST layer, means HTTP. Usually it’s something like Kibana, logstash, watcher etc. and quite easy to detect. If you’re not able to figure out which app / plugin causes the HTTP calls, you can enable the SG debug mode.

If you’re using ES2.x, add the following line to the file conf/logging.yml:

com.floragunn: DEBUG

If you’re using ES5.x, add the following two lines to the file conf/log4j.properties:

logger.fg.name = com.floragunn

logger.fg.level = debug

After that, restart the node(s) for the changes to take effect. You will see a lot of debug information in the logfile, and you should be able to determine where the calls come from by analyzing the logs.

···

Am Montag, 23. Januar 2017 16:09:34 UTC+1 schrieb Nicolas Condette:

Hello, thanks for your reply.

I found this directive: logger.com.floragunn.searchguard.ssl: DEBUG

Is it what you told us to do ?

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncon...@norauto.com

2017-01-23 13:49 GMT+01:00 Jochen Kressin jkre...@floragunn.com:

The warnings you are seeing stem from the REST layer, not the Transport (Java) layer.

Most likely you have either additional plugins installed, or use applications like Kibana or logstash which also use the REST Api. HTTPS on the REST layer is optional btw, but of course recommended.

You can set loglevels to debug or trace like this:

ES 2.x:

com.floragunn: DEBUG|TRACE

in conf/logging.yml

ES 5.x

logger.fg.name = com.floragunn

logger.fg.level = debug|trace

in conf/log4j.properties

Am Montag, 23. Januar 2017 10:27:51 UTC+1 schrieb Nicolas Condette:

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/99fc1f82-a464-488c-820b-ed3257313051%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

In effect we have plugins nammed HQ, Head, Kopf.

But Warnings appear very frequently, more often than a human can do.

···

2017-01-23 17:33 GMT+01:00 Jochen Kressin jkressin@floragunn.com:

Hi,

not quite :wink: First, please check if you have any other systems / plugins / applications installed that make requests on the REST layer, means HTTP. Usually it’s something like Kibana, logstash, watcher etc. and quite easy to detect. If you’re not able to figure out which app / plugin causes the HTTP calls, you can enable the SG debug mode.

If you’re using ES2.x, add the following line to the file conf/logging.yml:

com.floragunn: DEBUG

If you’re using ES5.x, add the following two lines to the file conf/log4j.properties:

logger.fg.name = com.floragunn

logger.fg.level = debug

After that, restart the node(s) for the changes to take effect. You will see a lot of debug information in the logfile, and you should be able to determine where the calls come from by analyzing the logs.

Am Montag, 23. Januar 2017 16:09:34 UTC+1 schrieb Nicolas Condette:

Hello, thanks for your reply.

I found this directive: logger.com.floragunn.searchguard.ssl: DEBUG

Is it what you told us to do ?

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncon...@norauto.com

2017-01-23 13:49 GMT+01:00 Jochen Kressin jkre...@floragunn.com:

The warnings you are seeing stem from the REST layer, not the Transport (Java) layer.

Most likely you have either additional plugins installed, or use applications like Kibana or logstash which also use the REST Api. HTTPS on the REST layer is optional btw, but of course recommended.

You can set loglevels to debug or trace like this:

ES 2.x:

com.floragunn: DEBUG|TRACE

in conf/logging.yml

ES 5.x

logger.fg.name = com.floragunn

logger.fg.level = debug|trace

in conf/log4j.properties

Am Montag, 23. Januar 2017 10:27:51 UTC+1 schrieb Nicolas Condette:

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/99fc1f82-a464-488c-820b-ed3257313051%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0f7eebbf-0446-4c02-b57c-cb490ce77a27%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncondette@norauto.com

Hello,

our provider put this line ine the logging.yml (ES 2.3.4), but there is not further information in the log than we had before.

Below, is an excerpt:

[2017-01-24 11:23:34,502][WARN ][com.floragunn.searchguard.http.SearchGuardHttpServerTransport] [pp3sbodbrco01] Someone speaks plaintext instead of ssl, will close the channel

[2017-01-24 11:23:34,503][WARN ][com.floragunn.searchguard.http.SearchGuardHttpServerTransport] [pp3sbodbrco01] Someone speaks plaintext instead of ssl, will close the channel

[2017-01-24 11:23:34,509][WARN ][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [pp3sbodbrco01] Someone speaks plaintext instead of ssl, will close the channel

[2017-01-24 11:23:34,510][WARN ][com.floragunn.searchguard.ssl.transport.SearchGuardSSLNettyTransport] [pp3sbodbrco01] Someone speaks plaintext instead of ssl, will close the channel

···

2017-01-23 17:33 GMT+01:00 Jochen Kressin jkressin@floragunn.com:

Hi,

not quite :wink: First, please check if you have any other systems / plugins / applications installed that make requests on the REST layer, means HTTP. Usually it’s something like Kibana, logstash, watcher etc. and quite easy to detect. If you’re not able to figure out which app / plugin causes the HTTP calls, you can enable the SG debug mode.

If you’re using ES2.x, add the following line to the file conf/logging.yml:

com.floragunn: DEBUG

If you’re using ES5.x, add the following two lines to the file conf/log4j.properties:

logger.fg.name = com.floragunn

logger.fg.level = debug

After that, restart the node(s) for the changes to take effect. You will see a lot of debug information in the logfile, and you should be able to determine where the calls come from by analyzing the logs.

Am Montag, 23. Januar 2017 16:09:34 UTC+1 schrieb Nicolas Condette:

Hello, thanks for your reply.

I found this directive: logger.com.floragunn.searchguard.ssl: DEBUG

Is it what you told us to do ?

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncon...@norauto.com

2017-01-23 13:49 GMT+01:00 Jochen Kressin jkre...@floragunn.com:

The warnings you are seeing stem from the REST layer, not the Transport (Java) layer.

Most likely you have either additional plugins installed, or use applications like Kibana or logstash which also use the REST Api. HTTPS on the REST layer is optional btw, but of course recommended.

You can set loglevels to debug or trace like this:

ES 2.x:

com.floragunn: DEBUG|TRACE

in conf/logging.yml

ES 5.x

logger.fg.name = com.floragunn

logger.fg.level = debug|trace

in conf/log4j.properties

Am Montag, 23. Januar 2017 10:27:51 UTC+1 schrieb Nicolas Condette:

Hello,

we setup searchguard and we encountered these WARNINGS in the elasticsearch.log :

“Someone speaks plaintext instead of ssl, will close the channel”

We know ES nodes speak “cyphered” between them, and we have java programs connected as transport client too.

All seems OK, java programs work fine, ES work fine too. We success in connecting people, java programs.

We tired to find who speaks plain text unsuccessfully, that’s why I write here to find some help.

Is there a debug mode or something like that which could be turned on to trace IP, or Caller ?

Thanks in advance for your help.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard...@googlegroups.com.

To post to this group, send email to search...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/99fc1f82-a464-488c-820b-ed3257313051%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

You received this message because you are subscribed to a topic in the Google Groups “Search Guard” group.

To unsubscribe from this topic, visit https://groups.google.com/d/topic/search-guard/8HPbA8FF0BI/unsubscribe.

To unsubscribe from this group and all its topics, send an email to search-guard+unsubscribe@googlegroups.com.

To post to this group, send email to search-guard@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/search-guard/0f7eebbf-0446-4c02-b57c-cb490ce77a27%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

Cordialement,

Nicolas CONDETTE

Norauto International

CRT, rue du Fort BP 225 - 59812 LESQUIN CEDEX

Tel: +33 (0)320607422 - Fax: +33 (0)320607555

E-Mail : ncondette@norauto.com