Logstash communication failed with Elasticsearch search guard

Hi,
I have installed search guard plugin on my ELK platform : search guard is OK with Elasticsearch and Kibana.
But with logstash it doesn’t work.

Here is my logstash log :

{:timestamp=>"2018-02-05T17:41:16.701000+0100", :message=>"Attempted to send a bulk request to Elasticsearch configured at '[\"http://localhost:9200\"]', but Elasticsearch appears to be unreachable or down!", :error_message=>"Connection reset", :class=>"Manticore::SocketException", :level=>:error}

Here is my Elasticsearch log :

[2018-02-06T17:38:10,518][WARN ][c.f.s.h.SearchGuardHttpServerTransport] [somweb-px01-elk-es-log-01] Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel

Here is my logstash output conf :

if [type] == "apache" {
  elasticsearch {
    ssl => true
    ssl_certificate_verification => false
    truststore => "/etc/elasticsearch/es-log-01/truststore.jks"
    truststore_password => XXXXX
    user => logstash
    password => XXXXXXX
    hosts => "https://localhost:9200"
  }
}

Do you have any idea ?

Thanks,

In the above line Logstash seems to try to connect to http://localhost:9200 instead of https://localhost:9200.
That is also why you get the "Someone (/127.0.0.1:56442) speaks http plaintext instead of ssl, will close the channel" warning.


Hi,
Thanks for your response.
I noticed that too but my Logstash output is well configured in SSL, it’s very strange.

Regards,
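
A check for the situation in this thread, added here as an example (it is not code from the thread, from Search Guard or from Logstash): it lists every `elasticsearch { ... }` block in a Logstash pipeline config and flags any that could still send plaintext HTTP to a TLS-only port. The sample config is constructed, its second block is hypothetical, and the function names are this example's own.

```python
import re

# Constructed sample: the first block mirrors the output posted in the thread;
# the second is hypothetical, standing in for an output never switched to TLS.
SAMPLE_CONF = '''\
output {
  if [type] == "apache" {
    elasticsearch {
      ssl => true
      ssl_certificate_verification => false
      hosts => "https://localhost:9200"
    }
  } else {
    elasticsearch {
      hosts => ["localhost:9200"]
    }
  }
}
'''

def es_output_blocks(conf):
    """Yield (line, body) per `elasticsearch { ... }` block (naive brace matching, any section)."""
    for m in re.finditer(r'\belasticsearch\s*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        yield conf.count('\n', 0, m.start()) + 1, conf[m.end():i - 1]

def audit(conf):
    """Return (line, findings) per block; an empty findings list means TLS with verification on."""
    report = []
    for line, body in es_output_blocks(conf):
        hosts_m = re.search(r'\bhosts\s*=>\s*(\[[^\]]*\]|"[^"]*")', body)
        hosts = re.findall(r'"([^"]*)"', hosts_m.group(1)) if hosts_m else []
        ssl_on = re.search(r'\bssl\s*=>\s*true\b', body) is not None
        findings = []
        if any(h.startswith('http://') for h in hosts):
            findings.append('explicit http:// host')
        if not ssl_on and not any(h.startswith('https://') for h in hosts):
            findings.append('no ssl => true and no https:// host')
        if re.search(r'\bssl_certificate_verification\s*=>\s*false\b', body):
            findings.append('certificate verification disabled')
        report.append((line, findings))
    return report

if __name__ == '__main__':
    for line, findings in audit(SAMPLE_CONF):
        print(f'elasticsearch output at line {line}:', findings or 'ok')
```

Run it over the concatenation of all pipeline files Logstash loads, since every output block in every file is part of the running pipeline.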
