Logstash is not able to input data to elasticsearch

I generated secure certificates and copied them locally to each service. I am new to ELK and Searchguard. Please help me with a logstash configuration file.

Error: Logstash is not able to connect to ES; I am getting timeout error messages in the logs.

**************************** Elasticsearch.yml ********** searchguard configuration *****************

searchguard.ssl.transport.pemcert_filepath: /path/to/fullchain
searchguard.ssl.transport.pemkey_filepath: /path/to/privkey
searchguard.ssl.transport.pemtrustedcas_filepath: /path/to/chain
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: true
searchguard.ssl.http.pemcert_filepath: /path/to/fullchain
searchguard.ssl.http.pemkey_filepath: path/to/privkey
searchguard.ssl.http.pemtrustedcas_filepath: /path/to/chain
searchguard.authcz.admin_dn:
  - "CN=dashboard.companyname,O=Let's Encrypt, C=US"
searchguard.restapi.roles_enabled: ["sg_all_access"]
searchguard.enterprise_modules_enabled: false

**************************** Kibana.yml ********** searchguard configuration *****************

elasticsearch.url: "https://localhost:9200"
server.ssl.enabled: true
server.ssl.certificate: /path/to/fullchain
server.ssl.key: /path/to/privatekey

*** *************** logstash.conf ********** Elasticsearch Output config ***********

output {
  elasticsearch {
    "ssl" => true
    "ssl_certificate_verification" => true
    "hosts" => ["localhost:9200"]
    "sniffing" => false
    "cacert" => "path/to/chain.pem"
    "user" => "logstash_user"
    "password" => "password"
    "index" => "logstash-index1"
  }
  stdout { codec => json }
}

If you set ssl_certificate_verification to true in your logstash configuration, then the hostname in the certificate will be validated. If it does not match the real hostname, you will get an error. You use localhost everywhere in the configs, and there's some Let's Encrypt stuff in there as well, so I guess this is the first problem. Try to disable verification in logstash, as you already did in elasticsearch.yml.

On Wednesday, April 11, 2018 at 3:39:27 AM UTC+2, Asha_newbie wrote:

Logstash requires you to set the trusted root CAs via the truststore or cacert parameter in the configuration. This is the absolute path to either the truststore or the root CA in PEM format that contains the Certificate Authority's certificate.
If you want logstash to verify the hostname of the certificate it receives from Elasticsearch, set the ssl_certificate_verification property to true.

See: Search Guard Documentation 404 | Security for Elasticsearch | Search Guard

On 11 Apr 2018, at 21:41, Jochen Kressin <jkressin@floragunn.com> wrote:

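As an added example (editor's code, not from the thread or from Search Guard), a small Python pre-flight check for the Logstash output discussed in the thread: it pulls hosts and cacert out of the elasticsearch output block, reports whether cacert is an absolute path as the reply requires, and reports whether each host name would pass the hostname verification that ssl_certificate_verification => true switches on. The certificate name list is an assumption built from the CN in the posted admin_dn, and both config strings are constructed.

```python
import os
import re


def parse_output(conf: str) -> dict:
    """Extract host names (scheme and port stripped) and the cacert path
    from the text of a Logstash elasticsearch output block."""
    hosts_m = re.search(r'"?hosts"?\s*=>\s*\[([^\]]*)\]', conf)
    cacert_m = re.search(r'"?cacert"?\s*=>\s*"([^"]+)"', conf)
    hosts = []
    if hosts_m:
        for item in re.findall(r'"([^"]+)"', hosts_m.group(1)):
            item = re.sub(r'^https?://', '', item)   # "https://host:9200" -> "host:9200"
            hosts.append(item.split(':')[0])          # "host:9200" -> "host"
    return {'hosts': hosts, 'cacert': cacert_m.group(1) if cacert_m else None}


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125 style comparison: exact match, or a single wildcard that may
    only stand for the left-most label (*.example matches a.example, not a.b.example)."""
    c, h = cert_name.lower().rstrip('.'), host.lower().rstrip('.')
    if c == h:
        return True
    if c.startswith('*.'):
        cl, hl = c.split('.'), h.split('.')
        return len(cl) == len(hl) and cl[1:] == hl[1:]
    return False


def check_output(conf: str, cert_names: list) -> dict:
    """What verification would do with this output block: is cacert absolute,
    and does each configured host appear in the certificate's names?"""
    parsed = parse_output(conf)
    return {
        'cacert_absolute': bool(parsed['cacert']) and os.path.isabs(parsed['cacert']),
        'hostname_ok': {h: any(name_matches(n, h) for n in cert_names)
                        for h in parsed['hosts']},
    }


# Constructed inputs. A Let's Encrypt certificate carries a public name, never
# "localhost", so the name list is assumed from the CN in the posted admin_dn.
POSTED_OUTPUT = '"hosts" => ["localhost:9200"]\n"cacert" => "path/to/chain.pem"\n'
FIXED_OUTPUT = ('"hosts" => ["https://dashboard.companyname:9200"]\n'
                '"cacert" => "/etc/logstash/certs/chain.pem"\n')   # assumed path
ASSUMED_CERT_NAMES = ["dashboard.companyname"]

if __name__ == "__main__":
    print(check_output(POSTED_OUTPUT, ASSUMED_CERT_NAMES))  # localhost fails
    print(check_output(FIXED_OUTPUT, ASSUMED_CERT_NAMES))   # both checks pass
```

The fixed variant keeps verification on and instead points hosts at the name the certificate actually carries, which is the alternative to disabling ssl_certificate_verification.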