Hi,

On Tue, Jul 09, 2019 at 09:56:50PM +0000, Allen Olivas wrote:
> Ok, I've got it configured, but now I think it's not building the index and updating Elasticsearch because of HTTPS and authentication. I have Searchguard set up for Elasticsearch and Kibana. I'm assuming I need syslog-ng to use the SSL certs Searchguard has in place for Elasticsearch.
You can use almost any authentication method supported by Searchguard. We use client certificates for syslog-ng, and here's what the config looks like:

destination d_coloss {
    elasticsearch-http(
        url("https://node01:9200/_bulk" "https://node02:9200/_bulk")
        index("syslog-${YEAR}-${MONTH}-${DAY}")
        time-zone("UTC")
        type("")
        workers(4)
        batch_lines(128)
        batch_timeout(10000)
        timeout(100)
        tls(
            ca-file("/path/to/ca.pem")
            cert-file("/path/to/syslog_ng.crt.pem")
            key-file("/path/to/syslog_ng.key.pem")
            peer-verify(yes)
        )
    );
};

And here are the Searchguard permissions for the syslog-ng user's role:

sg_role_syslog_ng:
  indices:
    "syslog":
      "*":
        - WRITE
        - CREATE_INDEX
        - indices:admin/mapping/put
  cluster:
    - CLUSTER_COMPOSITE_OPS
    - cluster:monitor/nodes/info
    - cluster:monitor/nodes/liveness
    - cluster:monitor/state
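A preflight check for the setup above, added here as an example and not part of the thread: it loads the same CA, certificate and key the tls() block points at (so a cert/key mismatch fails before syslog-ng is restarted), asks Search Guard which user and roles it derives from that client certificate, and writes one test document to today's syslog index so a missing role privilege shows up as an explicit bulk error. The node URL and file paths are placeholders taken from the posted config; the `MESSAGE` test document is constructed.

```python
# Added example, not from the thread: a stdlib-only preflight for the tls()
# block and Search Guard role above. URL and file paths are placeholders.
import json, ssl, sys, urllib.request
from datetime import datetime, timezone

ES_URL = "https://node01:9200"                     # placeholder node, as in the config
CA_FILE, CERT_FILE, KEY_FILE = ("/path/to/ca.pem", "/path/to/syslog_ng.crt.pem",
                                "/path/to/syslog_ng.key.pem")  # same files as tls()

def build_ssl_context(ca_file, cert_file, key_file):
    """peer-verify(yes) + client cert: trust only our CA, present our cert.
    A cert/key mismatch or a bad PEM raises ssl.SSLError before any I/O."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)
    return ctx

def bulk_body(index, doc):
    """One-document _bulk request: NDJSON, trailing newline is mandatory."""
    return json.dumps({"index": {"_index": index}}) + "\n" + json.dumps(doc) + "\n"

def bulk_errors(response):
    """_bulk returns HTTP 200 even when items were rejected (e.g. the role lacks
    a privilege), so check 'errors' and return one line per failed item."""
    if not response.get("errors"):
        return []
    failures = []
    for item in response.get("items", []):
        action = item.get("index", {})
        if "error" in action:
            err = action["error"]
            failures.append(f"{action.get('_index')}: {err.get('type')}: {err.get('reason')}")
    return failures

def request(ctx, method, path, body=None):
    req = urllib.request.Request(ES_URL + path, method=method, data=body.encode() if body else None,
                                 headers={"Content-Type": "application/x-ndjson"})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.loads(resp.read())

def main():
    ctx = build_ssl_context(CA_FILE, CERT_FILE, KEY_FILE)
    # Search Guard reports the user and roles it derived from the client cert.
    print(json.dumps(request(ctx, "GET", "/_searchguard/authinfo"), indent=2))
    index = datetime.now(timezone.utc).strftime("syslog-%Y-%m-%d")
    failures = bulk_errors(request(ctx, "POST", "/_bulk", bulk_body(index, {"MESSAGE": "preflight"})))
    print("\n".join("bulk item rejected: " + f for f in failures) or "bulk OK")
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(main())
```

Run it as the same user that will own the key file; an ssl.SSLError on the first line points at the PEM files, a 403 or a rejected bulk item points at the Searchguard role.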