On Thu, Jul 11, 2019 at 09:48:47PM +0000, Allen Olivas wrote:
Ok so my attempt to build and add the certificates and CA still did not work. On a whim I pointed the TLS statement to the existing demo certs from searchguard.
After restarting syslog-ng I found the service was still running (I don't know why it worked this time and not the million other times I tried it) but data is still not traversing to elasticsearch due to (I believe) two new errors. These two errors are most likely related and not separate errors altogether.
Here are the two errors I'm seeing:

1: From /var/log/message - Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.
2: From /var/log/error - syslog-ng[18498]: Message(s) dropped while sending message to destination; driver='d_elastic#0', worker_index='1', time_reopen='60', batch_size='3'
That looks like progress to me! What does curl say? (use -k or --capath)

Also, don't make tests with syslog-ng as long as you haven't sorted out that:

1. The connectivity with curl is established, e.g. `curl --cert ... --key ... https://127.0.0.1:9200` gives you a 40x http status code
2. The permissions with searchguard are correct, e.g. `curl ... https://127.0.0.1:9200/_bulk -Hcontent-type:application/json -d '{...}'` gives you a 20x

Once that's established, you can start hooking up syslog-ng.
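The two-step gate described in the reply (first prove the TLS connection with curl, then prove the Search Guard permissions with a _bulk write, and only then touch syslog-ng) as a small preflight script. This is an added example, not code from the thread, syslog-ng or Search Guard. The URL, certificate paths, index name and the `--run` switch are assumptions; it uses `--cacert` rather than `-k` so that CA validation is actually exercised, and curl's "000" pseudo-status is treated as a failed TLS handshake or connection.

```shell
#!/bin/sh
# Added example (not from the thread): preflight checks to run before pointing
# a syslog-ng elasticsearch-http destination at a Search Guard protected node.
# Every path, host, port and index name below is an assumption; override via env.
ES_URL="${ES_URL:-https://127.0.0.1:9200}"
CLIENT_CERT="${CLIENT_CERT:-/etc/syslog-ng/certs/client.pem}"
CLIENT_KEY="${CLIENT_KEY:-/etc/syslog-ng/certs/client.key}"
CA_FILE="${CA_FILE:-/etc/syslog-ng/certs/ca.pem}"
INDEX="${INDEX:-syslog-preflight}"

# Map an HTTP status (or curl's "000", printed when no HTTP reply ever arrived)
# to a one-word verdict: ok, auth, notfound, tls, other.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo ok ;;
        401|403)     echo auth ;;
        404)         echo notfound ;;
        000)         echo tls ;;      # TLS handshake or TCP connection failed
        *)           echo other ;;
    esac
}

# Operator hint for each verdict, so the output says what to fix next.
hint_for() {
    case "$1" in
        ok)       echo "fine" ;;
        auth)     echo "connection works; fix Search Guard roles/role mappings for this cert's DN" ;;
        notfound) echo "connection works; check the URL/path" ;;
        tls)      echo "no HTTP answer: check CA, client cert/key and that the node listens on TLS" ;;
        *)        echo "unexpected status; inspect the node's response body and logs" ;;
    esac
}

# Minimal NDJSON _bulk body: one action line, one document line, trailing newline.
# Elasticsearch rejects a body without the final newline, a frequent cause of 400s.
bulk_body() {
    printf '{"index":{"_index":"%s"}}\n{"message":"preflight","host":"%s"}\n' "$1" "$2"
}

# Run curl with client cert + CA, emit only the HTTP status. Never abort on curl
# errors: the status (or "000") is what we want to classify.
es_status() {
    curl -s -o /dev/null -w '%{http_code}' \
        --cacert "$CA_FILE" --cert "$CLIENT_CERT" --key "$CLIENT_KEY" "$@" || :
}

# Step 1: does TLS with the client cert get us any HTTP answer at all?
# A 40x here is acceptable; it proves the transport works.
check_connectivity() {
    code=$(es_status "$ES_URL")
    verdict=$(classify_status "$code")
    echo "connectivity: http=$code verdict=$verdict ($(hint_for "$verdict"))"
    [ "$verdict" != tls ]
}

# Step 2: is the cert's Search Guard role allowed to write via _bulk?
check_bulk_permission() {
    code=$(bulk_body "$INDEX" "$(hostname 2>/dev/null || echo unknown)" | \
        es_status -H 'Content-Type: application/json' --data-binary @- "$ES_URL/_bulk")
    verdict=$(classify_status "$code")
    echo "bulk: http=$code verdict=$verdict ($(hint_for "$verdict"))"
    [ "$verdict" = ok ]
}

main() {
    check_connectivity || { echo "stop: sort out TLS/CA before testing syslog-ng"; return 1; }
    check_bulk_permission || { echo "stop: sort out permissions before testing syslog-ng"; return 1; }
    echo "preflight passed: safe to hook up syslog-ng"
}

# Only perform the network checks when invoked with --run (assumed switch), so the
# functions can also be sourced and used individually.
case "${1:-}" in --run) main ;; esac
```

Run it as `ES_URL=https://es.example.internal:9200 sh es_preflight.sh --run` after exporting the certificate paths; the exit status is non-zero at the first failed step, mirroring the order the reply insists on.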