I made the changes. Here are the results of the netstat and the curl to 127.0.0.1:9200:

aolivas@wazuhserver:~$ sudo netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1032/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2145/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      27958/sshd: kwheele
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      7040/sshd: aolivas@
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      1314/node
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2329/ossec-authd
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      7771/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      7771/java
tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd
tcp6       0      0 :::55000                :::*                    LISTEN      1734/nodejs
tcp6       0      0 :::25                   :::*                    LISTEN      2145/master
tcp6       0      0 ::1:6010                :::*                    LISTEN      27958/sshd: kwheele
tcp6       0      0 ::1:6011                :::*                    LISTEN      7040/sshd: aolivas@

curl 'https://127.0.0.1:9200/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

I've been fighting with integrating syslog-ng with elasticsearch and searchguard. The problem I'm having with that is the SSL certs and the options for the elasticsearch.yml file. For test purposes I'm about to create my own root CA, client certificates and keys, etc. and add them to the elasticsearch.yml file. I also have to update the filebeat.yml file so that filebeat and elasticsearch can authenticate and communicate. Once those are in place I think the tls() statement should work, right? Any advice? I'm not too experienced with SSL/TLS certs, so I go into this a little cautious.
Thanks,

-----Original Message-----
From: Fabien Wernli <wernli@in2p3.fr>
Sent: Thursday, July 11, 2019 2:00 AM
To: Allen Olivas <allen.olivas@infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: RE: RE: RE: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

Hi,

On Wed, Jul 10, 2019 at 08:22:38PM +0000, Allen Olivas wrote:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1032/systemd-resolv
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2145/master
> tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      13557/sshd: aolivas
> tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      15586/sshd: aolivas
> tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      1314/node
> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2329/ossec-authd
> tcp6       0      0 :::9200                 :::*                    LISTEN      1738/java
> tcp6       0      0 :::9300                 :::*                    LISTEN      1738/java
> tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd
> tcp6       0      0 :::55000                :::*                    LISTEN      1734/nodejs
> tcp6       0      0 :::25                   :::*                    LISTEN      2145/master
> tcp6       0      0 ::1:6010                :::*                    LISTEN      13557/sshd: aolivas
> tcp6       0      0 ::1:6011                :::*                    LISTEN      15586/sshd: aolivas
It seems to me your ES is listening on ipv6 only. Please retry after setting the following in your elasticsearch.yml:

network.host:
  - 127.0.0.1

And then curl to 127.0.0.1 explicitly (localhost may resolve to ::1)
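As an added example (not from either message or from the syslog-ng project), here is how the loopback binding Fabien suggests and the tls() statement Allen asks about fit together in a syslog-ng destination. It assumes the elasticsearch-http() destination (syslog-ng 3.21 or later), the private root CA and client certificate Allen plans to create, and placeholder file paths and credentials.

```conf
@version: 3.21
# Assumed: syslog-ng OSE 3.21+ for elasticsearch-http(); paths and credentials are placeholders.

source s_local {
    system();
    internal();
};

destination d_es_tls {
    elasticsearch-http(
        # Use the IPv4 loopback literal, not "localhost": with ES bound to
        # network.host: 127.0.0.1, "localhost" may resolve to ::1 and fail.
        url("https://127.0.0.1:9200/_bulk")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        # Placeholder searchguard credentials; replace before use.
        user("syslog-ng")
        password("CHANGEME")
        tls(
            # The lab root CA that signed the ES server certificate. Without it the
            # client cannot build the chain, which is what curl's error 60 reports.
            ca-file("/etc/syslog-ng/tls/root-ca.pem")
            # Client certificate and key, in case searchguard is set to require one.
            cert-file("/etc/syslog-ng/tls/syslog-ng.crt")
            key-file("/etc/syslog-ng/tls/syslog-ng.key")
            # Keep peer verification on; disabling it would hide a wrong or spoofed server.
            peer-verify(yes)
        )
    );
};

log { source(s_local); destination(d_es_tls); };
```

The same CA file clears the curl error before syslog-ng is reloaded: curl --cacert /etc/syslog-ng/tls/root-ca.pem https://127.0.0.1:9200/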