Ok, I curl'd cert and key to 127.0.0.1:9200 and got:

"curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above."

The cert and key are the demo searchguard ones, esnode.pem and esnode-key.pem. Once I can wrap my head around how this is all working together, etc, I'll swap those out for legitimate certs and keys.

So that's where I stand. I think once I can resolve this part I should be good to go.

-----Original Message-----
From: Fabien Wernli <wernli@in2p3.fr>
Sent: Friday, July 12, 2019 1:37 AM
To: Allen Olivas <allen.olivas@infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu>
Subject: Re: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

On Thu, Jul 11, 2019 at 09:48:47PM +0000, Allen Olivas wrote:
> Ok so my attempt to build and add the certificates and CA still did not work. On a whim I pointed the TLS statement to the existing demo certs from searchguard.
>
> After restarting syslog-ng I found the service was still running (I don't know why it worked this time and not the million other times I tried it) but data is still not traversing to elasticsearch due to (I believe) two new errors. These two errors are most likely related and not separate errors altogether.
>
> Here are the two errors I'm seeing:
>
> 1: From /var/log/message - Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.;
>
> 2: From /var/log/error - syslog-ng[18498]: Message(s) dropped while sending message to destination; driver='d_elastic#0', worker_index='1', time_reopen='60', batch_size='3'
That looks like progress to me!

What does curl say? (use -k or --capath)

Also, don't make tests with syslog-ng as long as you haven't sorted out that:

1. The connectivity with curl is established, e.g. `curl --cert ... --key ... https://127.0.0.1:9200` gives you a 40x http status code
2. The permissions with searchguard are correct, e.g. `curl ... https://127.0.0.1:9200/_bulk -Hcontent-type:application/json -d '{...}'` gives you a 20x

Once that's established, you can start hooking up syslog-ng.
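A check script for the two steps above, added here as an example and not code from Fabien or the syslog-ng project: it runs the same two curl tests, but passes the issuing CA with --cacert so the "unable to get local issuer certificate" (curl exit 60) seen at the top of the thread is cleared by trusting the right CA rather than by -k. The file names esnode.pem, esnode-key.pem and root-ca.pem, the index name and the sample document are assumptions.

```shell
#!/bin/sh
# Added example: the two curl checks from the thread, with the signing CA passed
# via --cacert so the chain is verified (curl exit 60 = no trusted issuer) instead of skipped with -k.
# Assumed file names (hypothetical): demo node cert/key and the CA that signed them.
ES_URL="${ES_URL:-https://127.0.0.1:9200}"
CERT="${CERT:-esnode.pem}"
KEY="${KEY:-esnode-key.pem}"
CACERT="${CACERT:-root-ca.pem}"   # assumption: CA that issued esnode.pem

# Translate a curl exit code into the fix it calls for.
explain_curl_exit() {
  case "$1" in
    0)  echo "tls handshake ok" ;;
    58) echo "client cert/key could not be loaded: check --cert/--key paths and PEM format" ;;
    60) echo "server cert not signed by a CA curl trusts: pass the issuing CA with --cacert, do not disable checks with -k" ;;
    *)  echo "curl exit code $1" ;;
  esac
}

# True when a 3-digit HTTP status is in the given class, e.g. status_in_class 401 4 means "40x".
status_in_class() {
  case "$1" in "$2"[0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# One request with cert, key and CA; prints the HTTP status, returns curl's exit code.
es_request() {   # es_request PATH [extra curl args...]
  path="$1"; shift
  curl -s -o /dev/null -w '%{http_code}' --cacert "$CACERT" --cert "$CERT" --key "$KEY" "$@" "$ES_URL$path"
}

run_checks() {
  # Step 1: plain GET. A 40x proves TLS and the client cert work; only authorisation is missing.
  code=$(es_request /); rc=$?
  [ "$rc" -eq 0 ] || { echo "step 1 failed: $(explain_curl_exit "$rc")"; return 1; }
  status_in_class "$code" 4 || status_in_class "$code" 2 || { echo "step 1: unexpected HTTP $code"; return 1; }
  echo "step 1 ok: HTTP $code"
  # Step 2: minimal _bulk write (constructed sample document, newline-terminated as _bulk requires).
  body='{"index":{"_index":"syslog-ng-test"}}
{"message":"connectivity check"}
'
  code=$(es_request /_bulk -H 'content-type: application/json' --data-binary "$body"); rc=$?
  [ "$rc" -eq 0 ] || { echo "step 2 failed: $(explain_curl_exit "$rc")"; return 1; }
  status_in_class "$code" 2 || { echo "step 2: HTTP $code, fix Search Guard permissions before hooking up syslog-ng"; return 1; }
  echo "step 2 ok: HTTP $code, syslog-ng can be pointed at $ES_URL"
}

case "${1:-}" in run) run_checks ;; esac
```

Run it as `sh es_check.sh run` on the Elasticsearch host; override ES_URL, CERT, KEY or CACERT in the environment to match your own files.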