Elasticsearch destination with x-pack
Hi,

Installed x-pack to secure my ES instance and Kibana, but noticed there don't seem to be any docs on how to handle ES authentication from syslog-ng.conf. I might be missing it. Looking at https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-ose-guide-admin/html/configuring-destinations-elasticsearch2.html

Thanks
Hi Scot,

On Wed, Oct 05, 2016 at 02:40:44AM -0400, Scot Needy wrote:
> Installed x-pack to secure my ES instance and Kibana, but noticed there don't seem to be any docs on how to handle ES authentication from syslog-ng.conf.

I think you're looking for `client-mode(shield)`, as stated later in the documentation [1]. FWIW I successfully tested it some time ago.

Cheers

--
[1] https://www.balabit.com/documents/syslog-ng-ose-latest-guides/en/syslog-ng-o...
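For reference, this is what a `client-mode(shield)` destination looks like in syslog-ng.conf. It is an added example written for this page, not configuration posted by either participant or shipped by the syslog-ng project. The cluster name, server address, port, index and type names, the library directory, the resource() path and the source name `s_local` are all placeholders; the option names themselves (`client-lib-dir`, `client-mode`, `cluster`, `server`, `port`, `index`, `type`, `resource`, `template`) are those of the syslog-ng 3.8 `elasticsearch2()` destination. The file named in `resource()` is an Elasticsearch client settings file; with Shield 2.x it is where the transport-client credentials (the `shield.user` setting) and any SSL keystore settings go, so they never have to appear in syslog-ng.conf itself.

```conf
# Added example (not from the thread): syslog-ng 3.8 elasticsearch2()
# destination using the Shield transport client. Host, port, cluster name,
# index/type names, paths and the source name are placeholders.
destination d_elastic_shield {
    elasticsearch2(
        # Directory holding the Elasticsearch client jars (and the Shield jars).
        client-lib-dir("/usr/share/elasticsearch/lib")
        # Transport client with the Shield plugin loaded.
        client-mode("shield")
        # Must match cluster.name on the Elasticsearch side.
        cluster("elasticsearch")
        server("127.0.0.1")
        port("9300")
        index("syslog-ng")
        type("test")
        # Shield client settings (shield.user: <user>:<password>, keystore
        # paths, ...) are read from this file, keeping the secret out of
        # syslog-ng.conf. Restrict its permissions to the syslog-ng user.
        resource("/etc/syslog-ng/elasticsearch.yml")
        template("$(format-json --scope rfc5424 --scope nv-pairs --exclude DATE --key ISODATE)\n")
    );
};

log {
    source(s_local);
    destination(d_elastic_shield);
};
```

Two practical notes: the Shield jars have to be present under `client-lib-dir()` or the transport client cannot load the plugin, and, as the rest of this thread explains, this form targets Shield 2.x; with x-pack 5.0 the plugin is renamed, which is exactly the hardcoded plugin name the later replies discuss.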
I know it's not officially supported. This is a test system at home running CentOS 7, syslog-ng 3.8 from the repo and the latest 5.0 ES stack.

Everything works fine without x-pack using the http client-mode, but x-pack does not appear to be Shield: https://www.elastic.co/guide/en/x-pack/5.0/security-migration.html#_removed_privileges

Just trying to prepare for when the ES5 stack is GA.
On Oct 5, 2016, at 3:34 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
Hi,

On Wed, Oct 05, 2016 at 11:39:28AM -0400, Scot Needy wrote:
> I know it's not officially supported. This is a test system at home running CentOS 7, syslog-ng 3.8 from the repo and the latest 5.0 ES stack.
> Everything works fine without x-pack using the http client-mode, but x-pack does not appear to be Shield: https://www.elastic.co/guide/en/x-pack/5.0/security-migration.html#_removed_privileges
> Just trying to prepare for when the ES5 stack is GA.

I see, I guess the only thing you need to change is the name of the loaded plugin. Unfortunately this is hardcoded in the Java code [3]. I made a quick attempt at implementing it (it's a hack) [4]; feel free to test it.

FWIW I am currently playing with searchguard [1] and successfully managed to make it work with syslog-ng-3.8.1 [2]. They already have an ES 5.x branch (haven't tested yet).

Cheers

@lbudai: I guess it would make sense to modify `client-mode(transport)` to allow for loading plugins, e.g. by adding a new option `load-plugins("Shield" "Foo" "Bar")`

--
[1] https://github.com/floragunncom/search-guard
[2] https://github.com/balabit/syslog-ng/pull/1223
[3] https://github.com/balabit/syslog-ng/blob/master/modules/java-modules/elasti...
[4] https://github.com/ccin2p3/syslog-ng/tree/f/x-pack
Should it work if I just add security filters to allow the syslog-ng system? Trying these and so far no luck: https://www.elastic.co/guide/en/x-pack/5.0/ip-filtering.html

xpack.security.http.filter.allow: localhost
On Oct 5, 2016, at 12:11 PM, Fabien Wernli <wernli@in2p3.fr> wrote:
On Thu, Oct 06, 2016 at 09:19:05AM -0400, Scot Needy wrote:
> Should it work if I just add security filters to allow the syslog-ng system?
> Trying these and so far no luck: https://www.elastic.co/guide/en/x-pack/5.0/ip-filtering.html
> xpack.security.http.filter.allow: localhost

I doubt it but you can try. Did you try my branch?
Not yet, I was trying to stay clear of compiling since 3.8 came out. I'll give it a go this weekend.
On Oct 6, 2016, at 9:23 AM, Fabien Wernli <wernli@in2p3.fr> wrote:
participants (2): Fabien Wernli, Scot Needy