[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Fabien Wernli wernli at in2p3.fr
Wed Jul 10 06:19:30 UTC 2019


Hi,

On Tue, Jul 09, 2019 at 09:56:50PM +0000, Allen Olivas wrote:
> Ok I've got it configured but now its I think its not building the index and updating elasticsearch because of HTTPS and authentication. I have searchguard set up for elasticsearch and kibana. I'm assuming I need Syslog-ng to use the SSL certs searchguard has in place for elasticsearch. 

You can use almost any authentication method supported by Searchguard.
We use client certificates for syslog-ng, and here's what the config looks
like:

  destination d_coloss {
    elasticsearch-http(
       # several nodes: syslog-ng spreads the load across them and fails over
       url("https://node01:9200/_bulk" "https://node02:9200/_bulk")
       # one index per day; the date macros are expanded in the time-zone() below
       index("syslog-${YEAR}-${MONTH}-${DAY}")
       time-zone("UTC")
       # empty type: no _type is sent in the bulk request
       type("")
       workers(4)
       batch_lines(128)
       batch_timeout(10000)
       timeout(100)
       # client-certificate authentication against Searchguard;
       # peer-verify(yes) validates the node certificates against ca-file
       tls(
         ca-file("/path/to/ca.pem")
         cert-file("/path/to/syslog_ng.crt.pem")
         key-file("/path/to/syslog_ng.key.pem")
         peer-verify(yes)
       )
    );
  };

And here are the searchguard permissions for the syslog-ng user's role:

  sg_role_syslog_ng:
    indices:
      "syslog":
        "*":
        - WRITE
        - CREATE_INDEX
        - indices:admin/mapping/put
    cluster:
    - CLUSTER_COMPOSITE_OPS
    - cluster:monitor/nodes/info
    - cluster:monitor/nodes/liveness
    - cluster:monitor/state
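The following is an added example, not part of Fabien's post and not syslog-ng project code. It reproduces offline what the elasticsearch-http() destination above produces on the wire: the daily index name from the index() template evaluated in the destination's time-zone(), the NDJSON body sent to /_bulk (with no _type, as type("") requests), and the way batch_lines() groups records into requests. The log records, hostnames and the CEST zone are constructed for illustration; the point it makes is that a record just before midnight UTC lands in a different daily index depending on the time zone, which is why time-zone("UTC") is set explicitly.

```python
"""Added example (not from the original mailing-list post or from syslog-ng):
model the bulk requests an elasticsearch-http() destination emits so the
index(), time-zone() and batch_lines() settings can be reasoned about offline.
All records, hosts and zones below are constructed for illustration."""
import json
from datetime import datetime, timezone, timedelta

UTC = timezone.utc
CEST = timezone(timedelta(hours=2))  # constructed local zone for comparison

# Constructed log records: (epoch seconds, host, program, message)
# 1562716800 is 2019-07-10T00:00:00Z, so the first record is 30 min before
# midnight UTC and the last one is 20 min after it.
SAMPLE_RECORDS = [
    (1562715000, "web01", "sshd", "Accepted publickey for deploy from 10.0.0.5"),
    (1562716800, "web01", "sudo", "deploy : TTY=pts/0 ; COMMAND=/bin/systemctl restart nginx"),
    (1562718000, "db01", "kernel", "audit: type=1400 apparmor=DENIED operation=open"),
]


def index_name(epoch, tz=UTC, template="syslog-{year}-{month}-{day}"):
    """Expand the index() template the way ${YEAR}/${MONTH}/${DAY} do,
    with the timestamp converted to the destination's time-zone()."""
    dt = datetime.fromtimestamp(epoch, tz)
    return template.format(year=f"{dt.year:04d}",
                           month=f"{dt.month:02d}",
                           day=f"{dt.day:02d}")


def bulk_body(records, tz=UTC):
    """NDJSON body for POST /_bulk: one action line, then one document line,
    per record.  type("") in the destination means no _type key is emitted."""
    lines = []
    for epoch, host, program, message in records:
        dt = datetime.fromtimestamp(epoch, tz)
        lines.append(json.dumps({"index": {"_index": index_name(epoch, tz)}}))
        lines.append(json.dumps({"@timestamp": dt.isoformat(),
                                 "HOST": host,
                                 "PROGRAM": program,
                                 "MESSAGE": message}))
    return "\n".join(lines) + "\n"  # /_bulk requires a trailing newline


def batches(records, batch_lines):
    """Group records as batch_lines() does: a request is flushed once it
    holds batch_lines records (batch_timeout() flushes a partial batch)."""
    return [records[i:i + batch_lines] for i in range(0, len(records), batch_lines)]


def indices_touched(records, tz=UTC):
    """Distinct daily indices the records would be written to (and hence the
    indices the syslog-ng role must be allowed to create and write)."""
    return sorted({index_name(epoch, tz) for epoch, *_ in records})


if __name__ == "__main__":
    for tz_name, tz in (("UTC", UTC), ("UTC+2 (constructed)", CEST)):
        print(f"{tz_name}: {indices_touched(SAMPLE_RECORDS, tz)}")
    for n, batch in enumerate(batches(SAMPLE_RECORDS, 2), 1):
        print(f"--- bulk request {n} ---")
        print(bulk_body(batch), end="")
```

Run it as a script to see that the same three records span two daily indices in UTC but only one in the constructed UTC+2 zone, and that with batch_lines(2) they go out as two /_bulk requests.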
