[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Allen Olivas allen.olivas at infodefense.com
Wed Jul 10 17:16:01 UTC 2019


I've just used and set up the cert generator for PoC with SearchGuard. 
When I do that curl I get connection refused: 

sudo curl --key /etc/elasticsearch/CN=demouser.key.pem --cert /etc/elasticsearch/CN=demouser.crt.pem https://localhost:9200/
curl: (7) Failed to connect to localhost port 9200: Connection refused

I can share configs and anything else you might need. Any thoughts? Currently my integration is broken. ☹ 

-----Original Message-----
From: Fabien Wernli <wernli at in2p3.fr> 
Sent: Wednesday, July 10, 2019 1:55 AM
To: Allen Olivas <allen.olivas at infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: RE: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

On Wed, Jul 10, 2019 at 06:47:48AM +0000, Allen Olivas wrote:
> My problem now is it still doesn't seem to authenticate or work with elasticsearch. 

How did you create the user certificate?
You can test it using curl:

  curl --key /path/to/key --cert /path/to/cert https://localhost:9200/

> Should I have an entry in the elasticsearch.yml? Searchguard has already been configured for elasticsearch and kibana. Also is your elastic-http-plugin.conf referencing the yml file or the client-mode ("searchguard")? I'm not entirely sure what all needs to be configured. 

Client-mode is not a valid option for the elasticsearch-http() driver, so
don't use it (it was an option to the java elastic dest).

> [2019-07-10T01:44:39.100211] curl: error sending HTTP request; url='', error='Problem with the local SSL certificate', worker_index='3', driver='d_elastic#0', location='#buffer:4:3'

Again, test the client certificate with curl. My guess is that you generated
a node certificate instead of a client certificate.
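Fabien's advice above boils down to two checks: find out whether the certificate is a client or a node certificate, and present it to Elasticsearch with curl. The shell script below is an added example, not something posted in this thread or shipped by syslog-ng or Search Guard. It assumes openssl (1.1.1 or newer, for `-addext`) and curl are installed, and it assumes the usual convention that a client certificate carries the clientAuth extended key usage while a node (server) certificate carries serverAuth. The `CN=demouser` naming follows the thread; `make_test_cert` produces throwaway self-signed certificates as constructed test data only. The exit-code table is the second check: Allen's `(7) Connection refused` means TLS was never attempted, which is a different problem from the "Problem with the local SSL certificate" error that syslog-ng logged.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): tell a client certificate
# from a node certificate by its extendedKeyUsage, then interpret the exit
# code curl returns when presenting it to Elasticsearch.
# Assumes openssl (1.1.1 or newer) and curl are installed.
set -e

# Print "client", "server", "both" or "none" for the PEM certificate in $1,
# based on the X509v3 Extended Key Usage extension as printed by openssl.
cert_role() {
    ext=$(openssl x509 -in "$1" -noout -text 2>/dev/null \
          | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    case "$ext" in
        *"TLS Web Client Authentication"*"TLS Web Server Authentication"*|*"TLS Web Server Authentication"*"TLS Web Client Authentication"*) echo both ;;
        *"TLS Web Client Authentication"*) echo client ;;
        *"TLS Web Server Authentication"*) echo server ;;
        *) echo none ;;
    esac
}

# Translate curl's exit status into the diagnosis a practitioner would draw
# from it (see the EXIT CODES section of curl(1)).
curl_exit_meaning() {
    case "$1" in
        0)  echo "connected and the server accepted the client certificate" ;;
        7)  echo "connection refused: nothing is listening on that host and port (service down, wrong port, or bound to another interface); TLS was never attempted" ;;
        35) echo "TLS handshake failed: check that the port really speaks HTTPS and that the server trusts this certificate's CA" ;;
        58) echo "problem with the local certificate: key and cert do not match, wrong file, or not a client certificate" ;;
        60) echo "server certificate is not trusted: pass the cluster CA with --cacert" ;;
        *)  echo "curl exited with $1; see curl(1) for the meaning" ;;
    esac
}

# Present a client certificate to an HTTPS endpoint and explain the result.
# Usage: check_es KEY CERT URL [CA_BUNDLE]
check_es() {
    rc=0
    if [ $# -ge 4 ]; then
        curl -s -o /dev/null --key "$1" --cert "$2" --cacert "$4" "$3" || rc=$?
    else
        curl -s -o /dev/null --key "$1" --cert "$2" "$3" || rc=$?
    fi
    echo "$3: $(curl_exit_meaning "$rc")"
    return "$rc"
}

# Generate a throwaway self-signed certificate (constructed test data) whose
# extended key usage is $2, e.g. "clientAuth", "serverAuth" or both.
# Writes $1.key.pem and $1.crt.pem.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demouser" \
        -addext "extendedKeyUsage=$2" -keyout "$1.key.pem" -out "$1.crt.pem" >/dev/null 2>&1
}

# When run as a script: ./check_certs.sh KEY CERT URL [CA_BUNDLE]
if [ $# -ge 3 ]; then
    echo "$2: $(cert_role "$2") certificate"
    check_es "$@"
fi
```

Run it as `./check_certs.sh /etc/elasticsearch/CN=demouser.key.pem /etc/elasticsearch/CN=demouser.crt.pem https://localhost:9200/ /path/to/root-ca.pem`: if `cert_role` reports `server`, the certificate was generated as a node certificate and the HTTP driver will keep failing no matter how the connection is configured; if curl reports exit 7, fix the listener first, since the certificate has not even been looked at yet.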
