[syslog-ng] Cannot send Syslog-ng to Elasticsearch
allen.olivas at infodefense.com
Wed Jul 10 17:16:01 UTC 2019
I've just used and set up the cert generator for PoC with SearchGuard.
When I do that curl I get connection refused:
sudo curl --key /etc/elasticsearch/CN=demouser.key.pem --cert /etc/elasticsearch/CN=demouser.crt.pem https://localhost:9200/
curl: (7) Failed to connect to localhost port 9200: Connection refused
I can share configs and anything else you might need. Any thoughts? Currently my integration is broken. ☹
From: Fabien Wernli <wernli at in2p3.fr>
Sent: Wednesday, July 10, 2019 1:55 AM
To: Allen Olivas <allen.olivas at infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: RE: [syslog-ng] Cannot send Syslog-ng to Elasticsearch
On Wed, Jul 10, 2019 at 06:47:48AM +0000, Allen Olivas wrote:
> My problem now is it still doesn't seem to authenticate or work with elasticsearch.
How did you create the user certificate?
You can test it using curl:
curl --key /path/to/key --cert /path/to/cert https://localhost:9200/
> Should I have an entry in the elasticsearch.yml? Searchguard has already been configured for elasticsearch and kibana. Also is your elastic-http-plugin.conf referencing the yml file or the client-mode ("searchguard")? I'm not entirely sure what all needs to be configured.
Client-mode is not a valid option for the elasticsearch-http() driver, so
don't use it (it was an option to the java elastic dest).
> [2019-07-10T01:44:39.100211] curl: error sending HTTP request; url='https://127.0.0.1:9200/_bulk', error='Problem with the local SSL certificate', worker_index='3', driver='d_elastic#0', location='#buffer:4:3'
Again, test the client certificate with curl. My guess is that you generated
a node certificate instead of a client certificate.
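Added example, not from this thread or from syslog-ng: two pre-flight checks a practitioner can run on the client key pair before the curl test Fabien suggests, using only the openssl CLI (assumed 1.1.1 or newer for the `-addext` flag in the demo helper). The function names and the self-signed demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Pre-flight checks for the
# client key pair that syslog-ng's elasticsearch-http() destination hands
# to libcurl, run before the "curl --key ... --cert ..." test.
# Assumes the openssl CLI, 1.1.1 or newer (for -addext in the demo helper).

# Returns 0 if the certificate's Extended Key Usage includes clientAuth,
# i.e. it can authenticate a client. A node certificate typically carries
# serverAuth only, which this check rejects.
cert_has_client_auth() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Client Authentication'
}

# Returns 0 if the private key ($1) belongs to the certificate ($2), by
# comparing the public key each file carries. A mismatched pair is another
# way to get curl's "Problem with the local SSL certificate".
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Runs both checks, then the same curl test as in the thread.
# $1 = key file, $2 = cert file, $3 = URL (defaults to the ES root).
test_es_client_cert() {
    cert_has_client_auth "$2" || {
        echo "$2: no clientAuth EKU (node certificate instead of client?)" >&2
        return 2
    }
    key_matches_cert "$1" "$2" || {
        echo "$1 does not match $2" >&2
        return 3
    }
    curl --silent --show-error --key "$1" --cert "$2" "${3:-https://localhost:9200/}"
}

# Constructed demo data: self-signed certs with a chosen EKU, so the checks
# can be exercised offline. $1 = output prefix, $2 = clientAuth | serverAuth
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demouser" \
        -addext "extendedKeyUsage=$2" \
        -keyout "$1.key.pem" -out "$1.crt.pem" >/dev/null 2>&1
}
```

A "Connection refused" from curl, as in the message above, is a separate problem: nothing is listening on that port, so these certificate checks will not explain it.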