[syslog-ng] Cannot send Syslog-ng to Elasticsearch
Allen Olivas
allen.olivas at infodefense.com
Thu Jul 11 16:08:46 UTC 2019
I made the changes. Here are the results of the netstat and the curl to 127.0.0.1:9200:
aolivas at wazuhserver:~$ sudo netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1032/systemd-resolv
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1874/sshd
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2145/master
tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 27958/sshd: kwheele
tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 7040/sshd: aolivas@
tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 1314/node
tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 2329/ossec-authd
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 7771/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 7771/java
tcp6 0 0 :::22 :::* LISTEN 1874/sshd
tcp6 0 0 :::55000 :::* LISTEN 1734/nodejs
tcp6 0 0 :::25 :::* LISTEN 2145/master
tcp6 0 0 ::1:6010 :::* LISTEN 27958/sshd: kwheele
tcp6 0 0 ::1:6011 :::* LISTEN 7040/sshd: aolivas@
curl 'https://127.0.0.1:9200/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
I've been fighting with integrating syslog-ng with elasticsearch and searchguard. The problem I'm having with that is the SSL certs and the options for the elasticsearch.yml file.
For test purposes I'm about to create my own root CA, client certificates and keys, etc. and add them to the elasticsearch.yml file. I also have to update the filebeat.yml file so that filebeat and elasticsearch can authenticate and communicate.
Once those are in place I think the tls () statement should work, right?
Any advice? I'm not too experienced with SSL/TLS certs, so I go into this a little cautiously.
Thanks,
-----Original Message-----
From: Fabien Wernli <wernli at in2p3.fr>
Sent: Thursday, July 11, 2019 2:00 AM
To: Allen Olivas <allen.olivas at infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: RE: RE: RE: [syslog-ng] Cannot send Syslog-ng to Elasticsearch
Hi,
On Wed, Jul 10, 2019 at 08:22:38PM +0000, Allen Olivas wrote:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
> tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN 1032/systemd-resolv
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1874/sshd
> tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2145/master
> tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN 13557/sshd: aolivas
> tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN 15586/sshd: aolivas
> tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 1314/node
> tcp 0 0 0.0.0.0:1515 0.0.0.0:* LISTEN 2329/ossec-authd
> tcp6 0 0 :::9200 :::* LISTEN 1738/java
> tcp6 0 0 :::9300 :::* LISTEN 1738/java
> tcp6 0 0 :::22 :::* LISTEN 1874/sshd
> tcp6 0 0 :::55000 :::* LISTEN 1734/nodejs
> tcp6 0 0 :::25 :::* LISTEN 2145/master
> tcp6 0 0 ::1:6010 :::* LISTEN 13557/sshd: aolivas
> tcp6 0 0 ::1:6011 :::* LISTEN 15586/sshd: aolivas
It seems to me your ES is listening on ipv6 only.
Please retry after setting the following in your elasticsearch.yml:
network.host:
- 127.0.0.1
And then curl to 127.0.0.1 explicitly (localhost may resolve to ::1).
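As an added example (not code from either poster), a small POSIX-shell check that classifies how a TCP port is bound from netstat -tpln output; it reproduces the diagnosis above (:::9200 on the IPv6 wildcard before the network.host change, 127.0.0.1:9200 after). The function name es_bind_state and the two sample listings are my own, constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added example, not part of the thread: classify how a TCP port is bound
# from `netstat -tpln` output, the check behind the "listening on ipv6 only"
# diagnosis. Sample lines below are constructed from the two listings above.

# Before the elasticsearch.yml change: ES bound to the IPv6 wildcard only.
NETSTAT_BEFORE='tcp6 0 0 :::9200 :::* LISTEN 1738/java
tcp6 0 0 :::9300 :::* LISTEN 1738/java'

# After setting network.host: 127.0.0.1, as in the later listing.
NETSTAT_AFTER='tcp 0 0 0.0.0.0:5601 0.0.0.0:* LISTEN 1314/node
tcp6 0 0 127.0.0.1:9200 :::* LISTEN 7771/java
tcp6 0 0 127.0.0.1:9300 :::* LISTEN 7771/java
tcp6 0 0 ::1:6010 :::* LISTEN 27958/sshd: kwheele'

# es_bind_state NETSTAT_TEXT PORT
# Prints one of: not-listening, ipv4-loopback, ipv4-any, ipv6-loopback,
# ipv6-any, other. Column 4 of `netstat -tpln` is the local address, column 6
# the socket state; the port is whatever follows the last colon.
es_bind_state() {
  text=$1
  port=$2
  addr=$(printf '%s\n' "$text" | awk -v p="$port" '
    $6 == "LISTEN" {
      n = split($4, a, ":")
      if (a[n] == p) { print $4; exit }
    }')
  case "$addr" in
    "")            echo not-listening ;;
    127.0.0.1:*)   echo ipv4-loopback ;;
    0.0.0.0:*)     echo ipv4-any ;;
    ::1:*)         echo ipv6-loopback ;;
    :::*)          echo ipv6-any ;;
    *)             echo other ;;
  esac
}

# Stand-alone usage: the two listings give different answers for port 9200.
es_bind_state "$NETSTAT_BEFORE" 9200   # prints: ipv6-any
es_bind_state "$NETSTAT_AFTER" 9200    # prints: ipv4-loopback
```

Once 9200 reports ipv4-loopback, verify the TLS chain with curl --cacert pointing at your own root CA file rather than disabling verification, so the certificate problem behind curl error 60 is fixed instead of hidden.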