[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Allen Olivas allen.olivas at infodefense.com
Thu Jul 11 16:08:46 UTC 2019


I made the changes. Here are the results of the netstat and the curl to 127.0.0.1:9200:

aolivas at wazuhserver:~$ sudo netstat -tpln
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1032/systemd-resolv
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2145/master
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      27958/sshd: kwheele
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      7040/sshd: aolivas@
tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      1314/node
tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2329/ossec-authd
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      7771/java
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      7771/java
tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd
tcp6       0      0 :::55000                :::*                    LISTEN      1734/nodejs
tcp6       0      0 :::25                   :::*                    LISTEN      2145/master
tcp6       0      0 ::1:6010                :::*                    LISTEN      27958/sshd: kwheele
tcp6       0      0 ::1:6011                :::*                    LISTEN      7040/sshd: aolivas@


curl 'https://127.0.0.1:9200/'
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

I've been fighting with integrating syslog-ng with elasticsearch and searchguard. The problem I'm having with that is the SSL certs and the options for the elasticsearch.yml file. 
For test purposes I'm about to create my own root CA, client certificates and keys, etc. and add them to the elasticsearch.yml file. I also have to update the filebeat.yml file so that filebeat and elasticsearch can authenticate and communicate.

Once those are in place I think the tls() statement should work, right?

Any advice? I'm not too experienced with SSL/TLS certs, so I go into this a little cautiously.

Thanks, 

-----Original Message-----
From: Fabien Wernli <wernli at in2p3.fr> 
Sent: Thursday, July 11, 2019 2:00 AM
To: Allen Olivas <allen.olivas at infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: RE: RE: RE: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

Hi,

On Wed, Jul 10, 2019 at 08:22:38PM +0000, Allen Olivas wrote:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
> tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      1032/systemd-resolv
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      2145/master
> tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      13557/sshd: aolivas
> tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      15586/sshd: aolivas
> tcp        0      0 0.0.0.0:5601            0.0.0.0:*               LISTEN      1314/node
> tcp        0      0 0.0.0.0:1515            0.0.0.0:*               LISTEN      2329/ossec-authd
> tcp6       0      0 :::9200                 :::*                    LISTEN      1738/java
> tcp6       0      0 :::9300                 :::*                    LISTEN      1738/java
> tcp6       0      0 :::22                   :::*                    LISTEN      1874/sshd
> tcp6       0      0 :::55000                :::*                    LISTEN      1734/nodejs
> tcp6       0      0 :::25                   :::*                    LISTEN      2145/master
> tcp6       0      0 ::1:6010                :::*                    LISTEN      13557/sshd: aolivas
> tcp6       0      0 ::1:6011                :::*                    LISTEN      15586/sshd: aolivas

It seems to me your ES is listening on ipv6 only.
Please retry after setting the following in your elasticsearch.yml:

  network.host:
  - 127.0.0.1

And then curl to 127.0.0.1 explicitly (localhost may resolve to ::1)
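As an added illustration (not from either poster), this is what the tls() block on a syslog-ng elasticsearch-http() destination looks like once the test root CA and client certificate described above exist: the ca-file is the same CA whose absence makes curl fail with error 60. The file paths, the syslog-ng version (3.21 or later for elasticsearch-http()), and the assumption that Search Guard accepts client-certificate authentication are mine, not from the thread.

```conf
# Added example, not from the thread. Assumes syslog-ng >= 3.21
# (elasticsearch-http() destination) and that Search Guard on
# 127.0.0.1:9200 accepts a client certificate issued by the same
# test root CA. All file paths are placeholders.
destination d_elasticsearch {
    elasticsearch-http(
        # plain IPv4 loopback, matching the network.host fix above
        url("https://127.0.0.1:9200/_bulk")
        index("syslog-ng")
        tls(
            # root CA that signed the Elasticsearch node certificate;
            # without it the client cannot build the chain, which is
            # exactly curl's "unable to get local issuer certificate"
            ca-file("/etc/syslog-ng/tls/root-ca.pem")
            # client certificate and private key issued by that CA
            cert-file("/etc/syslog-ng/tls/syslog-ng-client.pem")
            key-file("/etc/syslog-ng/tls/syslog-ng-client.key")
            # refuse nodes whose certificate does not chain to ca-file;
            # do not loosen this to optional-untrusted to "make it work"
            peer-verify(yes)
        )
        # if Search Guard uses internal users instead of client certs:
        # user("syslog-ng") password("placeholder")
    );
};

log {
    source(s_sys);               # s_sys: your existing system() source
    destination(d_elasticsearch);
};
```

Before restarting syslog-ng, check the chain the same way it will: `curl --cacert /etc/syslog-ng/tls/root-ca.pem --cert /etc/syslog-ng/tls/syslog-ng-client.pem --key /etc/syslog-ng/tls/syslog-ng-client.key https://127.0.0.1:9200/` should return the cluster banner instead of error 60.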
