[syslog-ng] Cannot send Syslog-ng to Elasticsearch
Fabien Wernli
wernli at in2p3.fr
Fri Jul 12 06:36:58 UTC 2019
On Thu, Jul 11, 2019 at 09:48:47PM +0000, Allen Olivas wrote:
> Ok so my attempt to build and add the certificates and CA still did not work. On a whim I pointed the TLS statement to the existing demo certs from searchguard.
>
> After restarting syslog-ng I found the service was still running (I don't know why it worked this time and not the million other times I tried it) but data is still not traversing to elasticsearch due to (I believe) two new errors. These two errors are most likely related and not separate errors altogether.
>
> Here are the two errors I'm seeing:
> 1: From /var/log/message - Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.;
> 2: From /var/log/error - syslog-ng[18498]: Message(s) dropped while sending message to destination; driver='d_elastic#0', worker_index='1', time_reopen='60', batch_size='3'
That looks like progress to me!
What does curl say? (use -k or --capath)
Also, don't make tests with syslog-ng as long as you haven't sorted out
the following:
1. The connectivity with curl is established
e.g. `curl --cert ... --key ... https://127.0.0.1:9200` gives you a 40x
HTTP status code
2. The permissions with searchguard are correct
e.g. `curl ... https://127.0.0.1:9200/_bulk -Hcontent-type:application/json -d '{...}'`
gives you a 20x
Once that's established, you can start hooking up syslog-ng.
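The two-step curl check described in the reply above, written out as a small POSIX shell script. This is an added example, not code from the thread or from the syslog-ng project; the certificate, key and CA paths, the index name `syslog-test` and the `ES_URL` default are placeholders you would replace with your own values. Step 1 only needs a connection: a 2xx or 4xx proves the TLS handshake and HTTP layer work, while `000` from curl means no connection at all (CA or TLS problem). Step 2 sends a minimal, newline-terminated `_bulk` body and expects a 2xx once the Search Guard role for the client certificate allows writes to the index.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): stage the curl checks
# before pointing syslog-ng at Elasticsearch. All paths below are placeholders.
ES_URL="${ES_URL:-https://127.0.0.1:9200}"
CLIENT_CERT="${CLIENT_CERT:-/etc/syslog-ng/certs/client.pem}"   # placeholder
CLIENT_KEY="${CLIENT_KEY:-/etc/syslog-ng/certs/client.key}"     # placeholder
CA_PATH="${CA_PATH:-/etc/syslog-ng/ca.d}"                       # placeholder (c_rehash'd dir)

# Print only the HTTP status code curl observed; curl prints 000 when no
# TLS/TCP connection could be made. $1 = URL, remaining args go to curl.
http_status() {
  url="$1"; shift
  curl -s -o /dev/null -w '%{http_code}' \
       --cert "$CLIENT_CERT" --key "$CLIENT_KEY" --capath "$CA_PATH" \
       "$@" "$url"
}

# Step 1 verdict: the reply says a 40x from a plain GET is fine here, because
# it already proves the TLS handshake and HTTP layer work.
step1_verdict() {
  case "$1" in
    2??) echo "connected and authorized" ;;
    4??) echo "connected; fix credentials/permissions (or URL)" ;;
    000) echo "no connection: check TLS, CA, host/port" ;;
    5??) echo "connected; server error" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# Step 2 verdict for the _bulk write test (this is what syslog-ng will do)
step2_verdict() {
  case "$1" in
    2??)     echo "bulk write permitted" ;;
    401|403) echo "bulk write denied: check Search Guard role for the index" ;;
    404)     echo "URL not found: check path (/_bulk) or index name" ;;
    *)       echo "status $1: see step 1" ;;
  esac
}

# Minimal valid bulk body: one action line, one document line, each
# newline-terminated (Elasticsearch rejects a body without the final newline).
bulk_body() {
  printf '{"index":{"_index":"%s"}}\n{"message":"syslog-ng connectivity test"}\n' "$1"
}

main() {
  s1=$(http_status "$ES_URL/")
  echo "step 1: GET $ES_URL/ -> $s1: $(step1_verdict "$s1")"
  case "$s1" in 2??|4??) ;; *) return 1 ;; esac
  s2=$(http_status "$ES_URL/_bulk" -H 'content-type: application/json' \
         --data-binary "$(bulk_body syslog-test)")
  echo "step 2: POST $ES_URL/_bulk -> $s2: $(step2_verdict "$s2")"
  case "$s2" in 2??) return 0 ;; *) return 1 ;; esac
}

# Only touch the network when explicitly asked: ./es-check.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `--run` on the syslog-ng host itself, using the same certificate, key and CA directory you intend to put in the syslog-ng destination; if step 1 returns `000`, the problem is in the TLS/CA setup, and if step 2 returns 401 or 403, it is the Search Guard mapping for that client certificate, which matches the "4XX ... not authorized or the URL is not found" message syslog-ng logged.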