[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Fabien Wernli wernli at in2p3.fr
Fri Jul 12 06:36:58 UTC 2019

On Thu, Jul 11, 2019 at 09:48:47PM +0000, Allen Olivas wrote:
> Ok so my attempt to build and add the certificates and CA still did not work. On a whim I pointed the TLS statement to the existing demo certs from searchguard.
> After restarting syslog-ng I found the service was still running (I don't know why it worked this time and not the million other times I tried it) but data is still not traversing to elasticsearch due to (I believe) two new errors. These two errors are most likely related and not separate errors altogether.
> Here are the two errors I'm seeing:
> 1: From /var/log/message - Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.;
> 2: From /var/log/error - syslog-ng[18498]: Message(s) dropped while sending message to destination; driver='d_elastic#0', worker_index='1', time_reopen='60', batch_size='3'

That looks like progress to me!
What does curl say? (use -k or --capath)

Also, don't make tests with syslog-ng as long as you haven't sorted out

1. The connectivity with curl is established
   e.g. `curl --cert ... --key ...` gives you a 40x
   HTTP status code
2. The permissions with searchguard are correct
   e.g. `curl ... -Hcontent-type:application/json -d '{...}'`
   gives you a 20x

Once that's established, you can start hooking up syslog-ng.
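The two checks above as a small script (an added example, not from the thread or from syslog-ng): it runs the connectivity probe and then the indexing probe with the same client cert and CA, and maps the status code to which step still needs fixing. The host, PEM paths and index name are assumptions.

```python
# Added example (not from the thread): replay the two curl checks in Python.
# Assumed: cluster at https://localhost:9200, Search Guard PEM files at the
# paths below, target index "syslog".
import http.client
import json
import ssl

ES_HOST, ES_PORT = "localhost", 9200                      # assumed endpoint
CA_FILE = "/etc/ssl/es/root-ca.pem"                        # assumed paths
CLIENT_CERT, CLIENT_KEY = "/etc/ssl/es/client.pem", "/etc/ssl/es/client-key.pem"
INDEX = "syslog"                                           # assumed index

def tls_context(ca_file, cert, key):
    """Same trust setup as curl --cacert/--cert/--key (no -k: verification stays on)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.load_cert_chain(cert, key)
    return ctx

def bulk_body(index, docs):
    """NDJSON for POST /_bulk: action line + document line per record, newline-terminated."""
    lines = []
    for doc in docs:
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return "\n".join(lines) + "\n"

def classify(status):
    """Map an HTTP status to the next thing to fix: connectivity, then permissions."""
    if 200 <= status < 300:
        return "ok"
    if status in (401, 403):
        return "auth"      # TLS is fine; the Search Guard user/role mapping is not
    if status == 404:
        return "url"       # reachable, but the index or path does not exist
    return "request" if 400 <= status < 500 else "server"

def probe(ctx, method, path, body=None):
    """One request; returns (status, response text), like curl -w '%{http_code}'."""
    conn = http.client.HTTPSConnection(ES_HOST, ES_PORT, context=ctx, timeout=10)
    conn.request(method, path, body=body,
                 headers={"Content-Type": "application/json"} if body else {})
    resp = conn.getresponse()
    return resp.status, resp.read().decode(errors="replace")

if __name__ == "__main__":
    ctx = tls_context(CA_FILE, CLIENT_CERT, CLIENT_KEY)
    status, _ = probe(ctx, "GET", "/")            # step 1: any HTTP answer means TLS works
    print("step 1 connectivity:", status, classify(status))
    status, text = probe(ctx, "POST", "/_bulk", bulk_body(INDEX, [{"MESSAGE": "test"}]))
    print("step 2 permissions:", status, classify(status), text[:200])
```

A 40x from step 1 with a 20x from step 2 is the state the reply asks for before wiring up the syslog-ng destination; "auth" on step 2 means the Search Guard side, not syslog-ng, is what to look at next.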

