[syslog-ng] Cannot send Syslog-ng to Elasticsearch

Allen Olivas allen.olivas at infodefense.com
Fri Jul 12 14:26:07 UTC 2019

Ok, I curl'd cert and key to and got:

"curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above."

The cert and key are the demo searchguard ones, esnode.pem and esnode-key.pem
Once I can wrap my head around how this is all working together, etc, I'll swap those out for legitimate certs and keys. 

So that's where I stand. I think once I can resolve this part I should be good to go. 

-----Original Message-----
From: Fabien Wernli <wernli at in2p3.fr> 
Sent: Friday, July 12, 2019 1:37 AM
To: Allen Olivas <allen.olivas at infodefense.com>
Cc: Syslog-ng users' and developers' mailing list <syslog-ng at lists.balabit.hu>
Subject: Re: [syslog-ng] Cannot send Syslog-ng to Elasticsearch

On Thu, Jul 11, 2019 at 09:48:47PM +0000, Allen Olivas wrote:
> Ok so my attempt to build and add the certificates and CA still did not work. On a whim I pointed the TLS statement to the existing demo certs from searchguard.
> After restarting syslog-ng I found the service was still running (I don't know why it worked this time and not the million other times I tried it) but data is still not traversing to elasticsearch due to (I believe) two new errors. These two errors are most likely related and not separate errors altogether. 
> Here are the two errors I'm seeing: 
> 1: From /var/log/message - Server returned with a 4XX (client errors) status code, which means we are not authorized or the URL is not found.;
> 2: From /var/log/error - syslog-ng[18498]: Message(s) dropped while sending message to destination; driver='d_elastic#0', worker_index='1', time_reopen='60', batch_size='3'

That looks like progress to me!
What does curl say? (use -k or --capath)

Also, don't make tests with syslog-ng as long as you haven't sorted out

1. The connectivity with curl is established
   e.g. `curl --cert ... --key ...` gives you 40x
   http status code
2. The permissions with searchguard are correct
   e.g. `curl ... -Hcontent-type:application/json -d '{...}'`
   gives you a 20x

Once that's established, you can start hooking up syslog-ng.
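The two checks listed in the reply above, written out as a small shell script. This is an added example, not code from either poster, from syslog-ng or from Search Guard; the URL, the certificate paths (root-ca.pem as the issuing CA, esnode.pem/esnode-key.pem as the client pair) and the index name are assumptions for a Search Guard demo setup and can be overridden from the environment. It passes the CA with --cacert, which is what resolves curl's error 60 (unable to get local issuer certificate) without switching verification off with -k, and it maps the HTTP status code to the next thing to fix.

```shell
#!/bin/sh
# Added example, not part of the thread. Runs the two curl checks from the reply
# against an Elasticsearch node protected by Search Guard and decodes the result.
# All paths and the URL below are assumptions; override them via the environment.
ES_URL="${ES_URL:-https://localhost:9200}"
CA="${CA:-/etc/elasticsearch/root-ca.pem}"      # CA that issued the node cert (assumed path)
CERT="${CERT:-/etc/elasticsearch/esnode.pem}"   # client cert presented to Search Guard (assumed)
KEY="${KEY:-/etc/elasticsearch/esnode-key.pem}" # its private key (assumed)
INDEX="${INDEX:-syslog-ng-curl-test}"           # throwaway index for the write test (assumed)

# classify_status CODE -> ok | auth | notfound | client | server | tls | unknown
# curl prints 000 for %{http_code} when no HTTP response arrived (e.g. TLS failure, curl error 60).
classify_status() {
  case "$1" in
    2[0-9][0-9]) echo ok ;;
    401|403)     echo auth ;;
    404)         echo notfound ;;
    4[0-9][0-9]) echo client ;;
    5[0-9][0-9]) echo server ;;
    000|"")      echo tls ;;
    *)           echo unknown ;;
  esac
}

# http_status METHOD PATH [JSON_BODY] -> prints the HTTP status code only.
# --cacert makes curl trust the node cert's issuer instead of disabling verification with -k.
http_status() {
  if [ -n "$3" ]; then
    curl -s -o /dev/null -w '%{http_code}' --cacert "$CA" --cert "$CERT" --key "$KEY" \
      -X "$1" -H 'Content-Type: application/json' -d "$3" "$ES_URL$2"
  else
    curl -s -o /dev/null -w '%{http_code}' --cacert "$CA" --cert "$CERT" --key "$KEY" \
      -X "$1" "$ES_URL$2"
  fi
}

# run_checks -> 0 when both steps pass, 1 otherwise; prints what to fix next.
run_checks() {
  # Step 1: connectivity. Any real HTTP status (even 40x) proves TLS and the client cert were accepted.
  code=$(http_status GET /)
  if [ "$(classify_status "$code")" = tls ]; then
    echo "step 1 FAIL: no HTTP response; check --cacert/--cert/--key and the hostname in the node cert"
    return 1
  fi
  echo "step 1 OK: GET / returned $code"

  # Step 2: permissions. Writing a document must return 20x before syslog-ng's writes can succeed.
  code=$(http_status POST "/$INDEX/_doc" '{"message":"curl permission test","source":"syslog-ng"}')
  case "$(classify_status "$code")" in
    ok)       echo "step 2 OK: write returned $code; now configure the syslog-ng destination" ;;
    auth)     echo "step 2 FAIL ($code): the client cert's DN is not mapped to a role allowed to write $INDEX"; return 1 ;;
    notfound) echo "step 2 FAIL ($code): URL path not found; check ES_URL and the index path"; return 1 ;;
    *)        echo "step 2 FAIL ($code): unexpected status"; return 1 ;;
  esac
}

# Network access happens only when explicitly requested, e.g.: RUN_CHECKS=1 sh escheck.sh
if [ "${RUN_CHECKS:-0}" = 1 ]; then
  run_checks
fi
```

Step 1 treats any HTTP status as a pass on purpose: a 401 or 403 still means the TLS handshake and client certificate were accepted, which is the point Fabien makes with "gives you 40x". Only step 2, the JSON write, has to come back 20x.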
