Config Logstash with https to Elasticsearch cluster

AkatsukiPain · September 23, 2020, 5:36am

Error Logs in Logstash

[2020-09-23T12:24:31,929][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://palelasticsearch01mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearc
h::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://palelasticsearch01mgt:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcep
tion: unable to find valid certification path to requested target"}
[2020-09-23T12:24:31,950][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://palelasticsearch02mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearc
h::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://palelasticsearch02mgt:9200/][Manticore::ClientProtocolException] **PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcep**
**tion: unable to find valid certification path to requested target"}**
[2020-09-23T12:24:31,974][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://palelasticsearch03mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearc
h::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://palelasticsearch03mgt:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcep
tion: unable to find valid certification path to requested target"}
[2020-09-23T12:24:32,870][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://palelasticsearch01mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearch
::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://palelasticsearch01mgt:9200/][Manticore::ClientProtocolException] palelasticsearch01mgt:9200 failed to respond"}
[2020-09-23T12:24:32,874][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://palelasticsearch02mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearch
::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://palelasticsearch02mgt:9200/][Manticore::ClientProtocolException] palelasticsearch02mgt:9200 failed to respond"}
[2020-09-23T12:24:32,877][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://palelasticsearch03mgt:9200/", :error_type=>LogStash::Outputs::ElasticSearch
::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://palelasticsearch03mgt:9200/][Manticore::ClientProtocolException] palelasticsearch03mgt:9200 failed to respond"}

Logstash Config:

output {
if [fields][type] == "glassfish_log" or [fields][type] == "jars_log" {
elasticsearch {
hosts => ["palelasticsearch01mgt:9200","palelasticsearch02mgt:9200","palelasticsearch03mgt:9200"]
index => "app-filebeat"
template_name => "app-filebeat"
template_overwrite => "true"
#ilm_enabled => false
#ilm_rollover_alias => "app-filebeat"
#ilm_pattern => "{now/d}-000001"
#ilm_policy => "app-filebeat"
#truststore => "/etc/logstash/certs/http.p12"
#keystore => "/etc/logstash/certs/http.p12"
#keystore_password => ""
#truststore_password => ""
ssl => true
ssl_certificate_verification => false
user => 'logstash_writer'
password => 'xxxx'
}
}
else if [fields][type] == "nginx_access_log" or [fields][type] == "nginx_error_log" {
elasticsearch {
hosts => ["palelasticsearch01mgt:9200","palelasticsearch02mgt:9200","palelasticsearch03mgt:9200"]
index => "proxy-filebeat"
template_name => "proxy-filebeat"
template_overwrite => "true"
#ilm_enabled => false
#ilm_rollover_alias => "proxy-filebeat"
#ilm_pattern => "{now/d}-000001"
#ilm_policy => "proxy-filebeat"
#truststore => "/etc/logstash/certs/pallogstash01mgt.p12"
#keystore => "/etc/logstash/certs/pallogstash01mgt.p12"
#keystore_password => ""
#truststore_password => ""
ssl => true
ssl_certificate_verification => false
user => 'logstash_writer'
password => 'xxxx'
}
}
}

Elastic Search Logs:

[2020-09-23T05:30:31,456][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56596}
[2020-09-23T05:30:34,652][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56602}
[2020-09-23T05:30:36,465][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56608}
[2020-09-23T05:30:39,731][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56614}
[2020-09-23T05:30:41,474][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56620}
[2020-09-23T05:30:44,804][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56626}
[2020-09-23T05:30:46,484][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [palelasticsearch01mgt] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/192.168.24.60:9200, remote
Address=/192.168.24.67:56632}

I have changed many configs in logstash but didn't work, the cert in logstash config has come from Elasticsearch CA (PKSC12 elastic-stack-ca.p12 ) with truststore config or CACERT ( export pkcs12 to pem).

I don't know how to config logstash correctly. please help me.
Additionally, logstash is monitored by elasticsearch already. just unable to push logs to Elasticsearch.

kavierkoo · September 23, 2020, 8:38am

In your logstash config, cacert field is missing and hosts are not https.

output {
if [fields][type] == "glassfish_log" or [fields][type] == "jars_log" {
  elasticsearch {
    hosts => ["https://palelasticsearch01mgt:9200","https://palelasticsearch02mgt:9200","https://palelasticsearch03mgt:9200"]
    index => "app-filebeat"
    template_name => "app-filebeat"
    template_overwrite => "true"
    #ilm_enabled => false
    #ilm_rollover_alias => "app-filebeat"
    #ilm_pattern => "{now/d}-000001"
    #ilm_policy => "app-filebeat"
    #truststore => "/etc/logstash/certs/http.p12"
    #keystore => "/etc/logstash/certs/http.p12"
    #keystore_password => ""
    #truststore_password => ""
    ssl => true
    ssl_certificate_verification => false
    user => 'logstash_writer'
    password => 'xxxx'
    cacert => "YOUR_CACERT"
  }
}

You can refer to below for reference.

Section [6-4] Create and configure conf.d/example.conf

Hope this could help you.

AkatsukiPain · October 5, 2020, 6:43am

Your answer is almost true
because of my cert is not valid so the way that I did was not work. I updated the Cert and change the hosts to HTTPS and it's working now.
Thanks for your answer.

system · November 2, 2020, 6:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.