My Requirement:
In my setup, Kibana and Elasticsearch reside on one machine. Logstash and Filebeat reside on another machine.
My requirement is to secure the connection with SSL certificates between Logstash and Elasticsearch.
Steps I followed:
(1) I have installed X-Pack on Elasticsearch, using the default username/password (elastic/changeme).
(2) I have self-signed certificates generated for client and server. In elasticsearch.yml, I made the following changes,
(4) Now I want to secure the connection with SSL between Elasticsearch and Logstash in the same way I was able to secure the connection between Filebeat and Logstash.
I have not installed X-Pack in Logstash yet. Please let me know how to achieve it. Am I on the right track?
Hi @joshbressers,
Thanks for the link. I added the below lines in the logstash.config file:
```
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "elastic"
    password => "changeme"
    ssl => true
    cacert => ["D://Softwares//ELK//ELK_SSL_Certificates//testca//cacert.pem"]
  }
  stdout { codec => rubydebug }
}
```
After adding the SSL lines as mentioned in the link provided, I get the below error when I start Logstash: 11:21:49.029 [[main]-pipeline-manager] ERROR logstash.agent - Pipeline aborted due to error {:exception=>#<Manticore::UnknownException: Unrecognized SSL message, plaintext connection?>
Please tell me if there is anything else I am missing here.
Please post the error message in full, and include in a "code block" in your message by putting 3 backticks before and after the message like this:
```
11:21:49.029 [[main]-pipeline-manager] ERROR logstash.agent - Pipeline aborted due to error {:exception=>#
```
Below are the changes I have made in my elasticsearch.yml:
```
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.client_authentication: required
xpack.ssl.key: "D:/Softwares/ELK/elasticsearch-5.4.0/elasticsearch-5.4.0/config/x-pack/ELK_SSL_Certificates/server/pkcs8.key"
xpack.ssl.certificate: "D:/Softwares/ELK/elasticsearch-5.4.0/elasticsearch-5.4.0/config/x-pack/ELK_SSL_Certificates/server/cert.pem"
xpack.ssl.certificate_authorities: "D:/Softwares/ELK/elasticsearch-5.4.0/elasticsearch-5.4.0/config/x-pack/ELK_SSL_Certificates/testca/cacert.pem"
```
That means that something tried to connect to your ES cluster using HTTP rather than HTTPS. Without more information, I can't tell you where that connection came from.
The exception is no longer seen. I tried accessing Elasticsearch using http a few times. That's the reason it threw that exception. I did not realise. Apologies for the same.
Now the next issue is that I am unable to connect to Elasticsearch from Logstash and Kibana. Below is my logstash.conf output section:
```
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "elastic"
    password => "changeme"
    ssl => true
    cacert => ["D://Softwares//ELK//ELK_SSL_Certificates//testca//cacert.pem"]
  }
  stdout { codec => rubydebug }
}
```
I get the below error:
```
:error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
```
For your information, I have installed X-Pack in Elasticsearch and made changes in elasticsearch.yml as shared above. I have also installed X-Pack in Logstash and had made the below changes.
In logstash.yml:
```
xpack.monitoring.elasticsearch.url: ["https://132.186.102.39:9200"]
xpack.monitoring.elasticsearch.username: elastic
xpack.monitoring.elasticsearch.password: changeme
```
Now I have commented those lines out as well. The logstash.yml is a fresh file now with all lines commented.
Please note that I have added the below line in elasticsearch.yml: network.host: 132.186.102.39
Now I see Logstash trying to connect to Elasticsearch using logstash_system and elastic as usernames. Please find the logs below:
```
10:39:24.433 [Ruby-0-Thread-7: D:/Softwares/ELK/logstash-5.4.0/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:234] INFO logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>http://logstash_system:xxxxxx@localhost:9200/, :path=>"/"}
10:39:24.437 [Ruby-0-Thread-10: D:/Softwares/ELK/logstash-5.4.0/logstash-5.4.0/logstash-core/lib/logstash/pipeline.rb:532] DEBUG logstash.pipeline - Pushing flush onto pipeline
10:39:24.454 [Ruby-0-Thread-6: D:/Softwares/ELK/logstash-5.4.0/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:234] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTP:0x50b697b9 URL:http://logstash_system:xxxxxx@localhost:9200/_xpack/monitoring/?system_id=logstash&system_api_version=2&interval=1s>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/][Manticore::SocketException] Connection refused: connect"}
```
```
10:39:24.612 [Ruby-0-Thread-12: D:/Softwares/ELK/logstash-5.4.0/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:234] INFO logstash.outputs.elasticsearch - Running health check to see if an Elasticsearch connection is working {:healthcheck_url=>https://elastic:xxxxxx@132.186.102.39:9200/, :path=>"/"}
10:39:24.647 [Ruby-0-Thread-12: D:/Softwares/ELK/logstash-5.4.0/logstash-5.4.0/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-6.3.0-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:234] WARN logstash.outputs.elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>#<URI::HTTPS:0x27d5513c URL:https://elastic:xxxxxx@132.186.102.39:9200/>, :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@132.186.102.39:9200/][Manticore::ClientProtocolException] KeyUsage does not allow digital signatures"}
```
The strange thing is that when it uses logstash_system, it uses localhost instead of the IP address. When it uses elastic, it uses the IP address instead of localhost.
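An added example, not part of the original thread and not Elastic's code: a small Python triage of the four connection errors quoted in the posts above, which also lists the user, scheme and host each connection attempt used. The log lines are constructed (abridged from the thread), and the labels and check hints are this example's own.

```python
import re

# Constructed sample: error lines abridged from the Logstash output quoted in this thread.
SAMPLE_LOG = [
    'ERROR logstash.agent - Pipeline aborted due to error {:exception=>'
    '#<Manticore::UnknownException: Unrecognized SSL message, plaintext connection?>',
    ':error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@localhost:9200/]'
    '[Manticore::ClientProtocolException] PKIX path building failed"}',
    ':error=>"Elasticsearch Unreachable: [http://logstash_system:xxxxxx@localhost:9200/]'
    '[Manticore::SocketException] Connection refused: connect"}',
    ':error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@132.186.102.39:9200/]'
    '[Manticore::ClientProtocolException] KeyUsage does not allow digital signatures"}',
]

# (substring in the log line, label, what to check); the mapping is this example's own.
RULES = [
    ("Unrecognized SSL message, plaintext connection", "tls_plaintext_mismatch",
     "one end speaks HTTPS and the other HTTP: align 'ssl => true' with the listener"),
    ("PKIX path building failed", "untrusted_chain",
     "peer certificate does not chain to a CA the client trusts (cacert)"),
    ("KeyUsage does not allow digital signatures", "bad_key_usage",
     "validated certificate's keyUsage lacks digitalSignature: reissue it"),
    ("Connection refused", "no_listener",
     "nothing listens on that host:port: compare the host with network.host"),
]

# Pulls scheme, user, host and port out of "[https://user:xxxxxx@host:port/]".
URL_RE = re.compile(r"\[(https?)://([^:@/\]]+):[^@\]]*@([^:/\]]+):(\d+)")

def triage(lines):
    """Return one finding per recognised error line, in input order."""
    findings = []
    for line in lines:
        for needle, label, check in RULES:
            if needle in line:
                m = URL_RE.search(line)
                scheme, user, host, port = m.groups() if m else (None,) * 4
                findings.append({"label": label, "check": check, "scheme": scheme,
                                 "user": user, "host": host, "port": port})
                break
    return findings

def endpoints(findings):
    """Distinct (user, scheme, host): more than one entry means the configs disagree."""
    return sorted({(f["user"], f["scheme"], f["host"]) for f in findings if f["host"]})

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["label"], f["user"], f["scheme"], f["host"], "->", f["check"])
    print(endpoints(triage(SAMPLE_LOG)))
```

Three distinct endpoints in the output show that the pipeline output and the monitoring connection are not pointed at the same scheme and host.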