Elasticsearch - Failed to install template. error is generated

Elasticsearch : 7.8.0
Logstash : 7.8.0-1
KIBANA : 7.8.0

I installed ELK on an Ubuntu 16.04 desktop and am trying to visualize the Suricata detection logs from another PC,

but when I enter the command sudo ./logstash -f /usr/share/logstash/bin/logstash.conf


[ERROR] 2020-06-30 10:03:46.169 [Ruby-0-Thread-8: :1] elasticsearch - Failed to install template. {:message=>"Got response code '400' contacting Elasticsearch at URL 'http://127.0.0.1:9200/_template/logstash'", :class=>"LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError", :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/manticore_adapter.rb:80:in `perform_request'",
 "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:332:in `perform_request_to_url'", 
"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:319:in `block in perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:414:in `with_connection'", 
"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:318:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:326:in `block in Pool'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client.rb:352:in `template_put'", 
"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/http_client.rb:86:in `template_install'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/template_manager.rb:28:in `install'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/template_manager.rb:16:in `install_template'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/common.rb:205:in `install_template'", 
"/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.5.1-java/lib/logstash/outputs/elasticsearch/common.rb:49:in `block in setup_after_successful_connection'"]}

this message keeps appearing.

I have no idea how to fix it. I need some advice.

Here are the contents of logstash.conf.

input {
	file {
		path => ["/nfs/eve.json"]
		sincedb_path => ["/var/lib/logstash/since.db"]
		codec => json
		type => "SuricataIDPS"
	}
}

filter {
	if [type] == "SuricataIDPS" {
		date {
			match => [ "timestamp", "ISO8601" ]
		}

		# Keep only the leading part of the libmagic description for fileinfo events.
		ruby {
			code => "
				if event.get('[event_type]') == 'fileinfo'
					event.set('[fileinfo][type]', event.get('[fileinfo][magic]').to_s.split(',')[0])
				end
			"
		}

		# Strip a trailing ' group <n>' suffix from alert signatures.
		ruby {
			code => "
				if event.get('[event_type]') == 'alert'
					sp = event.get('[alert][signature]').to_s.split(' group ')
					if (sp.length == 2) and /\A\d+\z/.match(sp[1])
						event.set('[alert][signature]', sp[0])
					end
				end
			"
		}

		metrics {
			meter => [ "eve_insert" ]
			add_tag => "metric"
			flush_interval => 30
		}
	}

	if [http] {
		useragent {
			source => "[http][http_user_agent]"
			target => "[http][user_agent]"
		}
	}
	if [src_ip] {
		geoip {
			source => "src_ip"
			target => "geoip"
			#database => "/usr/share/GeoIp/GeoLite2-City.mmdb"
			#add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
			#add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
		}
	}
}

output {
	if [event_type] and [event_type] != 'stats' {
		elasticsearch {
			hosts => "127.0.0.1"
			index => "logstash-%{event_type}-%{+YYYY.MM.dd}"
			template_overwrite => true
			template => "/usr/share/logstash/bin/KTS6/es-template/elasticsearch6-template.json"
		}
	}
	else {
		elasticsearch {
			hosts => "127.0.0.1"
			index => "logstash-%{+YYYY.MM.dd}"
			template_overwrite => true
			template => "/usr/share/logstash/bin/KTS6/es-template/elasticsearch6-template.json"
		}
	}
}

Here are the contents of /usr/share/logstash/bin/KTS6/es-template/elasticsearch6-template.json.


{
  "template" : "logstash-*",
  "version" : 60001,
  "settings" : {
    "number_of_replicas": 0,
    "index.refresh_interval" : "5s"
  },
  "mappings" : {
    "_default_" : {
      "dynamic_templates" : [ {
        "message_field" : {
          "path_match" : "message",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text",
            "norms" : false
          }
        }
      }, {
        "string_fields" : {
          "match" : "*",
          "match_mapping_type" : "string",
          "mapping" : {
            "type" : "text", "norms" : false,
            "fields" : {
              "keyword" : { "type": "keyword", "ignore_above": 256 }
            }
          }
        }
      } ],
      "properties" : {
        "@timestamp": { "type": "date" },
        "@version": { "type": "keyword" },
        "geoip" : {
          "dynamic": true,
          "properties" : {
            "ip": { "type": "ip" },
            "location" : { "type" : "geo_point" },
            "latitude" : { "type" : "half_float" },
            "longitude" : { "type" : "half_float" }
          }
        }
      }
    }
  }
}

I would appreciate your help.
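A pre-flight check for the posted template, added here and not part of the thread or of any Elastic code: Elasticsearch 7.0 removed the `_default_` mapping type and has deprecated the `template` key in favour of the `index_patterns` list since 6.0, so a 6.x-style template body is one cause of a 400 from `PUT /_template/logstash` on 7.8.0 even when the connection itself is fine. The script below flags both and rewrites the body into the typeless 7.x shape; the sample is a constructed, abbreviated copy of the template above, and the function names are my own.

```python
"""Check a legacy (6.x-style) index template for Elasticsearch 7.x compatibility.

Added example for this thread, not code from the original post or from Elastic.
Facts relied on: ES 7.0 removed the '_default_' mapping type, and with the 7.x
default of include_type_name=false the 'mappings' object holds the field
definitions directly; the 'template' key is deprecated in favour of the
'index_patterns' list since 6.0. The rewrite assumes '_default_' is the only
type in 'mappings', as in the posted template.
"""
import copy

# Constructed sample: the posted elasticsearch6-template.json, abbreviated.
SAMPLE_TEMPLATE = {
    "template": "logstash-*",
    "version": 60001,
    "settings": {"number_of_replicas": 0, "index.refresh_interval": "5s"},
    "mappings": {
        "_default_": {
            "dynamic_templates": [],
            "properties": {"@timestamp": {"type": "date"}},
        }
    },
}


def check_template_for_es7(tpl: dict) -> list:
    """Return human-readable problems that make PUT /_template fail or warn on 7.x."""
    problems = []
    if "template" in tpl and "index_patterns" not in tpl:
        problems.append("deprecated: 'template' should be 'index_patterns' (a list)")
    if "_default_" in tpl.get("mappings", {}):
        problems.append("rejected: '_default_' mapping type was removed in 7.0")
    return problems


def fix_template_for_es7(tpl: dict) -> dict:
    """Return a copy rewritten into the typeless 7.x shape; the input is left untouched."""
    fixed = copy.deepcopy(tpl)
    if "template" in fixed:
        fixed["index_patterns"] = [fixed.pop("template")]
    mappings = fixed.get("mappings", {})
    if "_default_" in mappings:
        # Lift the per-type body to the top of 'mappings': 7.x has a single, unnamed type.
        fixed["mappings"] = mappings["_default_"]
    return fixed


if __name__ == "__main__":
    for line in check_template_for_es7(SAMPLE_TEMPLATE):
        print(line)
    print(fix_template_for_es7(SAMPLE_TEMPLATE))
```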

The message below appears, which suggests the connection to Elasticsearch is not working properly. Please check whether the port is blocked or something similar.

"Got response code '400' contacting Elasticsearch at URL 'http://127.0.0.1:9200/_template/logstash'"


Port 9200 for elasticsearch is open.
Could it be a problem that I added http.host= 0.0.0.0 under network.host in elasticsearch.yml so that remote connections are possible too?

I just noticed something: in the output, instead of

hosts => "127.0.0.1"

try entering it as an array, like

hosts => ["127.0.0.1"]

An array value is the default, so a single string might not work.

After configuring it the way you said, it works normally.
Thank you very much.

I would like to award you points, but it seems this site does not have that feature.

Thank you so, so much.
