I'm currently configuring Logstash ArcSight Module, however I've reached a road-block, error message below:
Sending Logstash logs to /usr/share/logstash/logs which is now configured via log4j2.properties
[2022-10-24T10:09:00,755][INFO ][logstash.runner ] Log4j configuration path used is: /etc/logstash/log4j2.properties
[2022-10-24T10:09:00,761][INFO ][logstash.runner ] Starting Logstash {"logstash.version"=>"8.4.3", "jruby.version"=>"jruby 9.3.8.0 (2.6.8) 2022-09-13 98d69c9461 OpenJDK 64-Bit Server VM 17.0.4+8 on 17.0.4+8 +indy +jit [x86_64-linux]"}
[2022-10-24T10:09:00,770][INFO ][logstash.runner ] JVM bootstrap flags: [-Xms1g, -Xmx1g, -Djava.awt.headless=true, -Dfile.encoding=UTF-8, -Djruby.compile.invokedynamic=true, -Djruby.jit.threshold=0, -XX:+HeapDumpOnOutOfMemoryError, -Djava.security.egd=file:/dev/urandom, -Dlog4j2.isThreadContextMapInheritable=true, -Djruby.regexp.interruptible=true, -Djdk.io.File.enableADS=true, --add-exports=jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED, --add-exports=jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED, --add-opens=java.base/java.security=ALL-UNNAMED, --add-opens=java.base/java.io=ALL-UNNAMED, --add-opens=java.base/java.nio.channels=ALL-UNNAMED, --add-opens=java.base/sun.nio.ch=ALL-UNNAMED, --add-opens=java.management/sun.management=ALL-UNNAMED]
[2022-10-24T10:09:00,952][WARN ][logstash.config.source.multilocal] Ignoring the 'pipelines.yml' file because modules or command line options are specified
[2022-10-24T10:09:01,727][INFO ][logstash.agent ] Successfully started Logstash API endpoint {:port=>9600, :ssl_enabled=>false}
[2022-10-24T10:09:02,257]**[ERROR][logstash.licensechecker.licensereader] Unable to retrieve license information from license server {:message=>"No Available connections"}**
[2022-10-24T10:09:02,282]**[ERROR][logstash.licensechecker.modulelicensechecker] Failed to fetch X-Pack information from Elasticsearch. This is likely due to failure to reach a live Elasticsearch cluster.**
[2022-10-24T10:09:02,282][WARN ][logstash.config.modulescommon] The arcsight module is not enabled. Please check the logs for additional information.
[2022-10-24T10:09:02,286][ERROR][logstash.config.sourceloader] No configuration found in the configured sources.
[2022-10-24T10:09:02,345][INFO ][logstash.runner ] Logstash shut down.
[2022-10-24T10:09:02,354][FATAL][org.logstash.Logstash ] Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:790) ~[jruby.jar:?]
at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:753) ~[jruby.jar:?]
at usr.share.logstash.lib.bootstrap.environment.<main>(/usr/share/logstash/lib/bootstrap/environment.rb:91) ~[?:?]
The module was configured with these commands:
./logstash --modules arcsight --setup --path.settings /etc/logstash/ -M "arcsight.var.inputs=smartconnector" -M "arcsight.var.elasticsearch.hosts=[Private IP]:9200" -M "arcsight.var.elasticsearch.username=elastic" -M "arcsight.var.elasticsearch.password=changeme" -M "arcsight.var.kibana.host=[Private IP]:5601" -M "arcsight.var.kibana.username=kibana" -M "arcsight.var.kibana.password=changeme" &
I am very new to Elasticsearch and judging from the logs it seems to suggest the ES node is unreachable? I must confirm that the ES node, Kibana and Logstash are all on the same machine. Netstat has confirmed that the ES node is currently using a private address to listen on port 9200, and also on 127.0.0.1 on port 5601.
Any help or advice on how to troubleshoot will be highly appreciated.
Thanks
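An added diagnostic example, not part of the post above: it compares the host:port values passed via `-M` against the local listening sockets reported by `netstat -tln`, treating `0.0.0.0`/`::` as wildcard binds, and reports configured endpoints that no local socket would accept. The netstat output and the addresses (`10.0.0.5` standing in for the post's `[Private IP]`) are constructed samples that mirror what the post describes.

```python
# Constructed sample of `netstat -tln` output: Elasticsearch bound to a
# private address on 9200, Kibana bound only to loopback on 5601.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:9200           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5601          0.0.0.0:*               LISTEN
tcp6       0      0 :::9600                 :::*                    LISTEN
"""

# Constructed sample of the -M settings, with 10.0.0.5 as the assumed private IP.
SAMPLE_SETTINGS = {
    "arcsight.var.elasticsearch.hosts": "10.0.0.5:9200",
    "arcsight.var.kibana.host": "10.0.0.5:5601",
}

WILDCARDS = {"0.0.0.0", "::", "*"}


def parse_listeners(netstat_output):
    """Return the set of (address, port) pairs that are in LISTEN state."""
    listeners = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")  # works for IPv6 like :::9600
        listeners.add((addr, int(port)))
    return listeners


def is_bound_locally(host, port, listeners):
    """True if a local socket on this host would accept a connection to host:port."""
    return any(p == port and (a == host or a in WILDCARDS) for a, p in listeners)


def check_module_hosts(settings, netstat_output):
    """Map each *.host / *.hosts setting to the endpoints nothing is listening on."""
    listeners = parse_listeners(netstat_output)
    problems = {}
    for key, value in settings.items():
        if not key.endswith((".host", ".hosts")):
            continue
        for endpoint in value.strip("[]").split(","):
            endpoint = endpoint.strip().split("//")[-1]  # drop a scheme prefix
            host, _, port = endpoint.rpartition(":")
            if not is_bound_locally(host.strip("[]"), int(port), listeners):
                problems.setdefault(key, []).append(endpoint)
    return problems


if __name__ == "__main__":
    print(check_module_hosts(SAMPLE_SETTINGS, SAMPLE_NETSTAT))
```

A listener match only rules out a bind-address mismatch; failures caused by TLS settings or credentials still need the Elasticsearch endpoint queried directly.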