Fresh ELK install 8.4.3. Logstash problem


Could use some help with a fresh ELK installation on premises. I installed Elasticstack and Kibana with mostly default configuration. In the Elasticstack conf I changed the data path and uncommented the host and port settings. In Kibana I uncommented host, port and publicBaseUrl.

When starting Elasticstack I was given a first-time user and token. When starting Kibana for the first time I got to insert that token, and logging in worked. So far so good.

Then I installed Logstash and made a simple pipe config, where the input is syslog and the output is Elasticstack. But I get errors:

[2022-10-28T12:38:03,467][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"x.x.x.x:9200 failed to respond", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::OrgApacheHttp::NoHttpResponseException: x.x.x.x:9200 failed to respond>}

[2022-10-28T12:37:58,446][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [ELK] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/x.x.x.x:9200, remoteAddress=/x.x.x.x:54377}

It seems like an authentication problem. When I tested with Elasticsearch security turned off it started sending fine, but that also removes the user login part that I like.

What do I need to add in Logstash to make it work with authentication?
I tried to change:

output {
	elasticsearch {
		hosts => ["x.x.x.x:9200"]
	}
}

hosts to include http / https as well; it didn't change anything.

It is not authentication; authentication errors from Elasticsearch will return a 401 or 403. Your Logstash can't even connect to Elasticsearch yet.

This means that you have something sending data to your Elasticsearch instance using http while it expects https.

In your Logstash output you need to use hosts => ["https://ip:9200"].

Change it to https and share both the Logstash logs and Elasticsearch logs.

When i added:

hosts => ["https://x.x.x.x:9200"]
ssl => true
cacert => 'C:\logstash-8.4.3\config\certs\http_ca.crt'
user => 'logstash_internal'
password => 'xxxx'

Then it started working.
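
Added example, not part of the thread: a small Python triage that reads Logstash and Elasticsearch log lines together and separates the transport mismatch seen here (plaintext HTTP sent to a TLS port) from a real authentication failure (401/403). The category names, the advice strings and the 401 sample line are constructed for illustration; the other two lines are the ones quoted above.

```python
import re
from datetime import datetime

# Elasticsearch and Logstash share the "[timestamp][LEVEL][logger] message" layout.
LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<level>\w+)\s*\]\[(?P<logger>[^\]]+?)\s*\]\s*(?P<msg>.*)$")

# Ordered rules, first match wins. Category names are this example's own.
RULES = [
    ("scheme_mismatch", re.compile(r"received plaintext http traffic on an https channel")),
    ("auth_failure", re.compile(r"response code '(401|403)'")),
    ("no_response", re.compile(r"NoHttpResponseException|failed to respond")),
]
ADVICE = {
    "scheme_mismatch": "client speaks http to a TLS port: use https:// in hosts and trust the CA",
    "auth_failure": "TLS works, credentials or role do not: check user, password, privileges",
    "no_response": "ambiguous on its own: read the Elasticsearch log for the same minute",
    "no_match": "nothing recognised",
}

def parse(line):
    """Return (timestamp, category, logger) for a recognised line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S,%f")
    for name, rx in RULES:
        if rx.search(m["msg"]):
            return ts, name, m["logger"]
    return None

def diagnose(lines):
    """The most recent definitive event decides; a bare no-response is only a fallback."""
    events = sorted(e for e in (parse(l) for l in lines) if e)
    definitive = [e for e in events if e[1] != "no_response"]
    if definitive:
        return definitive[-1][1]
    return "no_response" if events else "no_match"

# The two lines quoted in the thread (addresses were already masked there).
THREAD_LINES = [
    r'[2022-10-28T12:38:03,467][INFO ][logstash.outputs.elasticsearch][main] Failed to perform request {:message=>"x.x.x.x:9200 failed to respond", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::OrgApacheHttp::NoHttpResponseException: x.x.x.x:9200 failed to respond>}',
    r'[2022-10-28T12:37:58,446][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [ELK] received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/x.x.x.x:9200, remoteAddress=/x.x.x.x:54377}',
]
# Constructed line for comparison; not from the thread.
CONSTRUCTED_401 = "[2022-10-28T12:45:10,120][ERROR][logstash.outputs.elasticsearch][main] Got response code '401' contacting Elasticsearch at URL 'https://x.x.x.x:9200/'"

if __name__ == "__main__":
    for sample in (THREAD_LINES, [CONSTRUCTED_401]):
        verdict = diagnose(sample)
        print(verdict, "->", ADVICE[verdict])
```
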
