I am trying to ingest data from Wazuh to Elastic using this .config file inside Logstash:
input {
  opensearch {
    hosts => ["[IP:PORT]"]
    user => "[USER]"
    password => "[PW]"
    index => "wazuh-alerts-*"
    ssl => true
    ca_file => "/usr/share/logstash/certs/root-ca-wazuh.pem"
    query => '{
      "query": {
        "bool": {
          "must": [
            {
              "term": {
                "rule.level": {
                  "value": "9"
                }
              }
            },
            {
              "range": {
                "timestamp": {
                  "gte": "now-1h"
                }
              }
            }
          ]
        }
      }
    }'
  }
}
output {
  elasticsearch {
    hosts => ["[IP:PORT]"]
    index => "wazuh-alerts-%{+YYYY.MM.dd}"
    user => 'logstash'
    password => '[PW]'
    ssl_enabled => true
    ssl_certificate => "/usr/share/logstash/certs/ca/ca.crt"
    ssl_key => "/usr/share/logstash/certs/ca/ca.pkcs8.key"
    ssl_verification_mode => none
    template => "/usr/share/logstash/conf.d/templates/wazuh.json"
    template_name => "wazuh"
    template_overwrite => true
    data_stream => false
  }
}
But once I start Logstash on Docker the following error appears:
logstash01_1 | The client is unable to verify distribution due to security privileges on the server side. Some functionality may not be compatible if the server is running an unsupported product.
logstash01_1 | [2024-07-10T15:27:00,900][ERROR][logstash.javapipeline ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<OpenSearch::Transport::Transport::Errors::Forbidden: [403] >, :backtrace=>["/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch/transport/transport/base.rb:227:in `__raise_transport_error'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch/transport/transport/base.rb:349:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch/transport/transport/http/manticore.rb:93:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch/transport/client.rb:191:in `perform_request'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch.rb:48:in `method_missing'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/opensearch-ruby-3.3.0/lib/opensearch/api/actions/ping.rb:46:in `ping'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-opensearch-1.0.0/lib/logstash/inputs/opensearch.rb:389:in `test_connection!'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-input-opensearch-1.0.0/lib/logstash/inputs/opensearch.rb:224:in `register'", "/usr/share/logstash/vendor/bundle/jruby/3.1.0/gems/logstash-mixin-ecs_compatibility_support-1.3.0-java/lib/logstash/plugin_mixins/ecs_compatibility_support/target_check.rb:48:in `register'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:237:in `block in register_plugins'", "org/jruby/RubyArray.java:1989:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:236:in `register_plugins'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:395:in `start_inputs'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:320:in `start_workers'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:194:in `run'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:146:in `block in start'"], "pipeline.sources"=>["/usr/share/logstash/conf.d/wazuh-elasticsearch.conf"], :thread=>"#<Thread:0x3a3154fb /usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:134 run>"}
I don't know if it is a Logstash user permission issue, though I don't think so, since I have also tried with a superuser. I am using ELK stack version 8.12.2.
What could it be?
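An added diagnostic, not part of the question above: the backtrace shows the opensearch input failing in `test_connection!`, which pings the indexer (`GET /`) before it ever reads the index, so the script below replays those two requests with the configured credentials and separates a TLS or connection failure from a 401 (credentials rejected) and a 403 (authenticated, but the user lacks the permission for that action). The stub server, the user name `logstash` and the password `secret` are constructed for offline use; point `diagnose()` at the real indexer URL with the `ca_file` from the input block to run it against the real thing.

```python
import base64
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def basic_auth(user, password):
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}

def probe(url, user, password, ca_file=None):
    """GET url with Basic auth; return (http_status or None, reason)."""
    req = urllib.request.Request(url, headers=basic_auth(user, password))
    ctx = ssl.create_default_context(cafile=ca_file) if url.startswith("https") else None
    try:
        with urllib.request.urlopen(req, timeout=10, context=ctx) as resp:
            return resp.status, "ok"
    except urllib.error.HTTPError as e:
        return e.code, e.reason
    except OSError as e:  # URLError and SSLError both derive from OSError
        return None, str(e)

def diagnose(base_url, user, password, index="wazuh-alerts-*", ca_file=None):
    """Step 1: the ping the plugin does in test_connection! (GET /). Step 2: read the index."""
    status, reason = probe(f"{base_url}/", user, password, ca_file)
    if status is None:
        return f"transport: {reason}"  # TLS or connection problem, not a permission one
    if status == 401:
        return "ping: 401, credentials rejected"
    if status == 403:
        return "ping: 403, authenticated but no cluster-level read permission"
    status, reason = probe(f"{base_url}/{index}/_count", user, password, ca_file)
    if status == 403:
        return f"index: 403, user cannot read {index}"
    return "ok" if status == 200 else f"index: {status} {reason}"

class _StubIndexer(BaseHTTPRequestHandler):
    """Constructed stand-in for the indexer: accepts logstash/secret but grants that
    user no cluster-level permission, so GET / answers 403 like the log in the post."""
    def do_GET(self):
        if self.headers.get("Authorization") != basic_auth("logstash", "secret")["Authorization"]:
            self.send_response(401)
        else:
            self.send_response(403 if self.path == "/" else 200)
        self.end_headers()

def start_stub():
    srv = HTTPServer(("127.0.0.1", 0), _StubIndexer)  # constructed local stub, plain HTTP
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"
```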