Logstash arcsight integration module (problem)


#1

Hi, I am currently setting up the ArcSight integration module on Logstash so that I could feed security logs to the elastic stack via smartconnectors. Here's the config I am using as instructed in the guide:

bin/logstash --modules arcsight --setup \
-M "arcsight.var.input.smartconnector.bootstrap_servers=10.132.111.24:56743" \
-M "arcsight.var.elasticsearch.hosts=10.170.41.180:9200" \
-M "arcsight.var.kibana.host=10.170.41.180:5601"

Upon checking tcpdumps, I am able to receive the logs from the SmartConnectors, but I am receiving this error:

[WARN ] 2018-07-09 19:51:03.834 [Ruby-0-Thread-13: :1] NetworkClient - [Consumer clientId=logstash-0, groupId=logstash] Connection to node -1 could not be established. Broker may not be available.
[WARN ] 2018-07-09 19:51:04.787 [Ruby-0-Thread-13: :1] NetworkClient - [Consumer clientId=logstash-0, groupId=logstash] Connection to node -1 could not be established. Broker may not be available.
[WARN ] 2018-07-09 19:51:05.941 [Ruby-0-Thread-13: :1] NetworkClient - [Consumer clientId=logstash-0, groupId=logstash] Connection to node -1 could not be established. Broker may not be available.

tcpdump for reference:
19:55:55.735831 IP 10.132.111.24 > cydo-elastic: udp
19:55:55.735880 IP 10.132.111.24.56743 > cydo-elastic.5000: UDP, length 1299
19:55:55.735981 IP 10.132.111.24.56743 > cydo-elastic.5000: UDP, length 1179
19:55:55.736099 IP 10.132.111.24.56743 > cydo-elastic.5000: UDP, length 1164
19:55:55.736229 IP 10.132.111.24.56743 > cydo-elastic.5000: UDP, length 1277

Also, I am running version 6.3 of ELK.

Any ideas on how to fix this?
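As an added example (not code from the original post or from the Logstash ArcSight module itself): a standalone Logstash pipeline that ingests events the way the tcpdump above shows them arriving, i.e. as UDP datagrams to port 5000, instead of going through the module's Kafka consumer that produces the "Broker may not be available" warnings. It assumes the SmartConnector destination emits CEF over UDP and that the cef codec bundled with Logstash 6.3 is available; the Elasticsearch host is the one from the post, the index name is an assumption.

```logstash
# Added example, not the module's own pipeline.
# Listens for CEF over UDP on port 5000, matching the traffic seen in the tcpdump.
input {
  udp {
    host  => "0.0.0.0"
    port  => 5000
    codec => cef            # parses "CEF:0|vendor|product|..." into fields
    type  => "arcsight"
  }
}

filter {
  # The cef codec tags datagrams it could not parse; keep them, but mark them
  # so they can be routed to a separate index for investigation rather than lost.
  if "_cefparsefailure" in [tags] {
    mutate { add_field => { "[@metadata][index]" => "arcsight-unparsed" } }
  } else {
    mutate { add_field => { "[@metadata][index]" => "arcsight" } }
  }
}

output {
  elasticsearch {
    hosts => ["10.170.41.180:9200"]   # host from the original post
    index => "%{[@metadata][index]}-%{+YYYY.MM.dd}"   # assumed naming scheme
  }
}
```

Run it with `bin/logstash -f <path-to-this-file>`; if events land in the `arcsight-unparsed-*` index, the connector is not sending CEF and the codec should be revisited.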
