Logstash Arcsight Module issue

I have to ingest logs via a SmartConnector into Logstash. I installed X-Pack and the ArcSight module (following this link: https://www.elastic.co/guide/en/logstash/current/arcsight-module.html).

In logstash.yml, I have mentioned the details as below:

modules:
  - name: arcsight
    var.elasticsearch.hosts: "192.168.2.142:9200"
    var.elasticsearch.username: "elastic"
    var.elasticsearch.password: "elastic@123"
    var.kibana.host: "192.168.2.142:5601"
    var.kibana.username: "kibana"
    var.kibana.password: "kibana@123"
    var.smartconnector.port: "5000"

No matter what I do, the port is not opening:
root@elastic:~# netcat -zv 192.168.2.141 5000
netcat: connect to 192.168.2.141 port 5000 (tcp) failed: Connection refused

When I run Logstash, I get the output below:

elk@ELK:~$ sudo /usr/share/logstash/bin/logstash --modules arcsight
Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'
Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'
Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'
Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'
Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/_xpack'
.
.
.

Please suggest.

Passing in command-line arguments makes Logstash bypass other things like pipelines, etc. So you're not passing in the authentication in your YML file. You don't need the command arguments if you have everything in your logstash.yml (bin/logstash should suffice). Check your variable names and spacing. The YML file is very picky when parsed.

-krw
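
The "check your variable names and spacing" advice above can be scripted. The following is an added example, not code from the thread or from Logstash: a line-based lint (not a full YAML parser) for the `modules:` block of logstash.yml. The function name, the list of required keys (taken from the poster's config) and the sample input are assumptions constructed for illustration.

```python
import re

# Keys the poster's module block sets for Elasticsearch auth (names from the thread).
REQUIRED = ("var.elasticsearch.hosts", "var.elasticsearch.username",
            "var.elasticsearch.password")

def lint_modules_block(text, module="arcsight"):
    """Return [(line_no, problem)] for one module entry under `modules:`."""
    problems, seen = [], set()
    in_modules = in_target = False
    key_indent = None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.match(r"modules\s*:\s*$", line):
            in_modules = True
            continue
        if not in_modules:
            continue
        if not line[0].isspace():            # next top-level key ends the section
            break
        if "\t" in line[:len(line) - len(line.lstrip())]:
            problems.append((no, "tab in indentation; YAML needs spaces"))
        item = re.match(r"(\s*)(\S)\s+name\s*:\s*(\S+)", line)
        if item:                             # start of a list entry
            if item.group(2) != "-":
                problems.append((no, f"list marker {item.group(2)!r} is not '-'"))
            in_target = item.group(3).strip("\"'") == module
            key_indent = len(item.group(1)) + 2   # keys align with "name"
            continue
        if not in_target:
            continue
        kv = re.match(r"(\s*)([\w.]+):(\s?)(.*)$", line)
        if not kv:
            problems.append((no, "not a 'key: value' line"))
            continue
        if len(kv.group(1)) != key_indent:
            problems.append((no, f"indent {len(kv.group(1))}, expected {key_indent}"))
        if kv.group(4) and not kv.group(3):
            problems.append((no, "no space after ':'"))
        seen.add(kv.group(2))
    problems += [(0, f"{k} is not set") for k in REQUIRED if k not in seen]
    return problems

# Constructed sample with three defects: wrong marker, extra indent, missing space.
BAD = ('modules:\n  \u2022 name: arcsight\n'
       '    var.elasticsearch.hosts: "es.example:9200"\n'
       '     var.elasticsearch.username: "elastic"\n'
       '    var.elasticsearch.password:"placeholder"\n')
print(lint_modules_block(BAD))
```

Problems reported with line number 0 are required keys that were never set for the module, which is the condition that leaves Logstash without credentials for Elasticsearch.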
