Logstash doesn't reach Elasticsearch

Hi all,

I set up an Elasticsearch cluster with 3 nodes. I deployed the first one and afterwards installed Kibana in the same VM (RHEL).

It works ok, with X-Pack security enabled.

elasticsearch.yml:

Added the other 2 nodes using an enrollment token.

Everything is ok.

When I set up Logstash and try to connect to Elasticsearch I see this error:

Telnet to Elasticsearch on port 9200 works well.

Basic Security Logstash

Created the logstash_writer and logstash_read roles and the logstash_internal user that elastic.co recommends; however, it still doesn't work.

I believe there is an error in Elasticsearch, because Metricbeat didn't work either.

I didn't change anything in logstash.yml.

The .conf file that I used follows:

Regards,

Can you execute

curl -u user:pass -XGET "http://<hostname>:9200/_cluster/health?pretty"

using the same username and password you are trying on Logstash?
How about using the user elastic?

It shows this error: curl: (52) Empty reply from server.

Inside Kibana it's working well.

I don't see any problem with using elastic. I am using logstash_internal because I followed the Elastic procedure.

Have you tried with HTTPS? You have TLS enabled, but you are communicating with Elasticsearch using HTTP.

@Ugo_Sangiorgi still not working.

Do I need to create a self-signed certificate? How do I do it?

https://discuss.elastic.co/t/how-to-replace-security-certificate-sign-by-elastic-ca/302840

Check this out

  1. your ES uses a self-signed certificate, so your curl must include "-k" for insecure
  2. check your installation, you will find a file called "http_ca.crt" under elasticsearch-/config/certs

@Ugo_Sangiorgi @elasticforme

I have created a CA without a password. After that I set up my elasticsearch.yml with xpack security enabled and redefined the transport.ssl path.

However, Elasticsearch didn't start because of this error:

When I ran yum install, at the end it showed me the elastic password:

I tried the same procedure passing this password but it didn't work either.

Without security the cluster works well.

Is there something that I am doing wrong?

When I create a cluster I execute this command before doing anything else and set up my password,
then restart the cluster after adding my SSL files in config etc.

/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

@elasticforme

Do I use this password when I create the CA and certificate? Or do I still use an empty password?

Regards,

Silas Muniz

That password and the certificate are two different things.
The certificate is used to communicate with the other nodes in the cluster.

I know it is hard to get your head around it if you are doing security for the first time, as it happened to me.

If you have already created the cluster and have these lines in your elasticsearch.yml file, then you are already using a certificate. Something like this:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/config/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/config/elastic-certificates.p12

Now you are using some user logstash_internal but I don't know what role you have for it.
First use the user elastic and see if it works.
If it does then it is a user grant problem.

@elasticforme

First of all, thank you for you help.

I used the elastic credentials in Logstash but it does not work. Kibana accepted the elastic credentials for authentication.

What am I doing wrong?

I have seen this error in logstash:

[INFO ] 2022-08-31 15:09:25.218 [Ruby-0-Thread-9: :1] elasticsearch - Failed to perform request {:message=>"192.168.0.35:9200 failed to respond", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::OrgApacheHttp::NoHttpResponseException: 192.168.0.35:9200 failed to respond>}

[WARN ] 2022-08-31 15:09:25.219 [Ruby-0-Thread-9: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"http://elastic:xxxxxx@192.168.0.35:9200/", :exception=>LogStash::Outputs::Elasticsearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [http://192.168.0.35:9200/][Manticore::ClientProtocolException] 192.168.0.35:9200 failed to respond"}

I used /usr/share/elasticsearch/bin/elasticsearch-reset-password -u elastic to change elastic password.

Regards

@Ugo_Sangiorgi @elasticforme

curl -u elastic:kKq46rm5qwkjwkNiTd -XGET "https://localhost:9200/_cluster/health?pretty" -k
{
"cluster_name" : "my-application",
"status" : "green",
"timed_out" : false,
"number_of_nodes" : 1,
"number_of_data_nodes" : 1,
"active_primary_shards" : 16,
"active_shards" : 16,
"relocating_shards" : 0,
"initializing_shards" : 0,
"unassigned_shards" : 0,
"delayed_unassigned_shards" : 0,
"number_of_pending_tasks" : 0,
"number_of_in_flight_fetch" : 0,
"task_max_waiting_in_queue_millis" : 0,
"active_shards_percent_as_number" : 100.0

Your curl for cluster health works, which means the user/password is connecting to Elasticsearch.

The error before is showing something different: it has IP address 192.168.0.35 while you are testing curl with localhost.

@elasticforme

The error is the same; the only change is that at the top I use a production environment (ip 172.20.6.206) and in the last post I am using the lab environment (192.68.0.35).

Logstash => 192.168.0.39
Elasticsearch => 192.168.0.35

I am trying to implement security in my stack because I need to use Observability to alert on my logs.
I want to create a rule to analyse my logs and send them to another server. For instance, when a rule reaches a condition, the log will be sent to another server (a SIEM, for example).

Regards

Hello everyone,

Silas, you need to understand that if you implement SSL your instances will use "https" instead of "http". This could mean a lot of things, but first you have to switch your configuration to use "https".

Elasticsearch will not answer you on HTTP! Please use HTTPS.

You also need to ensure connectivity between Logstash and Elastic; that's why doing the curl request from localhost is useless unless you are just trying the syntax of the command.

Please perform a request from logstash to elastic with curl.

You can also use this bash trick which checks if the port is open at the TCP level:

echo > /dev/tcp/ELASTIC_IP/9200 && echo "OK"
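As an added example (not from any reply in this thread, and not Elastic's code), the checks suggested above put into one script to run on the Logstash host: TCP first, then plain http to confirm TLS is on (the "Empty reply" from the thread), then https with the CA file and credentials, after which it prints the Logstash output stanza that matches what was verified. The host, port, CA path, user and password are assumed command-line inputs.

```shell
#!/bin/bash
# Added example, not from this thread: run it ON THE LOGSTASH HOST to check the
# path to Elasticsearch in the order the replies above suggest (TCP, plain http
# to prove TLS is on, then https with CA and credentials) and print a matching
# Logstash output stanza. Host, port, CA path, user and password are assumed.

# Map a curl exit code to what it means for Elasticsearch with TLS enabled.
explain_curl() {
  case "$1" in
    0)  echo "OK: https, CA and credentials all accepted" ;;
    7)  echo "connection refused: wrong host/port or Elasticsearch not listening" ;;
    22) echo "HTTP error: 401 = wrong user/password, 403 = role lacks privileges" ;;
    28) echo "timeout: firewall between Logstash and Elasticsearch" ;;
    52) echo "empty reply: TLS is enabled on that port but the URL was http://" ;;
    60) echo "certificate not trusted: pass the right --cacert (http_ca.crt)" ;;
    *)  echo "curl exit $1: see EXIT CODES in man curl" ;;
  esac
}
# Same /dev/tcp trick as in the reply above; returns 0 if the port accepts TCP.
tcp_open() {
  timeout 3 bash -c "echo > /dev/tcp/$1/$2" 2>/dev/null
}
check_es() {
  local host="$1" port="$2" ca="$3" user="$4" pass="$5" rc
  tcp_open "$host" "$port" || { echo "TCP to $host:$port closed"; return 1; }
  echo "TCP to $host:$port open"
  # Plain http on purpose: exit 52 is the "Empty reply" seen in the thread.
  curl -sf --connect-timeout 5 -u "$user:$pass" "http://$host:$port/" >/dev/null; rc=$?
  echo "http://  -> $(explain_curl "$rc")"
  curl -sf --connect-timeout 5 --cacert "$ca" -u "$user:$pass" \
       "https://$host:$port/_cluster/health" >/dev/null; rc=$?
  echo "https:// -> $(explain_curl "$rc")"
  [ "$rc" -eq 0 ] || return 1
  # Emit the elasticsearch output matching the verified URL, CA and user.
  cat <<EOF
output {
  elasticsearch {
    hosts    => ["https://$host:$port"]
    cacert   => "$ca"
    user     => "$user"
    password => "$pass"
  }
}
EOF
}

# Usage: ./check_es.sh 192.168.0.35 9200 /etc/logstash/certs/http_ca.crt logstash_internal 'secret'
if [ $# -eq 5 ]; then check_es "$@"; fi
```

The CA path is the http_ca.crt file mentioned earlier in the thread, copied from the Elasticsearch config/certs directory to the Logstash host.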
