Logstash elasticsearch input using https error

I am able to curl the elasticsearch https but input errors out:

[ffoti@siem-logstash-01 ~]$ curl -XGET -u elastic:********* --cacert /etc/logstash/ca.crt --cert /etc/logstash/siem-logstash-01.crt --key /etc/logstash/siem-logstash-01-pkcs8.key 'https://siem-elasticsearch-01:9200/_cluster/health?pretty'
{
  "cluster_name" : "siem-poc",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 122,
  "active_shards" : 122,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0

input {
  elasticsearch {
    hosts => ["https://siem-elasticsearch-01:9200"]
    user => elastic
    password => ******
    ca_file => "/etc/logstash/ca.crt"
    ssl => true
    index => ".siem-signals-default-*"
    query => '{ "query": {"match_all": {} } }'
  }
}

[2020-10-05T19:08:31,693][ERROR][logstash.javapipeline    ][siem-alerts][f3fcdbe13baa32a6b9ce2d0220f354b0bea294eca4667ebb566f8835268d4f48] A plugin had an unrecoverable error. Will restart this plugin.
  Pipeline_id:siem-alerts
  Plugin: <LogStash::Inputs::Elasticsearch password=><password>, ca_file=>"/etc/logstash/ca.crt", hosts=>["https://siem-elasticsearch-01:9200"], query=>"{ \"query\": {\"match_all\": {} } }", index=>".siem-signals-default-*", id=>"f3fcdbe13baa32a6b9ce2d0220f354b0bea294eca4667ebb566f8835268d4f48", user=>"elastic", ssl=>true, enable_metric=>true, codec=><LogStash::Codecs::JSON id=>"json_d77f1e09-08c6-4795-97ae-46f807cb70e1", enable_metric=>true, charset=>"UTF-8">, size=>1000, scroll=>"1m", docinfo=>false, docinfo_target=>"@metadata", docinfo_fields=>["_index", "_type", "_id"]>
  Error: https
  Exception: Manticore::ResolutionFailure
  Stack: /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/response.rb:37:in `block in initialize'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/response.rb:79:in `call'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/response.rb:274:in `call_once'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/manticore-0.6.4-java/lib/manticore/response.rb:158:in `code'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-5.0.5/lib/elasticsearch/transport/transport/http/manticore.rb:84:in `block in perform_request'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/elasticsearch-transport-5.0.5/lib/elasticsearch/transport/transport/base.rb:262:in `perform_request'

That is a DNS resolution failure. It is failing to resolve the hostname "https". Remove the https://
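Added example, not part of the original reply and not the plugin's source code: a small Ruby check that shows why a scheme-prefixed `hosts` entry ends up being resolved as the hostname "https", and what the entry should look like instead. It assumes each entry is handled as "host[:port]" and split on ":", which is consistent with the `Error: https` line in the log above; the function names are hypothetical.

```ruby
# Added illustration, not the plugin's source code.
# Assumption: a hosts entry is treated as "host[:port]" and split on ":",
# which is consistent with the "Error: https" resolution failure above.

# Matches a leading URL scheme such as "https://".
SCHEME = %r{\A[a-z][a-z0-9+.\-]*://}i

# Naive "host:port" split, as assumed above.
def naive_split(entry)
  host, port = entry.split(":")
  { host: host, port: port }
end

# Strip a URL scheme and any trailing path so only host[:port] remains.
def normalize_host(entry)
  entry.sub(SCHEME, "").sub(%r{/.*\z}, "")
end

# Return one finding per hosts entry that carries a scheme.
def lint_hosts(entries)
  entries.select { |e| e =~ SCHEME }.map do |e|
    { entry: e,
      resolved_as: naive_split(e)[:host],
      use_instead: normalize_host(e) }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the hosts value from the pipeline above plus a clean one.
  sample = ["https://siem-elasticsearch-01:9200", "siem-elasticsearch-01:9200"]
  lint_hosts(sample).each do |f|
    puts "#{f[:entry]}: host parsed as #{f[:resolved_as].inspect}, " \
         "use #{f[:use_instead].inspect}"
  end
end
```

With the scheme removed, the connection still uses TLS because the pipeline sets `ssl => true` and `ca_file`.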
