Logstash-filter-elasticsearch URI parsing error when ssl set to true

zhaider · January 10, 2019, 10:33pm

This is my plugin config:

   elasticsearch {
        hosts => [ "${LS_ES_HOST1}" ]
        user     => "${LS_ES_USER}"
        password => "${LS_ES_PASSWORD}"
        ssl      => true
        ca_file   => "${LS_ES_CACERTS}"
        index => "cmx_customers"
        query => "cmx_cdir:%{[cdir]}"
        fields => { "customer_name" => "cmx_customer_name" }
    }

When I try to use this filter to run a query against an ES cluster that has SSL enabled, I get the following errors when the plugin is loaded:

2019-01-10T16:26:13,542][INFO ][logstash.filters.elasticsearch] New ElasticSearch filter client {:hosts=>[{:host=>"9.42.83.106:9200", :scheme=>"https"}]}
[2019-01-10T16:26:13,543][INFO ][logstash.filters.elasticsearch] New ElasticSearch filter client {:hosts=>[{:host=>"9.42.83.106:9200", :scheme=>"https"}]}
...
...
[2019-01-10T16:26:13,753][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"cmx_customers", :query=>"cmx_cdir:CFO", :event=>#LogStash::Event:0x4504eb02, :error=>"#<URI::InvalidURIError: bad URI(is not URI?): https://{:host=>"9.42.83.106:9200", :scheme=>"https"}:https>"}

As seen above it's enclosing the hostname within quotes ("), and is probably barfing on that. This does not happen when ssl => false. Interestingly, on each subsequent run, the hostname=> gets recursively appended to the error message resulting in something like this:

[2019-01-10T16:26:15,559][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"cmx_customers", :query=>"cmx_cdir:CC6", :event=>#LogStash::Event:0x39987564, :error=>"#<URI::InvalidURIError: bad URI(is not URI?): https://{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>
...
...
{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>{:host=>"9.42.83.106:9200", :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :protocol=>"https", :port=>0}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https"}, :scheme=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0},
...
...
:scheme=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https"}, :scheme=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>"https"}, :scheme=>"https", :protocol=>"https", :port=>0}, :scheme=>"https"}, :scheme=>"https"}:https>"}

I am new to the forums and searched this issue but I am surprised no one has ever run into this? I am using version 6.5 of everything.

Would appreciate any help or pointers on how to resolve this.

Chris_Lyons · January 10, 2019, 11:09pm

Specify all hosts with their https:// prefix and do not specify the ssl attribute.

zhaider · January 23, 2019, 9:03pm

Thanks. This works correctly in the following cases:

Local logstash 6.5.4 to elastic 6.5.4
Local logstash 6.5.4 to elastic 6.4.x (single staging node)
Local logstash 6.5.4 to elastic 6.4.x (production cluster with 2 data, 3 master, and 2 ingest nodes)
Staging logstash 6.4.3 to elastic staging 6.4.x

However, I am having a problem successfully querying the index field when running from a production logstash 6.4.3 instance to our production ES cluster. I get the following error:

[2019-01-23T17:53:10,416][WARN ][logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"cmx_customers", :query=>"cmx_cdir:Q21", :event=>#LogStash::Event:0x431e79f3, :error=>#Faraday::SSLError}

I know the cmx_customers index exists and the cmx_cdir field with that value exists. The filter configuration works when querying from that es instance from my local logstash (6.5.x).

Any insights?

Chris_Lyons · January 25, 2019, 10:54pm

Off the top of my head no. Do the debug logs give you any more detail? I did run into an issue a while back where I had to change the hostnames in the url to the actual IP addresses as it was causing certificate failures....which produce the Faraday::SSLError message

zhaider · January 27, 2019, 6:07pm

I am already using actual IP addresses.

I don't see any additional information in the logstash-plain.log. I am not running with the --verbose or -debug options. Is there another log file I should be looking at that contains additional debug info?
I did see somewhere that the error logging was improved after 6.4.3 so I might just update the plugin version and see if it gives me a better error message.

Interestingly, I was helping out someone else use this filter plugin and they were seeing the same issue when running on a Mac OS connecting to the same ES cluster, but when I ran the exact same config from my RHEL 7.5 it works! So the plugin has no issue running from my RHEL machine but not from the RHEL logstash collector or from that person's OSX machine.

system · February 24, 2019, 6:07pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Problem with logstash-filter-elasticsearch when connecting to SSL enabled ES cluster Logstash	1	775	January 11, 2018
Logstash Elasticsearch filter Bad URI Exception Logstash	10	338	February 11, 2023
Elastic search filter plugin secured Logstash	2	475	April 12, 2018
Error connecting to secured ES cluster from logstash.filters.elasticsearch Logstash	1	626	May 31, 2019
Elasticsearch filter, ca_file problem Logstash	2	268	November 13, 2022

Logstash-filter-elasticsearch URI parsing error when ssl set to true

Related topics