Logstash is not able to connect to Elasticsearch

I am trying to run Logstash but am getting the error below:

./logstash -f /etc/logstash/conf.d/abc.conf
WARNING: Could not find logstash.yml which is typically located in $LS_HOME/config or /etc/logstash. You can specify the path using --path.settings. Continuing using the defaults
Could not find log4j2 configuration at path /opt/logstash/config/log4j2.properties. Using default config which logs errors to the console
[WARN ] 2021-08-23 02:30:48.978 [LogStash::Runner] multilocal - Ignoring the 'pipelines.yml' file because modules or command line options are specified
[INFO ] 2021-08-23 02:30:48.993 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"6.8.6"}
[INFO ] 2021-08-23 02:30:57.957 [Converge PipelineAction::Create<main>] pipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>20, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50}
[INFO ] 2021-08-23 02:30:58.497 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/, https://elastic:xxxxxx@nj2pelkap02.dmz.lava:9200/, https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/, https://elastic:xxxxxx@nj2pelkap04.dmz.lava:9200/]}}
[WARN ] 2021-08-23 02:30:58.968 [[main]-pipeline-manager] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/][Manticore::ClientProtocolException] Received fatal alert: handshake_failure"}


Can you curl nj2pelkap04.dmz.lava:9200 from the Logstash host?

curl: (52) Empty reply from server

Can you connect to Elasticsearch at all from elsewhere?

I am able to launch Kibana URL from one of the servers (Kibana is configured on only one server). ES is on 4 servers: 3 master node 1 data node

I have just now opened elasticsearch.log and found an error like the one below:
caught exception while handling client http traffic, closing connection [id: 0xda4a5c2f, L:0.0.0.0/0.0.0.0:9200 ! R:/10.99.97.91:34642]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-codec-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434) [netty-transport-4.1.32.Final.jar:4.1.32.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerCont
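
One way to read the two log excerpts above side by side, as an added example that is not part of any post in this thread: the Logstash WARN line carries the TLS alert the client received, and the Elasticsearch exception carries the server's reason plus the client address. The sample lines are copied from the logs quoted above; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the logs quoted in this thread.
LOGSTASH_LOG = '''[WARN ] 2021-08-23 02:30:58.968 [[main]-pipeline-manager] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@xxxxxx.xxx.xxx:9200/][Manticore::ClientProtocolException] Received fatal alert: handshake_failure"}'''
ES_LOG = '''caught exception while handling client http traffic, closing connection [id: 0xda4a5c2f, L:0.0.0.0/0.0.0.0:9200 ! R:/10.99.97.91:34642]
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: no cipher suites in common'''

ALERT_RE = re.compile(r':url=>"(?P<url>[^"]+)".*Received fatal alert: (?P<alert>\w+)')
PEER_RE = re.compile(r'closing connection \[id: \S+ L:\S+ ! R:/(?P<ip>[\d.]+):\d+\]')
SSL_RE = re.compile(r'javax\.net\.ssl\.SSLHandshakeException: (?P<reason>.+)$')

def client_alerts(text):
    """Logstash side: (endpoint with credentials stripped, TLS alert name)."""
    found = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            # Drop the user:password@ part so it never reaches a ticket or chat.
            found.append((re.sub(r'//[^/@]+@', '//', m['url']), m['alert']))
    return found

def server_failures(text):
    """Elasticsearch side: client IP -> list of handshake failure reasons.
    The peer address is on the 'closing connection' line and the reason is on
    the exception line that follows, so the last peer seen is remembered."""
    found, peer = defaultdict(list), None
    for line in text.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m['ip']
            continue
        m = SSL_RE.search(line)
        if m and peer:
            found[peer].append(m['reason'].strip())
            peer = None  # ignore repeated 'Caused by' lines of the same trace
    return dict(found)

def triage(logstash_text, es_text):
    failures = server_failures(es_text)
    # 'no cipher suites in common' means the server could not select a cipher
    # suite from the client's offer, so the handshake stopped at negotiation.
    negotiation = any('no cipher suites in common' in r
                      for reasons in failures.values() for r in reasons)
    return {'client_alerts': client_alerts(logstash_text),
            'server_failures': failures,
            'cipher_negotiation_failure': negotiation}

if __name__ == '__main__':
    print(triage(LOGSTASH_LOG, ES_LOG))
```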

This problem may occur when you use the configuration method from the official documentation; I have encountered it before.

What did you try to solve the problem?

This is a TLS error; it seems to be a certificate issue.

What is your elasticsearch output in the logstash config you are using? Please share it.

output {
  if "_grokparsefailure" not in [tags] and "_dateparsefailure" not in [tags] {
    elasticsearch {
      hosts => ["https://aaaaaaaaa:9200", "https://bbbbbbbbbb:9200", "https://ccccccccc:9200", "https://dddddddddd:9200"]
      manage_template => false
      ssl => true
      ssl_certificate_verification => true
      #cacert => "/etc/logstash/ssl/cacerts/abcd.pem"
      cacert => '/etc/logstash/ssl/certs/ca/ca.crt'
      user => "logstash_writer"
      password => "${logstash.writer.password}"
    }
  }
}

You can try extracting the Logstash certificate for ES with the following commands.
Then replace ca.crt with logstash.pem.

openssl pkcs12 -in elastic-stack-ca.p12 -clcerts -nokeys > logstash.cer
openssl x509 -in logstash.cer -out logstash.pem -days 1095

openssl pkcs12 -in elastic-stack-ca.p12 -clcerts -nokeys > logstash.cer

Error opening input file elastic-stack-ca.p12

elastic-stack-ca.p12: No such file or directory

This is a relative path, or you can use an absolute path.
