Logstash monitoring security setup

We're trying to learn how to setup TLS on elastic. We have a 1 node stack with version 6.6.1, working on getting logstash setup. All output is in pipelines. Getting this error at startup:

[WARN ][logstash.outputs.elasticsearch] ** WARNING ** Detected UNSAFE options in elasticsearch output configuration!
** WARNING ** You have enabled encryption but DISABLED certificate verification.
** WARNING ** To make sure your data is secure change :ssl_certificate_verification to true

That seems to be the default and I don't have ssl_certificate_verification anywhere in the config (verified by grep -ri) . I think it may be from something in the xpack.monitoring config, but I have nothing there for verification either.

Any ideas?

Not sure what side is causing your error, so I will answer for both the input and the output.

For your input:

input { 
  tcp { 
    id => "blah"
    codec => "json"
    port => 5044
    type => "log-file"
    ssl_verify => true
    ssl_enable => true
    ssl_key => "/etc/logstash/logstash.key"
    ssl_cert => "/etc/logstash/logstash.crt"

For the output:

output {
	elasticsearch {
		ssl => true
		cacert => "/etc/logstash/cert.crt"
		hosts => [ "https://elasticsearch.com/URL:9200" ]
		ssl_certificate_verification => true
		codec => "json"
		action => "index"
		index => "%{indexname}"
		id => "log-file"

Hmm, now that I look at it, I think that you only need to add the ssl_certificate_verification => true to your output. But you would have to be using a verified cert.

Well, I had read the doc :-).... if you are using an "httpS" url, then ssl => becomes true based on the url and ssl_certificate_validation defaults to true, so I left them out.

Adding these to all my pipelines didn't eliminate the error.

Are your logs not making it to Elasticsearch?

You can try setting the ssl_certificate_verification => false
If you read the last message on this git issue it says that the traffic should still be going through:

I don't have SSL setup in my test environment right now, so I am not able to test this, but I do have it running in prod.

I honestly hadn't expected any traffic yet since I hadn't updated the beats for tls, but yes, there is traffic getting thru from winlogbeat test systems and monitoring data, so it's just a nag warning message and it appears to only happen at startup. If the pipelines are unhealthy, they can produce continuous messages.

At this point, I'm OK for my dev environment, when we get our contracts in place, I can open a support case :slight_smile:


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.