Logstash ssl configuration for workspace search

Hi,
I set up SSL for Kibana and Workplace Search, and loaded an index into Workplace Search with Logstash.
Then an error message occurred about SSL certification.
Elasticsearch has a setting like the one below, but I couldn't find one for Workplace Search.

output {
  elasticsearch {
    hosts => ["https://..."]
    cacert => '/etc/logstash/config/certs/ca.crt'
  }
}

How can I send data to Workplace Search through SSL?

This is the error log:

[2023-04-11T17:45:18,879][ERROR][logstash.javapipeline    ][main] Pipeline error {:pipeline_id=>"main", :exception=>#<LogStash::ConfigurationError: Failed to connect to Workplace Search. certificate verify failed>, :backtrace=>["/home/search/logstash-8.5.3/vendor/bundle/jruby/2.6.0/gems/logstash-integration-elastic_enterprise_search-2.2.1/lib/logstash/outputs/elastic_workplace_search.rb:49:in `register'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:68:in `register'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:234:in `block in register_plugins'", "org/jruby/RubyArray.java:1865:in `each'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:233:in `register_plugins'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:600:in `maybe_setup_out_plugins'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:246:in `start_workers'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:191:in `run'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/java_pipeline.rb:143:in `block in start'"], "pipeline.sources"=>["/home/search/logstash-8.5.3/conf.d/km/km_knwl_list_ws.conf"], :thread=>"#<Thread:0x5da17cd2 run>"}
[2023-04-11T17:45:18,880][INFO ][logstash.javapipeline    ][main] Pipeline terminated {"pipeline.id"=>"main"}
[2023-04-11T17:45:18,894][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
[2023-04-11T17:45:22,022][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
[2023-04-11T17:45:22,024][WARN ][org.logstash.execution.AbstractPipelineExt] Metric registration error: `input_throughput` could not be registered in namespace `[:stats, :pipelines, :main, :flow]`
[2023-04-11T17:45:22,024][WARN ][org.logstash.execution.AbstractPipelineExt] Metric registration error: `filter_throughput` could not be registered in namespace `[:stats, :pipelines, :main, :flow]`
[2023-04-11T17:45:22,024][WARN ][org.logstash.execution.AbstractPipelineExt] Metric registration error: `output_throughput` could not be registered in namespace `[:stats, :pipelines, :main, :flow]`
[2023-04-11T17:45:22,024][WARN ][org.logstash.execution.AbstractPipelineExt] Metric registration error: `queue_backpressure` could not be registered in namespace `[:stats, :pipelines, :main, :flow]`
[2023-04-11T17:45:22,024][WARN ][org.logstash.execution.AbstractPipelineExt] Metric registration error: `worker_concurrency` could not be registered in namespace `[:stats, :pipelines, :main, :flow]`

and this is my logstash.conf

# KMDEV CoP input index to wsh
input {
  elasticsearch {
    hosts => ["http://192.168.150.140:9200"]
    user => "elastic"
    password => "ksearch"
    index => "km_knwl_list_attached"
    query => '{"query":{"match_all":{}}}'
#      query => '{
#                  "query":{
#                    "range":{
#                      "v_inputdate":{
#                        "gte":"20160101000000",
#                        "lt":"20240101000000"
#                     }
#                   }
#                  }
#               }'
  }
}

filter {
        date {
                match => ["v_inputdate", "yyyyMMddHHmmss","ISO8601"]
        }
}

output {
  stdout { codec =>  "dots"}

#  elasticsearch {
#    hosts => ["http://192.168.150.140:9200"]
#       user => "elastic"
#       password => "ksearch"
#    index => "km_cop_list_attach2"
#    document_id => "%{docid}"
#    pipeline => "kmdev_cop_attach"
#  }

  elastic_workplace_search {
    url => "https://192.168.150.140:3002"
    access_token => "9rzcot34tuymntzenhpnphbu"
    source => "642915ac6b0b6d963951e376"
    document_id => "%{docid}"
#    ssl => "true"
#    cacert => '/home/search/kibana-8.5.3/config/certs/elasticsearch-ca.pem'

  }
}

Thank you for your help.

Hi @Gunbay_Park ,

Looking at the Logstash Workplace Search Output Plugin, there aren't explicit configurations for its SSL usage like there are for Elasticsearch. If you'd like, you could file a GitHub issue in the GitHub repo for this Logstash plugin.

However, I have two options that may work as workarounds.

The first is to use a special environment variable that helps OpenSSL control where it finds certificates on your filesystem.

By setting:

export SSL_CERT_FILE=/path/to/ca.crt

and ensuring that the file is there, OpenSSL can find this cert, which should be picked up by Faraday (the Ruby transport client), which should get picked up by the Workplace Search client that Logstash is using.

If that doesn't work, the next option is to find where the Ruby gem for Workplace Search is installed for your Logstash deployment, and modify its source contents to replace its bundled certificate with your own. Then the Workplace Search client will be sure to pick up your client when it is setting up SSL.

Finally, the last option is to make sure the certificate being used by Workplace Search is signed by a standard Certificate Authority, and not a custom/internal one.

I hope one of those options will work for you!

Thank you Sean,
I tried the first way, adding the export phrase to the Logstash output configuration, but it didn't work.

(base) [search@datamine logstash-8.5.3]$ bin/logstash -f conf.d/gw/vi gw_bbs_list_ws_dev.conf
Using bundled JDK: /home/search/logstash-8.5.3/jdk
ERROR: Unknown command 'gw_bbs_list_ws_dev.conf'

See: 'bin/logstash --help'
[FATAL] 2023-04-12 20:30:12.044 [main] Logstash - Logstash stopped processing because of an error: (SystemExit) exit
org.jruby.exceptions.SystemExit: (SystemExit) exit
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:790) ~[jruby.jar:?]
        at org.jruby.RubyKernel.exit(org/jruby/RubyKernel.java:753) ~[jruby.jar:?]
        at home.search.logstash_minus_8_dot_5_dot_3.vendor.bundle.jruby.$2_dot_6_dot_0.gems.clamp_minus_1_dot_0_dot_1.lib.clamp.command.run(/home/search/logstash-8.5.3/vendor/bundle/jruby/2.6.0/gems/clamp-1.0.1/lib/clamp/command.rb:138) ~[?:?]
        at home.search.logstash_minus_8_dot_5_dot_3.lib.bootstrap.environment.<main>(/home/search/logstash-8.5.3/lib/bootstrap/environment.rb:90) ~[?:?]
(base) [search@datamine logstash-8.5.3]$

So I should try the second way to fix it, but it doesn't look so easy for me.
If you can tell me more details about the second way, I would appreciate it.

This looks to have failed because you typo'd your path to the Logstash conf file. Your command has an unquoted whitespace between conf.d/gw/vi and gw_bbs_list_ws_dev.conf

Yep, this is pretty "advanced." If you don't have confidence in this approach, it may not be a good one for you to take.
You'd need to look at your Logstash deployment, and figure out where the Ruby gems it is utilizing are installed. Then you'd need to change the underlying Ruby code in those gems. I can't provide you explicit instructions because the locations depend on how you're deploying Logstash.

Sorry, I posted the wrong command image.
I ran what you suggested first again.
You mean I should add the export phrase to the Logstash configuration, right?
Then I got a message like the one below.
It says this expression is not right.
I also tried other expressions like '=>' and they didn't work.
Did I do something wrong?

input {
  elasticsearch {
    hosts => ["http://192.168.150.140:9200"]
    user => "elastic"
    password => "ksearch"
    index => "gw_bbs_list_attach_dev"
    query => '{"query":{"match_all":{}}}'
  }
}



output {
  stdout { codec =>  "dots"}


  elastic_workplace_search {
    url => "https://192.168.150.140:3002"
    access_token => "9rzcot34tuymntzenhpnphbu"
    source => "64293bfa6b0b6ddd4058ec3c"
    document_id => "%{article_id}"
    export SSL_CERT_FILE = "/home/search/kibana-8.5.3/config/certs/kibana-server.crt"
  }
}
[2023-04-13T08:09:21,059][ERROR][logstash.agent           ] Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, 
:exception=>"LogStash::ConfigurationError", :message=>"Expected one of [ \\t\\r\\n], \"#\", \"=>\" at line 52, column 12 (byte 1353) after output
 {\n  stdout { codec =>  \"dots\"}\n\n#  elasticsearch {\n#    hosts => [\"http://192.168.150.140:9200\"]\n#\tuser => \"elastic\"\n#\tpassword => \"ksearch\"\n#
    index => \"km_cop_list_attach2\"\n#    document_id => \"%{docid}\"\n#    pipeline => \"kmdev_cop_attach\"\n#  }\n\n  elastic_workplace_search 
{\n    url => \"https://192.168.150.140:3002\"\n    access_token => \"9rzcot34tuymntzenhpnphbu\"  
\n    source => \"64293bfa6b0b6ddd4058ec3c\"\n    document_id => \"%{article_id}\"\n    export ", 
:backtrace=>["/home/search/logstash-8.5.3/logstash-core/lib/logstash/compiler.rb:32:in 
`compile_imperative'", "org/logstash/execution/AbstractPipelineExt.java:182:in `initialize'", 
"org/logstash/execution/JavaBasePipelineExt.java:72:in `initialize'", "/home/search/logstash-
8.5.3/logstash-core/lib/logstash/java_pipeline.rb:48:in `initialize'", "org/jruby/RubyClass.java:911
:in `new'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/pipeline_action/create.rb:50
:in `execute'", "/home/search/logstash-8.5.3/logstash-core/lib/logstash/agent.rb:386:in `block in converge_state'"]}

You should remove this export SSL_CERT_FILE line from the configuration; this does not exist.

What you need is to run this command before you run Logstash, something like this:

$ export SSL_CERT_FILE="/home/search/kibana-8.5.3/config/certs/kibana-server.crt"
$ bin/logstash -f path-to-your-config

Or even using

$ SSL_CERT_FILE="/home/search/kibana-8.5.3/config/certs/kibana-server.crt" bin/logstash -f path-to-your-config

But this only works if you always run Logstash from the command line. If you are running it as a service, you need to add the line below to /etc/default/logstash or /etc/sysconfig/logstash, depending on your Linux distribution:

SSL_CERT_FILE="/home/search/kibana-8.5.3/config/certs/kibana-server.crt"
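An added example (not part of the thread and not the plugin's code): a Ruby check, using the standard openssl library, of whether the file named in SSL_CERT_FILE is set, readable, and actually verifies a given server certificate. The certificates are constructed sample data, `make_cert` and `check_ssl_cert_file` are hypothetical helper names, and Logstash itself runs on JRuby, whose OpenSSL layer may behave differently.

```ruby
require 'openssl'
require 'tempfile'

# Build a throwaway certificate (constructed sample data, not from the thread).
def make_cert(cn, key, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..0xffff_ffff)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Hypothetical helper: classify why SSL_CERT_FILE does or does not let
# server_cert verify. env defaults to the real process environment.
def check_ssl_cert_file(server_cert, env = ENV)
  path = env['SSL_CERT_FILE']
  return [:unset, nil] if path.nil? || path.empty?
  return [:unreadable, path] unless File.readable?(path)
  store = OpenSSL::X509::Store.new
  store.add_file(path) # trust only what this file contains
  store.verify(server_cert) ? [:ok, path] : [:untrusted, store.error_string]
end

# Run the check for each failure mode against one constructed server certificate.
def demo
  ca_key, other_key, srv_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca    = make_cert('Constructed Internal CA', ca_key, ca: true)
  other = make_cert('Constructed Unrelated CA', other_key, ca: true)
  srv   = make_cert('workplace-search.example', srv_key, issuer_cert: ca, issuer_key: ca_key)
  files = [ca, other].map { |c| Tempfile.new(['ca', '.crt']).tap { |f| f.write(c.to_pem); f.flush } }
  {
    unset:    check_ssl_cert_file(srv, {}).first,
    missing:  check_ssl_cert_file(srv, 'SSL_CERT_FILE' => '/nonexistent/ca.crt').first,
    right_ca: check_ssl_cert_file(srv, 'SSL_CERT_FILE' => files[0].path).first,
    wrong_ca: check_ssl_cert_file(srv, 'SSL_CERT_FILE' => files[1].path).first
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the file containing the certificate of the CA that issued the server certificate yields `:ok`; the second element of an `:untrusted` result carries the OpenSSL error string.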

Thank you Leandro.
I was confused about where to run those commands. Forgive my ignorance.
I followed what you said on the Linux command line and ran Logstash with many certificates,
but the error message still says
"Failed to connect to Workplace Search. certificate verify failed"

Does the Logstash development team need to add this function to the plug-in?

Hope you have a nice day.
