Logstash SSL configuration problem

Aljaz_Gantar · May 6, 2016, 12:09pm

Okei so i have this case:
I have tree server which are running the whole stack, and they are set up so:
Filebeat => Logstash => Elasticsearch/Kibana

And I successfully configured that the Filebeat sends logs from his server all too the Elasticksearch/Kibana without any security. But now I would like to use SSL to secure the connection between those servers. What I did so far I could create a self signed certificate on the Logstash server and copied the Filebeat server so that he can verify that thats the correct server so Filebeat => Logstash works. What I could not get to working is Logstash => Elasticsearch/kibana It writes an error in the logs really late, like it waits filebeat to first send the logs and than it gets and error.

So my question is, how do I correctly configure that Logstash so it can communicate with the Elasticsearch/kibana sever with SSL correctly?

So here is my config from Logstash:

input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

output {
elasticsearch {
hosts => "123.123.123:9200" #please ignore the random IP
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
ssl => true
ssl_certificate_verification => true
}
}

Here is part of the errorlog:

{:timestamp=>"2016-05-06T12:06:20.808000+0000", :message=>"Attempted to send a bulk request to Elasticsearch configured at '["https://12.12.12.12:9200/"]', but an error occurred and it failed! Are you sure you can reach elasticsearch from this machine using the configuration provided?", :client_config=>{:hosts=>["https://12.12.12.12:9200/"], :ssl=>{}, :transport_options=>{:socket_timeout=>0, :request_timeout=>0, :proxy=>nil, :ssl=>{}}, :transport_class=>Elasticsearch::Transport::Transport::HTTP::Manticore, :logger=>nil, :tracer=>nil, :reload_connections=>false, :retry_on_failure=>false, :reload_on_failure=>false, :randomize_hosts=>false}, :error_message=>"SSL peer shut down incorrectly", :error_class=>"Manticore::ClientProtocolException", :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:35:in initialize'", "org/jruby/RubyProc.java:271:incall'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:70:in call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:245:incall_once'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:148:in code'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/http/manticore.rb:71:inperform_request'", "org/jruby/RubyProc.java:271:in call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/base.rb:191:inperform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/http/manticore.rb:54:in perform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/client.rb:119:inperform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-api-1.0.14/lib/elasticsearch/api/actions/bulk.rb:87:in bulk'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:56:inbulk'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:353:in submit'", "org/jruby/ext/thread/Mutex.java:149:insynchronize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:350:in submit'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:382:inflush'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.22/lib/stud/buffer.rb:219:in buffer_flush'", "org/jruby/RubyHash.java:1342:ineach'", java/lib/logstash/outputs/elasticsearch.rb:343:in receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/outputs/base.rb:80:inhandle'", "(eval):22:in output_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:252:inoutputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:169:in `start_outputs'"], :level=>:error}

mnhan · May 6, 2016, 1:12pm

Is elasticsearch running shield or running behind a ssl proxy? If not elasticsearch isn't using ssl so your logstash config to output to es will error.

Aljaz_Gantar · May 6, 2016, 1:24pm

my Elasticsearch/kibana is runing nginx with SSL yes.

mnhan · May 6, 2016, 1:28pm

then your output host should point to the proxy address and not es on 9200, it should be https://<proxy>/<proxy location> . You may also need certificate to be configure in the elasticsearch output section.

Aljaz_Gantar · May 6, 2016, 2:50pm

So you mean like:

output {
elasticsearch {
hosts => "https:domain.com:443"

?

mnhan · May 6, 2016, 3:12pm

If you are are proxying elasticsearch:9200 at / then yes you can configure it that way.

and hosts would be hosts => "https://esserver:443" or just "https://esserver"

Aljaz_Gantar · May 9, 2016, 9:13am

So I tried to do it like you said, just writing the domainname too hosts but than I got an Ruby error, so than I tried to enter the certificates from my Elasticsearch/Kibana server and after that I got another shorter error.

timestamp=>"2016-05-09T09:12:20.383000+0000", :message=>"The error reported is: \n undefined method `toCharArray' for nil:NilClass"

This is my config now:
input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

output {
elasticsearch {
hosts => "https://domain.com"
ssl => true
keystore => /etc/logstash/ssl/somecerts.key
truststore => /etc/logstash/ssl/somecerts.crt
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

Aljaz_Gantar · May 9, 2016, 11:58am

Okei, I found another documentation and tried it this way:

input {
beats {
port => 5044
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

output {
elasticsearch {
hosts => "https://domain.com"
ssl => true
cacert => '/etc/logstash/ssl/cert.pem'
manage_template => false
index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
document_type => "%{[@metadata][type]}"
}
}

but than I got this error:
timestamp=>"2016-05-09T11:58:06.268000+0000", :message=>"Failed to flush outgoing items", :outgoing_count=>1, :exception=>"Manticore::ClientProtocolException", :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:35:in initialize'", "org/jruby/RubyProc.java:271:incall'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:70:in call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:245:incall_once'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/manticore-0.4.4-java/lib/manticore/response.rb:148:in code'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/http/manticore.rb:71:inperform_request'", "org/jruby/RubyProc.java:271:in call'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/base.rb:191:inperform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/transport/http/manticore.rb:54:in perform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-transport-1.0.14/lib/elasticsearch/transport/client.rb:119:inperform_request'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/elasticsearch-api-1.0.14/lib/elasticsearch/api/actions/bulk.rb:87:in bulk'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch/http_client.rb:56:inbulk'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:353:in submit'", "org/jruby/ext/thread/Mutex.java:149:insynchronize'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:350:in submit'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:382:inflush'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.22/lib/stud/buffer.rb:219:in buffer_flush'", "org/jruby/RubyHash.java:1342:ineach'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.22/lib/stud/buffer.rb:216:in buffer_flush'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/stud-0.0.22/lib/stud/buffer.rb:159:inbuffer_receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-2.1.2-java/lib/logstash/outputs/elasticsearch.rb:343:in receive'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/outputs/base.rb:80:inhandle'", "(eval):22:in output_func'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:252:inoutputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.0.0-java/lib/logstash/pipeline.rb:169:in `start_outputs'"], :level=>:warn

mnhan · May 9, 2016, 1:52pm

Are there any errors that you see in the elasticsearch logs. Logstash isn't able to send all the data to elasticsearch.

Aljaz_Gantar · May 10, 2016, 7:41am

This is something to do with the SSL connection, I dont know what?

Could you please give me a example how do I do the SSL connection to my domain with certificates.
Lets just say my domain is https://domain.com and have the certificates from nginx in /etc/pki/ssl/cert.crt/cert.key

How should I configure than my output { ??

Bhavana · February 1, 2017, 5:14pm

Hello ,

I am facing the similar issue now,

ES version - 2.3.5 , Logstash - 2.4

'Attempted to send bulk request to Elasticsearch, configured at ["xxxx.com:9200"] , An error occurred and it failed! Are you sure you can reach elasticsearch from this machine using the configuration provided ? "SSL peer shut down incorrectly", Manticore::ClientProtocolException logstash"'

My logstash Output section:

output
{
stdout { codec => rubydebug }
stdout { codec => json }
elasticsearch
{
user => "xxxx"
password => "xxx"
index => "wrike_jan"
document_type => "data"
hosts => ["xxxx.com:9200"]
ssl => true
ssl_certificate_verification => false
truststore => "elasticsearch-2.3.5/config/truststore.jks"
truststore_password => "83dfcdddxxxxx"
}
}
Logstash file is executed , but it is failing to send the data to ES.

could you please suggest , thank you