I built a single-node Elasticsearch on GCP and a Logstash on the local side. I want to connect the output configuration of Logstash to Elasticsearch.
Info:
Elasticsearch, Kibana, Logstash: 8.6.1.
I set up a static external IP on GCP.
1. Create CA
1-1. Create ssl.yml
vi ssl.yml
instances:
  - name: "poc-elk"
    ip:
      - "<GCP_External_IP>"
      - "<GCP_Internal_IP>"
      - "<Local_logstash_IP>"
    dns:
      - "<GCP_hostname>"
      - "<Local_hostname>"
1-2. Create ca
/usr/share/elasticsearch/bin/elasticsearch-certgen --dn 'CN=elk-ca' --days 7300 --keysize 4096 --in /etc/elasticsearch/certs/ssl.yml --out /etc/elasticsearch/certs/ssl.zip
1-3. unzip ssl.zip
and the catalog structure.
Archive: ssl.zip
creating: ca/
inflating: ca/ca.crt
inflating: ca/ca.key
creating: poc-elk/
inflating: poc-elk/poc-elk.crt
inflating: poc-elk/poc-elk.key
2. elasticsearch.yml on GCP
cluster.name: elk
node.name: node-1
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  key: /etc/elasticsearch/poc-elk.key
  certificate: /etc/elasticsearch/poc-elk.crt
  certificate_authorities: /etc/elasticsearch/ca.crt
cluster.initial_master_nodes: ["node-1"]
http.host: 0.0.0.0
3. logstash.yml on local side
node.name: lgs
path.data: /var/lib/logstash
path.logs: /var/log/logstash
4. logstash output
less /etc/logstash/conf.d/file-test.conf
input {
  file {
    path => "/etc/logstash/conf.d/file-test.txt"
  }
}
output {
  elasticsearch {
    hosts => ["<GCP_External_IP>:9200"]
    user => "elastic"
    password => "<MyPass>"
    ssl => true
    cacert => "/etc/logstash/certs/ca.crt"
  }
}
Test:
echo -n "test123" > /etc/logstash/conf.d/file-test.txt
5. Logstash Error messages
less /var/log/logstash/logstash-plain.log
[2023-02-14T17:49:48,450][INFO ][logstash.outputs.elasticsearch][file-test] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}
[2023-02-14T17:49:48,462][WARN ][logstash.outputs.elasticsearch][file-test] Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://elastic:xxxxxx@<GCP_External_IP>:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://<GCP_External_IP>:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
[2023-02-14T17:49:48,749][WARN ][org.logstash.execution.ShutdownWatcherExt] {"inflight_count"=>0, "stalling_threads_info"=>{"other"=>[{"thread_id"=>34, "name"=>"[file-test]>worker0", "current_call"=>"[...]/vendor/bundle/jruby/2.6.0/gems/stud-0.0.23/lib/stud/interval.rb:95:in `sleep'"}, {"thread_id"=>35, "name"=>"[file-test]>worker1", "current_call"=>"[...]/vendor/bundle/jruby/2.6.0/gems/stud-0.0.23/lib/stud/interval.rb:95:in `sleep'"}]}}
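A check for the PKIX error above, as an added example that is not part of the original post: it tests whether a CA file (such as the one given to `cacert`) actually validates a certificate presented on the HTTPS port. The function names, the second CA and the demo certificates are constructed for illustration, and the script assumes `openssl` is installed.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical, sample certificates are constructed.

# ca_issued CA_FILE CERT_FILE: succeeds only if CERT_FILE verifies against CA_FILE.
# (openssl also consults its default CA directory; a private CA is not in it.)
ca_issued() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# fetch_leaf HOST PORT OUT_FILE: save the certificate the endpoint presents.
fetch_leaf() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM >"$3"
}

# make_demo_certs: build constructed sample data in a temp dir and print its path.
#   cacert.crt   - stands in for the CA file the client trusts
#   other-ca.crt - a different CA, the real issuer of leaf.crt
#   leaf.crt     - stands in for the certificate served on port 9200
make_demo_certs() {
    local d
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=elk-ca" \
        -keyout "$d/cacert.key" -out "$d/cacert.crt" >/dev/null 2>&1 || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=other-ca" \
        -keyout "$d/other-ca.key" -out "$d/other-ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=poc-elk" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$d/leaf.csr" -days 1 -CA "$d/other-ca.crt" \
        -CAkey "$d/other-ca.key" -CAcreateserial -out "$d/leaf.crt" \
        >/dev/null 2>&1 || return 1
    echo "$d"
}

# Demo on the constructed data: only the issuing CA validates the leaf.
demo_dir=$(make_demo_certs)
for ca in cacert.crt other-ca.crt; do
    if ca_issued "$demo_dir/$ca" "$demo_dir/leaf.crt"; then
        echo "$ca: validates leaf.crt"
    else
        echo "$ca: does NOT validate leaf.crt (a Java client reports PKIX path building failed)"
    fi
done
```

Against a live node, `fetch_leaf <GCP_External_IP> 9200 served.crt` followed by `ca_issued /etc/logstash/certs/ca.crt served.crt` runs the same check on the certificate the HTTP layer really serves.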