I was using Logstash to ingest data into Elasticsearch. But now, after enabling SSL on Elasticsearch (using this) for alerts & detections, Logstash is unable to connect to Elasticsearch.
A browser or the curl command works fine for the URL https://localhost:9200.
The Logstash error I'm getting is:
[2021-04-08T11:00:03,536][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
The Elasticsearch log says:
[2021-04-08T12:22:42,176][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [ZBLR-ENGG-ABHIS] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9200, remoteAddress=/[0:0:0:0:0:0:0:1]:56792}
My Logstash conf file:
input {
  file {
    path => "C:/Users/Abhishek S/Desktop/Data/httpd-access.log"
    start_position => "beginning"
    type => "apache-access"
    sincedb_path => "NUL"
  }
}
filter {
  if [type] == "apache-access" {
    grok {
      match => { "message" => [ "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{USER:username} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:svn_path}(?: HTTP/%{NUMBER:http_version})?|%{DATA:svn_path})\" %{NUMBER:http_response} (?:%{NUMBER:content_length}|-)" ,
        "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{EMAILADDRESS:username} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:svn_path}(?: HTTP/%{NUMBER:http_version})?|%{DATA:svn_path})\" %{NUMBER:http_response} (?:%{NUMBER:content_length}|-)"
      ]
      }
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    }
    mutate {
      remove_field => [ "http_version", "host", "path", "ident", "@version" ]
    }
  }
}
output {
  elasticsearch {
    hosts => "https://localhost:9200"
    index => "httpd_analyis"
    user => "elastic"
    password => "elastic"
  }
  stdout { }
}
Please help me out.
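
The PKIX error above means the JVM running Logstash has no trusted CA for the certificate Elasticsearch now presents on port 9200. As an added example (not part of the original post), here is the same output block with the CA supplied through the elasticsearch output plugin's `cacert` option; the CA file path is a placeholder assumption, and every other value is copied from the config above.

```logstash
output {
  elasticsearch {
    hosts => "https://localhost:9200"
    index => "httpd_analyis"
    user => "elastic"
    password => "elastic"
    # Placeholder path (assumption): PEM file of the CA that signed the
    # certificate Elasticsearch serves on port 9200.
    cacert => "C:/path/to/elasticsearch-ca.pem"
    # Verification stays on (the default). Turning it off would silence the
    # PKIX error but leave the server's identity unchecked.
    ssl_certificate_verification => true
  }
  stdout { }
}
```

If the CA exists only inside a PKCS#12 or JKS store, the same plugin accepts `truststore` and `truststore_password` in place of `cacert`.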