Logstash unable to connect to SSL-enabled Elasticsearch

I was using Logstash to ingest data into Elasticsearch. But now, after enabling SSL on Elasticsearch (using this) for using alerts & detections, Logstash is unable to connect to Elasticsearch.

A browser or the curl command works all right for the URL https://localhost:9200.

The Logstash error I'm getting is:

[2021-04-08T11:00:03,536][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://elastic:xxxxxx@localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://elastic:xxxxxx@localhost:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}

The Elasticsearch log says:

[2021-04-08T12:22:42,176][WARN ][o.e.x.s.t.n.SecurityNetty4HttpServerTransport] [ZBLR-ENGG-ABHIS] http client did not trust this server's certificate, closing connection Netty4HttpChannel{localAddress=/[0:0:0:0:0:0:0:1]:9200, remoteAddress=/[0:0:0:0:0:0:0:1]:56792}

My Logstash conf file:

input {
    file {
        path => "C:/Users/Abhishek S/Desktop/Data/httpd-access.log"
        start_position => "beginning"
        type => "apache-access"
        # "NUL" discards sincedb state on Windows, so the file is re-read on every run
        sincedb_path => "NUL"
    }
}

filter {
    if [type] == "apache-access" {
        grok {
            match => { "message" => [ "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{USER:username} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:svn_path}(?: HTTP/%{NUMBER:http_version})?|%{DATA:svn_path})\" %{NUMBER:http_response} (?:%{NUMBER:content_length}|-)" ,
                                      "%{IPORHOST:client_ip} %{HTTPDUSER:ident} %{EMAILADDRESS:username} \[%{HTTPDATE:timestamp}\] \"(?:%{WORD:http_method} %{NOTSPACE:svn_path}(?: HTTP/%{NUMBER:http_version})?|%{DATA:svn_path})\" %{NUMBER:http_response} (?:%{NUMBER:content_length}|-)" ] }
        }
        date {
            match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
        mutate {
            remove_field => [ "http_version", "host", "path", "ident", "@version" ]
        }
    }
}

output {
    elasticsearch {
        hosts => "https://localhost:9200"
        index => "httpd_analyis"
        user => "elastic"
        password => "elastic"
    }
    stdout { }
}

Please help me out.
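
Both log lines above report the same event: the client could not build a chain from the server's certificate to a CA it trusts. The following is an added example, not part of the original post, that reproduces that check offline with a constructed demo PKI. It assumes a POSIX shell with the `openssl` CLI and PEM files; the function and file names are hypothetical.

```shell
#!/bin/sh
# Constructed demo PKI standing in for the files created when TLS was enabled:
#   ca.crt    - the private CA that signed the server certificate
#   es.crt    - server certificate for CN=localhost, signed by ca.crt
#   other.crt - an unrelated CA, standing in for a trust store without ca.crt
make_demo_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo ES CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/es.key" -out "$dir/es.csr" 2>/dev/null &&
    openssl x509 -req -in "$dir/es.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1 -out "$dir/es.crt" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null
}

# chains_to CA_BUNDLE SERVER_CERT
# Returns 0 only if SERVER_CERT chains to a CA in CA_BUNDLE. This is the same
# path-building check whose failure a Java client reports as
# "PKIX path building failed".
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# report CA_BUNDLE SERVER_CERT: print the verdict a client using that bundle reaches.
report() {
    if chains_to "$1" "$2"; then
        echo "TRUSTED:   $2 chains to a CA in $1"
    else
        echo "UNTRUSTED: no valid certification path from $2 to $1"
    fi
}

demo=$(mktemp -d)
if make_demo_pki "$demo"; then
    report "$demo/ca.crt" "$demo/es.crt"      # client that was given the signing CA
    report "$demo/other.crt" "$demo/es.crt"   # client whose trust store lacks it
fi
rm -rf "$demo"
```

Pointing `chains_to` at a real CA file and the certificate the server presents tells you whether that CA file is the right one to hand to a client.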
