Lostash and arcsight integration

sidhesh_kumar · September 3, 2020, 6:26pm

unable to configure smart connector on logstash

content of logstash.yml

modules:

name: arcsight
var.input.eventbroker.bootstrap_servers: "XXXX.XXXXXX.XXXXX:1515"
var.input.eventbroker.topics: "eb_topic"
var.elasticsearch.hosts: "10.XXX.XXX.XXX:9200"
var.elasticsearch.username: "
var.elasticsearch.password: "pass"
var.kibana.host: "10.XXX.XXX.XXX:443"
var.kibana.username: "<user">
var.kibana.password: "pass"

i am getting below error while setting up arcsight module

[2020-09-03T20:04:58,280][INFO ][logstash.config.modulescommon] Setting up the arcsight module
[2020-09-03T20:04:58,605*][ERROR][logstash.modules.kibanaclient] Error when executing Kibana client request {:error=>#<Manticore::ClientProtocolException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}*
[2020-09-03T20:04:58,744][ERROR][logstash.modules.kibanaclient] Error when executing Kibana client request {:error=>#<Manticore::ClientProtocolException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}
[2020-09-03T20:04:58,846][ERROR][logstash.config.sourceloader] Could not fetch all the sources {:exception=>LogStash::ConfigLoadingError, :message=>"Failed to import module configurations to Elasticsearch and/or Kibana. Module: arcsight has Elasticsearch hosts: ["XX.XXXX.XXXX:9200"] and Kibana hosts: ["XX.XXXX.XXXX:443"]", :backtrace=>["/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/config/modules_common.rb:108:in block in pipeline_configs'", "org/jruby/RubyArray.java:1814:in each'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/config/modules_common.rb:54:in pipeline_configs'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/config/source/modules.rb:14:in pipeline_configs'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/config/source_loader.rb:61:in block in fetch'", "org/jruby/RubyArray.java:2575:in collect'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/config/source_loader.rb:60:in fetch'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/agent.rb:149:in converge_state_and_update'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/agent.rb:97:in execute'", "/tools/logstash/logstash-7.6.2/logstash-core/lib/logstash/runner.rb:369:in block in execute'", "/tools/logstash/logstash-7.6.2/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/task.rb:24:in `block in initialize'"]}

Badger · September 3, 2020, 6:41pm

OK, so it is unable to validate the certificate that is served by the kibana instance. Try setting var.kibana.ssl.certificate_authority, I believe that wants a .crt file.

sidhesh_kumar · September 4, 2020, 5:04am

appreciate you response @badger , should i put this variable in logstash.yml file?

sidhesh_kumar · September 4, 2020, 5:09am

also , i am not sure if i need to create any logstash.conf file after the archsight module is created on logstash , if so then what would be the content of that would look like , i know how to configure input output section for filebeat listeners but for this i have no idea.
i want to create a CEF listner on port 1515
so the steps would be??

start arcsight module ??
create logstash.conf file ??
please guide me here.

Badger · September 4, 2020, 1:23pm

Yes.

sidhesh_kumar · September 4, 2020, 1:38pm

@Badger can you help above query

Badger · September 4, 2020, 1:57pm

No, I have never used modules.

sidhesh_kumar · September 10, 2020, 11:39am

hi @Badger i think this is due to licencing issue
curl -u user:pass -X POST "HOST:9200/_license/start_basic?pretty"
{ "acknowledged" : true, "basic_was_started" : false, "error_message" : "Operation failed: Current license is basic." }
what does this response means. is my basic license started , i see its installed but how can i start it , it fails .

curl -u user:pass -X GET "HOST:9200/_xpack/license"
{ "license" : { "status" : "active", "uid" : "0ead494d-da2a-4d5e-99bb-d8f0a997576e", "type" : "basic", "issue_date" : "2020-06-14T14:44:14.396Z", "issue_date_in_millis" : 1592145854396, "max_nodes" : 1000, "issued_to" : "elasticsearch", "issuer" : "elasticsearch", "start_date_in_millis" : -1 } }

sidhesh_kumar · September 10, 2020, 12:04pm

i also see GET /_license/basic_status, how can i fix this, i am using basic license

{ "eligible_to_start_basic": false }

sidhesh_kumar · October 2, 2020, 10:10am

i just needed to use tcp input in logstash pipeline , its resolved

system · October 30, 2020, 10:10am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.