Problem with logstash-filter-elasticsearch when connecting to SSL enabled ES cluster

Hi,

I'm having serious issues when trying to query data from an SSL-enabled ES cluster.
By serious issues, I mean that I have tried different parameters, adding and removing the protocol and port from the hosts array, etc., for hours now. No cigar.

My config looks like this:

    elasticsearch {
      ca_file => "/etc/logstash/ssl/ca.crt"
      fields => {
        "client_ip" => "client_ip"
        "client_mac" => "client_mac"
        "hostname" => "hostname"
      }
      hosts => [ "analyzer03.company.tld" ]
      index => "company-dhcp-2017.12"
      query => "(client_ip:%{src_ip} AND (ID:10 OR ID:11)) OR (client_ip:%{dst_ip} AND (ID:10 OR ID:11))"
      ssl => true
      user => "user1"
      password => "hunter2"
    }

It produces this error in the log:

    [logstash.filters.elasticsearch] New Elasticsearch filter client {:hosts=>[{:host=>"analyzer03.company.tld", :scheme=>"https"}]}
    [logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"company-dhcp-2017.12", :query=>"(client_iplient_ip:111.111.11.111 AND (ID:10 OR ID:11)) OR (client_ip:222.222.22.2 AND (ID:10 OR ID:11))", :event=>blablablabla", :error=>#<URI::InvalidURIError: the scheme https does not accept registry part: analyzer03.company.tld:https (or bad hostname?)>}

I have tried:

    analyzer03
    analyzer03.company.tld
    https://analyzer03.company.tld

All of those with and without the port as a suffix (:9200).

Only one combination produced a different error. With this host setting:

    https://analyzer03.company.tld:9200

I managed to produce this error:

    error=>#Faraday::ConnectionFailed

When looking at Elasticsearch logs, there are no messages relating to this traffic.

The hostname resolves correctly, both analyzer03 and analyzer03.company.tld (they are defined in /etc/hosts), and I can use curl to connect to the cluster just fine.

Any help would be appreciated!
