Hi,
I'm having serious issues when trying to query data from an SSL-enabled ES cluster.
By serious issues, I mean that I have tried different parameters, adding and removing the protocol and port from the hosts array, etc., for hours now. No cigar.
My config looks like this:
```
elasticsearch {
  ca_file => "/etc/logstash/ssl/ca.crt"
  fields => {
    "client_ip"  => "client_ip"
    "client_mac" => "client_mac"
    "hostname"   => "hostname"
  }
  hosts => [ "analyzer03.company.tld" ]
  index => "company-dhcp-2017.12"
  query => "(client_ip:%{src_ip} AND (ID:10 OR ID:11)) OR (client_ip:%{dst_ip} AND (ID:10 OR ID:11))"
  ssl => true
  user => "user1"
  password => "hunter2"
}
```
It produces this error in log:
```
[logstash.filters.elasticsearch] New Elasticsearch filter client {:hosts=>[{:host=>"analyzer03.company.tld", :scheme=>"https"}]}
[logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"company-dhcp-2017.12", :query=>"(client_ip:111.111.11.111 AND (ID:10 OR ID:11)) OR (client_ip:222.222.22.2 AND (ID:10 OR ID:11))", :event=>blablablabla", :error=>#<URI::InvalidURIError: the scheme https does not accept registry part: analyzer03.company.tld:https (or bad hostname?)>}
```
I have tried:
analyzer03
analyzer03.company.tld
https://analyzer03.company.tld
All of those with and without the port as a suffix (:9200).
Only one combination produced a different error:
With this host setting:
https://analyzer03.company.tld:9200
I managed to produce this error:
error=>#Faraday::ConnectionFailed
When looking at Elasticsearch logs, there are no messages relating to this traffic.
The hostname resolves correctly, both analyzer03 and analyzer03.company.tld (they are defined in /etc/hosts), and I can use curl to connect to the cluster just fine.
Any help would be appreciated!
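Added example, not part of the original post and not the Logstash plugin's own code. The wording of the InvalidURIError in the log above is what Ruby's RFC 2396 URI parser raises when the host:port part of a URL does not parse as host plus numeric port and the whole "analyzer03.company.tld:https" string falls into the "registry" slot. The block below reproduces that on the URL shapes the post tried, without touching the network, and adds a hypothetical `normalize_es_host` helper (my naming and logic, not the plugin's) that reports which port a bare hosts entry would actually be dialled on; note that a URL with no explicit port parses to 443, not 9200. The host names are the ones from the post; the inputs are constructed for the example.

```ruby
require 'uri'

# Ruby's RFC 2396 URI parser: the "does not accept registry part" wording in the
# Logstash log is this parser's InvalidURIError for an authority whose host:port
# does not parse (the whole "host:https" string then lands in the registry slot).
RFC2396 = URI::RFC2396_Parser.new

# Report how a full URL is parsed: the host and port a client would dial,
# or the exact parser error if the URL is rejected.
def classify_es_url(url)
  uri = RFC2396.parse(url)
  { status: :ok, scheme: uri.scheme, host: uri.host, port: uri.port }
rescue URI::InvalidURIError => e
  { status: :error, message: e.message }
end

# Hypothetical normalisation helper (assumed for this example, not the Logstash
# plugin's own logic): turn a hosts-array entry into the URL it should resolve
# to, adding the scheme implied by ssl => true/false and the Elasticsearch HTTP
# port when the entry does not name one. Without an explicit port, URI::HTTPS
# falls back to 443, which is not where Elasticsearch normally listens.
def normalize_es_host(entry, ssl: true, default_port: 9200)
  url = entry.include?('://') ? entry : "#{ssl ? 'https' : 'http'}://#{entry}"
  uri = RFC2396.parse(url)
  explicit_port = url.match?(%r{\A[a-z]+://[^/:]+:\d+})
  port = explicit_port ? uri.port : default_port
  { scheme: uri.scheme, host: uri.host, port: port,
    url: "#{uri.scheme}://#{uri.host}:#{port}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the string the log shows the filter built, plus the
  # variants the post says were tried.
  ['https://analyzer03.company.tld:https',
   'https://analyzer03.company.tld',
   'https://analyzer03.company.tld:9200'].each do |url|
    puts "#{url} -> #{classify_es_url(url)}"
  end
  %w[analyzer03 analyzer03.company.tld analyzer03.company.tld:9200].each do |h|
    puts "#{h} -> #{normalize_es_host(h)[:url]}"
  end
end
```

Running this with plain `ruby` needs no Elasticsearch: it separates a URL-construction problem (the parser rejecting "host:https") from a transport problem (Faraday::ConnectionFailed, which only appears once the URL itself is valid), and it makes the 443-versus-9200 default visible for each candidate entry.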