Problem with logstash-filter-elasticsearch when connecting to SSL enabled ES cluster


I'm having serious issues when trying to query data from SSL enabled ES cluster.
By serious issues, I mean that I have tried different parameters, adding and removing protocol and port from hosts-array etc etc for hours now. No cigar.

My config looks like this:

    elasticsearch {
      ca_file => "/etc/logstash/ssl/ca.crt"
      fields => {
        "client_ip" => "client_ip"
        "client_mac" => "client_mac"
        "hostname" => "hostname"
      }
      hosts => [ "" ]
      index => "company-dhcp-2017.12"
      query => "(client_ip:%{src_ip} AND (ID:10 OR ID:11)) OR (client_ip:%{dst_ip} AND (ID:10 OR ID:11))"
      ssl => true
      user => "user1"
      password => "hunter2"
    }

It produces this error in the log:

    [logstash.filters.elasticsearch] New ElasticSearch filter client {:hosts=>[{:host=>"", :scheme=>"https"}]}
    [logstash.filters.elasticsearch] Failed to query elasticsearch for previous event {:index=>"company-dhcp-2017.12", :query=>"(client_iplient_ip: AND (ID:10 OR ID:11)) OR (client_ip: AND (ID:10 OR ID:11))", :event=>blablablabla", :error=>#<URI::InvalidURIError: the scheme https does not accept registry part: (or bad hostname?)>}

I have tried:

All of those with and without the port as a suffix (:9200)

Only one combination produced a different error:
With this host setting:
I managed to produce this error:

When looking at Elasticsearch logs, there are no messages relating to this traffic.

The hostnames resolve correctly, both analyzer03 and (they are defined in /etc/hosts), and I can use curl to connect to the cluster just fine.

Any help would be appreciated!
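Added example (not from the original post or the plugin): a small Ruby check that mirrors how a `hosts` entry becomes an `https://host[:port]` URL when `ssl => true` and parses it with Ruby's strict RFC 2396 URI parser, the stdlib parser that emits the `does not accept registry part ... (or bad hostname?)` error. The URL-building step and the two lint rules are assumptions about the plugin's behaviour, not code taken from it.

```ruby
require 'uri'

# The RFC 2396 parser from Ruby's stdlib treats an authority that is not a
# valid host[:port] as a "registry" part, and URI::HTTPS rejects that with
# "the scheme https does not accept registry part: ... (or bad hostname?)".
STRICT_PARSER = URI::RFC2396_Parser.new

# Assumption: the plugin takes a bare "host[:port]" entry and prefixes the
# scheme chosen by the ssl option.
def build_url(host_entry, ssl: true)
  "#{ssl ? 'https' : 'http'}://#{host_entry}"
end

# Lint one hosts entry the way an operator would before restarting Logstash.
# Returns a hash: :ok, the :url that would be parsed, the parsed :host/:port
# (nil when parsing fails) and a list of :problems found.
def check_host_entry(host_entry, ssl: true)
  problems = []
  problems << 'empty host entry' if host_entry.strip.empty?
  # A scheme inside the entry ends up as a host named "https" (or "http").
  problems << 'contains a scheme; use bare host[:port]' if host_entry =~ %r{\A[a-z]+://}i
  # "_" is allowed in DNS labels by some resolvers but not by the URI grammar.
  problems << "contains '_', not valid in a URI hostname" if host_entry.include?('_')

  url = build_url(host_entry, ssl: ssl)
  begin
    uri = STRICT_PARSER.parse(url)
    { entry: host_entry, ok: problems.empty?, url: url,
      host: uri.host, port: uri.port, problems: problems }
  rescue URI::Error => e
    problems << e.message
    { entry: host_entry, ok: false, url: url,
      host: nil, port: nil, problems: problems }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample entries; the hostnames are illustrative only.
  ['analyzer03:9200', 'analyzer03', 'https://analyzer03:9200', 'analyzer_03:9200'].each do |h|
    r = check_host_entry(h)
    puts "#{h.inspect}: #{r[:ok] ? 'ok' : 'PROBLEM'} #{r[:problems].join('; ')}"
  end
end
```

An entry that fails this check with the registry message will fail the same way inside the filter, while an entry carrying its own scheme passes the parser but with the wrong host, which matches the confusing behaviour of adding or removing the protocol by hand.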
