Retrying http request, will sleep for X seconds

I configured my logstash.conf file properly in terms of URL and Authorization token however It's still not sending logs and giving me an http request failure like it's not able to communicate. I came to the conclusion that it might've been a certificate issue because when I use

Invoke-WebRequest -Uri "https://127.0.0.1:8088/services/collector" `
>>   -Headers @{"Authorization"="Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"} `
>>   -Method Post `
>>   -Body '{"event": "test event", "sourcetype": "json"}'

In powershell it sends the request and I get this back:

StatusCode        : 200
StatusDescription : OK
Content           : {"text":"Success","code":0}
RawContent        : HTTP/1.1 200 OK
                    X-Content-Type-Options: nosniff
                    Vary: Authorization
                    Connection: Keep-Alive
                    X-Frame-Options: SAMEORIGIN
                    Content-Length: 27
                    Content-Type: application/json; charset=UTF-8
                    Date: Sun...
Forms             : {}
Headers           : {[X-Content-Type-Options, nosniff], [Vary, Authorization], [Connection, Keep-Alive],
                    [X-Frame-Options, SAMEORIGIN]...}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 27

BUT only after I used

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

Because before that I was still getting errors. I don't know how to replicate this in the config file tho since I used ssl_certificate_verification => false and it still doesn't work

Here's my config:

input {
  beats {
    port => 5044
  }
}

output {
  http {
    url => "https://127.0.0.1:8088/services/collector"
    http_method => "post"
    format => "json"
    headers => {
      "Authorization" => "Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"
    ssl => true
    ssl_certificate_verification => false
    }
  }
}

I don't think the http output has every supported that option. logstash should not start up with that configuration.

The elasticsearch output used that option in the past, but both outputs now use ssl_verification_mode, which can be full or none.

Do you know what my issue could be then?

As I said, if you use ssl_certificate_verification => false in your configuration then logstash will fail to startup, and if it is not running then it will not be sending any logs to the destination.

If it is running then look at the logstash logs.

Well the error it was giving me was the failed http request, which is why I said it was ac communication issue which is why I tried to use that line. It didn't crash it though it ran fine besides that error which I was still getting before adding it in so I'm not sure what you're referring to.

My bad, I made an assumption about the configuration you posted without testing it, resulting in me diagnosing the wrong error!

You have

The problem there is that you included

ssl => true
ssl_certificate_verification => false

as headers, not as options on the output. If you reconfigure your pipeline as

output {
  http {
    url => "https://127.0.0.1:8088/services/collector"
    http_method => "post"
    format => "json"
    headers => {
      "Authorization" => "Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"
    }
    ssl => true
    ssl_certificate_verification => false
  }
}

You will get

[ERROR][logstash.outputs.http    ] Unknown setting 'ssl_certificate_verification' for http
[ERROR][logstash.outputs.http    ] Unknown setting 'ssl' for http

and

Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Unable to configure plugins: (ConfigurationError) Something is wrong with your configuration.",

If you change it to

output {
  http {
    url => "https://127.0.0.1:8088/services/collector"
    http_method => "post"
    format => "json"
    headers => {
      "Authorization" => "Splunk ac09103b-7f2e-4767-940d-c8bfa0a84e12"
    }
    ssl_enabled => true
    ssl_verification_mode => none

  }
}

then it should try to connect with TLS and ignore server certificate errors.

1 Like