Rsyslog logs stop when any security is enabled

Ryan_Caputo · June 13, 2023, 12:19pm

I have installed ELK 7.17.10 with podman, it works until I turn on security, even minimal security seems to block rsyslog from being received. What am I missing?

leandrojmp · June 13, 2023, 1:05pm

Hello and welcome,

You need to provide more context.

How are you sending your data to Elasticsearch?

Ryan_Caputo · June 13, 2023, 6:47pm

it is set up in the server producing the logs, and does work when no security is enabled...its only when any security, even the bare minimum, (passwords) is enabled in elk, the indices stop being produced

Blockquote

# elasticsearch
action(type="omelasticsearch"
    name="elasticsearch"
    dynSearchIndex="on"
    errorfile="/var/log/rsyslog/omelasticsearch.log"
    searchIndex="rsyslog-node-index"
    server="logs-devaron-dfw3.ole.redhat.com:9200"
    template="rsyslog-record"
    usehttps="off"

Going to give it a few more hours to see if the log rotation may give me something, maybe I am just unlucky in my timing. In the meantime is there anything I am missing when security is initially enable I may be missing? Makes no sense to me why it would not accept the logs into the server

Ryan_Caputo · June 13, 2023, 8:46pm

So I waited and nothing, I turned off security and bam logs showed up
xpack.security.enabled: false
control01-devaron-dfw3.ole.redhat.com-2023.06.13

leandrojmp · June 13, 2023, 10:30pm

Ryan_Caputo:

# elasticsearch
action(type="omelasticsearch"
    name="elasticsearch"
    dynSearchIndex="on"
    errorfile="/var/log/rsyslog/omelasticsearch.log"
    searchIndex="rsyslog-node-index"
    server="logs-devaron-dfw3.ole.redhat.com:9200"
    template="rsyslog-record"
    usehttps="off"

Where is the username and password to authenticate on Elasticsearch?

If you enable security every request needs to be authenticated.

I do not use rsyslog to send logs to Elasticsearch, so I'm not sure on how or if it is possible to configure it, but you need to specify username and password.

Ryan_Caputo · June 14, 2023, 3:52am

ah I see thanks!

Ryan_Caputo · June 21, 2023, 9:22pm

Is it possible to wildcard or turn off user and password authentication?..all I want it transport layer talk between clusters so I can set up a single consolidation server.

Ryan_Caputo · June 28, 2023, 2:04pm

I set the anonymous user with full inicies rights and can curl Elasticsearch from the clients, I am able to PUT logs into the index without issue but connection from rsyslog doesn't seem to be fully working. Whats weird is occasionally logs come in but it is not consistent. Should the anonymous basically bypass the need for a username and password? What am I missing?

system · July 26, 2023, 2:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cannot log to logstash when xpack security is enabled Logstash elastic-stack-security	9	415	September 1, 2020
Elasticsearch seems not to receive logs from logstash Logstash	1	197	June 29, 2021
ELK security 401 Elasticsearch elastic-stack-security , docker	3	856	October 27, 2021
Unable to send logs to elasticsearch from .Net 8 using serilog when security is enabled Elasticsearch elastic-stack-security	3	524	April 24, 2024
Rsyslog with redis => ELK is not showing any logs Kibana	2	353	March 17, 2022

Rsyslog logs stop when any security is enabled

Related topics