Rsyslog logs stop when any security is enabled

I have installed ELK 7.17.10 with podman; it works until I turn on security. Even minimal security seems to block rsyslog from being received. What am I missing?

Hello and welcome,

You need to provide more context.

How are you sending your data to Elasticsearch?

It is set up on the server producing the logs, and does work when no security is enabled. It's only when any security, even the bare minimum (passwords), is enabled in ELK that the indices stop being produced.

# elasticsearch
action(type="omelasticsearch"
    name="elasticsearch"
    # index name is taken from the template named in searchIndex
    dynSearchIndex="on"
    errorfile="/var/log/rsyslog/omelasticsearch.log"
    searchIndex="rsyslog-node-index"
    server="logs-devaron-dfw3.ole.redhat.com:9200"
    template="rsyslog-record"
    usehttps="off"
)

Going to give it a few more hours to see if the log rotation may give me something; maybe I am just unlucky in my timing. In the meantime, is there anything I may be missing when security is initially enabled? Makes no sense to me why it would not accept the logs into the server.

So I waited and nothing. I turned off security and bam, logs showed up:
xpack.security.enabled: false
control01-devaron-dfw3.ole.redhat.com-2023.06.13

Where is the username and password to authenticate on Elasticsearch?

If you enable security every request needs to be authenticated.

I do not use rsyslog to send logs to Elasticsearch, so I'm not sure how or whether it is possible to configure it, but you need to specify a username and password.
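For reference, this is what the omelasticsearch action looks like once credentials are added. It is an added example, not configuration from the thread: the hostname, user name, password and template definitions are placeholders and assumptions, and it assumes a dedicated Elasticsearch user whose role grants write and create_index on the rsyslog indices rather than the built-in superuser. The omelasticsearch module sends the uid/pwd pair as HTTP basic authentication on every bulk request, which is exactly what Elasticsearch demands once xpack.security.enabled is true.

```rsyslog
# Added example, not from the thread. Hostname, user, password and the
# two templates are placeholders/assumptions.
module(load="omelasticsearch")

# One JSON document per syslog message (assumed layout).
template(name="rsyslog-record" type="list") {
    constant(value="{")
    constant(value="\"@timestamp\":\"") property(name="timereported" dateFormat="rfc3339")
    constant(value="\",\"host\":\"")    property(name="hostname")
    constant(value="\",\"severity\":\"") property(name="syslogseverity-text")
    constant(value="\",\"tag\":\"")     property(name="syslogtag" format="json")
    constant(value="\",\"message\":\"") property(name="msg" format="json")
    constant(value="\"}")
}

# Index name per host and day, e.g. rsyslog-control01-2023-06-13 (assumed).
template(name="rsyslog-node-index" type="list") {
    constant(value="rsyslog-")
    property(name="hostname")
    constant(value="-")
    property(name="timereported" dateFormat="rfc3339" position.from="1" position.to="10")
}

action(type="omelasticsearch"
    name="elasticsearch"
    server="es.example.invalid"
    serverport="9200"
    usehttps="off"
    # credentials for the dedicated writer user (placeholders)
    uid="rsyslog_writer"
    pwd="CHANGE_ME"
    template="rsyslog-record"
    dynSearchIndex="on"
    searchIndex="rsyslog-node-index"
    bulkmode="on"
    # rejected requests and their responses land here; a 401 or 403 in this
    # file points at missing credentials or an insufficient role
    errorfile="/var/log/rsyslog/omelasticsearch.log"
    # if the cluster's HTTP layer is served over TLS, switch usehttps on and
    # point tls.cacert at the CA that signed the node certificate:
    # usehttps="on"
    # tls.cacert="/etc/rsyslog.d/es-ca.crt"
)
```

The errorfile is the first place to look when indices stop appearing: omelasticsearch writes the failed request together with the Elasticsearch response there, so an authentication failure is visible as a 401/403 rather than silently dropped. Keeping the password in a config file readable only by root (the usual rsyslog.d permissions) is the trade-off for not running the cluster open.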

ah I see thanks!

Is it possible to wildcard or turn off user and password authentication? All I want is transport-layer talk between clusters so I can set up a single consolidation server.

I set the anonymous user with full indices rights and can curl Elasticsearch from the clients. I am able to PUT logs into the index without issue, but the connection from rsyslog doesn't seem to be fully working. What's weird is occasionally logs come in, but it is not consistent. Should the anonymous user basically bypass the need for a username and password? What am I missing?
