When security is disabled, they are talking via TCP (the 10.x address is the remote host sending rsyslog to ELK and the 3.x address is the ELK server):
21:50:01.334042 tun0 Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [S], seq 520455032, win 64800, options [mss 1350,sackOK,TS val 1111856841 ecr 0,nop,wscale 7], length 0
21:50:01.388741 tun0 In IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [S.], seq 3257028177, ack 520455033, win 62643, options [mss 1350,sackOK,TS val 3883257497 ecr 1111856841,nop,wscale 7], length 0
21:50:01.388765 tun0 Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [.], ack 1, win 507, options [nop,nop,TS val 1111856896 ecr 3883257497], length 0
21:50:01.388909 tun0 Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [P.], seq 1:111, ack 1, win 507, options [nop,nop,TS val 1111856896 ecr 3883257497], length 110
21:50:01.449930 tun0 In IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [.], ack 111, win 489, options [nop,nop,TS val 3883257557 ecr 1111856896], length 0
21:50:01.449944 tun0 Out IP 10.226.28.173.53286 > 3.133.215.55.5044: Flags [P.], seq 111:1112, ack 1, win 507, options [nop,nop,TS val 1111856957 ecr 3883257557], length 1001
21:50:01.466175 tun0 In IP 3.133.215.55.5044 > 10.226.28.173.53286: Flags [R.], seq 1, ack 111, win 489, options [nop,nop,TS val 3883257575 ecr 1111856896], length 0
But I can't find the remote test host within Kibana. I suspect I need to enable security; I will need to do it eventually anyway. But when I enable security as per:
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
systemctl status elasticsearch
× elasticsearch.service - Elasticsearch
Loaded: loaded (/lib/systemd/system/elasticsearch.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2022-12-08 22:27:24 UTC; 17min ago
Docs: https://www.elastic.co
Process: 8565 ExecStart=/usr/share/elasticsearch/bin/systemd-entrypoint -p ${PID_DIR}/elasticsearch.pid --quiet (code=exited, status=1/FAILURE)
Main PID: 8565 (code=exited, status=1/FAILURE)
CPU: 5.684s
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: ^
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: at org.yaml.snakeyaml.parser.ParserImpl$ParseBlockMappingKey.produce(ParserImpl.java:679)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: at org.yaml.snakeyaml.parser.ParserImpl.peekEvent(ParserImpl.java:185)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: at org.yaml.snakeyaml.parser.ParserImpl.getEvent(ParserImpl.java:195)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: at com.fasterxml.jackson.dataformat.yaml.YAMLParser.nextToken(YAMLParser.java:355)
Dec 08 22:27:24 ip-172-31-35-85 systemd-entrypoint[8565]: ... 14 more
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Main process exited, code=exited, status=1/FAILURE
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Failed with result 'exit-code'.
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: Failed to start Elasticsearch.
Dec 08 22:27:24 ip-172-31-35-85 systemd[1]: elasticsearch.service: Consumed 5.684s CPU time.
tail -f on the logs shows nothing. Nothing. It's like it crashes before it can write a log.
I did a "chown -R elasticsearch:elasticsearch /usr/share/elasticsearch" but it made no difference.
What else can I try?
Ubuntu 22.04, following this tutorial.
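The stack trace in the systemd output ends in snakeyaml's ParserImpl$ParseBlockMappingKey, which is the YAML parser failing while Elasticsearch reads its configuration (most likely elasticsearch.yml), before logging is set up; that is consistent with the empty log file. The lines that journalctl -u elasticsearch --no-pager prints just above the caret ("^") give the file line and column of the offending token. The following is an added pre-flight check, not code from the poster or the tutorial: it reads an elasticsearch.yml as the flat "dotted.key: value" mapping it normally is, reports the mistakes that typically produce a block-mapping parse error (tabs in indentation, an indented line with no parent key, "key:value" with no space, duplicate keys) and then reports the effective xpack.security settings. The function names and the two sample configs are constructed for this example; it is a heuristic, not a full YAML parser, so a clean result does not prove the file is valid YAML. Elasticsearch 8.x enables xpack.security by default when the key is absent; the poster's version is not stated.

```python
"""Pre-flight checks for elasticsearch.yml before restarting the service.

Added example, not part of the original post. Heuristic only: it covers the
common hand-editing mistakes behind snakeyaml "block mapping" parse errors.
"""
import re
import sys
from typing import Dict, List, Tuple

# A top-level elasticsearch.yml line is normally "dotted.key: value", or
# "dotted.key:" introducing an indented block (a list or nested mapping).
KEY_LINE = re.compile(r"^([A-Za-z0-9_.\-]+):(?:\s+(.*))?$")


def lint_es_yaml(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (top-level settings, problems) for the text of an elasticsearch.yml."""
    settings: Dict[str, str] = {}
    problems: List[str] = []
    in_block = False  # True while inside an indented block under a bare "key:"
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        body = line.lstrip()
        leading = line[: len(line) - len(body)]
        if not body or body.startswith("#"):
            continue
        if "\t" in leading:
            problems.append(f"line {lineno}: tab in indentation (YAML only allows spaces)")
            continue
        if leading:
            # Indentation is only valid directly under a "key:" with no value;
            # anywhere else the parser expects the mapping to end, not to nest.
            if not in_block:
                problems.append(f"line {lineno}: indented line with no parent 'key:' above it")
            continue  # nested content (lists, sub-mappings) is not flattened here
        in_block = False
        m = KEY_LINE.match(body)
        if not m:
            if re.match(r"^[A-Za-z0-9_.\-]+:\S", body):
                hint = "missing space after ':'"
            else:
                hint = "not a 'key: value' line"
            problems.append(f"line {lineno}: {hint}: {body!r}")
            continue
        key, value = m.group(1), (m.group(2) or "")
        value = value.split(" #", 1)[0].strip()  # drop a trailing comment
        if key in settings:
            problems.append(f"line {lineno}: duplicate key {key!r} (already set earlier)")
        if value == "":
            in_block = True  # the following indented lines belong to this key
        settings[key] = value
    return settings, problems


def security_status(settings: Dict[str, str]) -> Dict[str, bool]:
    """Report the two xpack.security flags the post sets, as booleans."""
    def flag(name: str) -> bool:
        return settings.get(name, "").strip("'\"").lower() == "true"
    return {
        "security": flag("xpack.security.enabled"),
        "api_key": flag("xpack.security.authc.api_key.enabled"),
    }


# Constructed sample: a well-formed config with the two settings from the post.
GOOD_CONFIG = """# constructed sample, not the poster's file
cluster.name: lab
network.host: 0.0.0.0
discovery.seed_hosts:
  - 127.0.0.1
xpack.security.enabled: true
xpack.security.authc.api_key.enabled: true
"""

# Constructed sample: four hand-editing mistakes, one per line 3..6.
BAD_CONFIG = """cluster.name: lab
xpack.security.enabled: true
  xpack.security.authc.api_key.enabled: true
\txpack.security.transport.ssl.enabled: true
xpack.security.authc.api_key.enabled:true
cluster.name: lab2
"""


if __name__ == "__main__":
    # Usage: python check_es_yaml.py /etc/elasticsearch/elasticsearch.yml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BAD_CONFIG
    found, issues = lint_es_yaml(text)
    for issue in issues:
        print("PROBLEM", issue)
    print("security flags:", security_status(found))
```

Run it against /etc/elasticsearch/elasticsearch.yml before the next systemctl restart; with no argument it lints the constructed bad sample and prints the four problems.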