Hi, I am using an ELK stack in Docker for pfSense, from here: GitHub - pfelk/docker: Deploy pfelk with docker-compose
All went fine; I even implemented HTTPS with my own domain certificate. Navigating the Kibana dashboard I saw some red crosses in the configuration section about Fleet, so I followed the instructions, but I cannot figure out what is wrong; it is something about the certificates, but I don't know what. This is the log from the logstash container.
[WARN ] 2021-06-01 14:00:12.033 [Ruby-0-Thread-11: /usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-elasticsearch-10.8.6-java/lib/logstash/outputs/elasticsearch/http_client/pool.rb:241] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"https://logstash_internal:xxxxxx@es01:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [https://logstash_internal:xxxxxx@es01:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
This is the docker-compose file:
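version: '2.2'

services:
  es01:
    build:
      context: elasticsearch/
      args:
        ELK_VERSION: $ELK_VERSION
    restart: unless-stopped
    container_name: es01
    environment:
      - node.name=es01
      - cluster.name=es-docker-cluster
      - cluster.initial_master_nodes=es01
      - bootstrap.memory_lock=true
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
      - network.host=0.0.0.0
      - xpack.security.enabled=true
      # Transport (node-to-node) TLS: one PKCS12 bundle acts as both keystore and truststore.
      - xpack.security.transport.ssl.enabled=true
      - xpack.security.transport.ssl.keystore.type=PKCS12
      - xpack.security.transport.ssl.verification_mode=certificate
      - xpack.security.transport.ssl.keystore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.path=elastic-certificates.p12
      - xpack.security.transport.ssl.truststore.type=PKCS12
      # API keys must be enabled for Fleet to work.
      - xpack.security.authc.api_key.enabled=true
      # HTTP (client-facing) TLS. NOTE(review): a client that trusts only root.crt
      # (Logstash's cacert) can only validate this endpoint if the chain served here
      # includes the intermediate; if public_2020.crt holds just the leaf certificate,
      # the intermediate needs to be appended to it — confirm against the PKIX error.
      - xpack.security.http.ssl.enabled=true
      - xpack.security.http.ssl.key=ssl/private_2020.key
      - xpack.security.http.ssl.certificate=ssl/public_2020.crt
      # certificate_authorities is used to verify *client* certificates; it does not
      # change the chain Elasticsearch presents to connecting clients.
      - xpack.security.http.ssl.certificate_authorities=ssl/intermediate_2020.crt
      # Trust store for outbound HTTP connections made by Elasticsearch itself.
      - xpack.http.ssl.certificate_authorities=ssl/root.crt
    ulimits:
      memlock:
        soft: -1
        hard: -1
    volumes:
      # Key material is read-only inside the container.
      - ./elastic-certificates.p12:/usr/share/elasticsearch/config/elastic-certificates.p12:ro
      - ./ssl:/usr/share/elasticsearch/config/ssl/:ro
      - data01:/usr/share/elasticsearch/data
    ports:
      # Published on every host interface; Docker inserts its own forwarding rules, so
      # host firewall INPUT rules do not restrict this. Bind to 127.0.0.1 if only local
      # access is needed.
      - "9200:9200"
    networks:
      - elastic

  logstash:
    container_name: logstash
    build:
      context: logstash/
      args:
        ELK_VERSION: $ELK_VERSION
    environment:
      LS_JAVA_OPTS: -Xmx1G -Xms1G
    restart: unless-stopped
    volumes:
      # NOTE(review): the pipeline's cacert points at /usr/share/logstash/config/ssl/root.crt,
      # so ./etc/logstash/config/ssl/root.crt must exist on the host — verify.
      - ./etc/logstash/config/:/usr/share/logstash/config:ro
      - ./etc/pfelk/conf.d/:/etc/pfelk/conf.d:ro
      - ./etc/pfelk/patterns/:/etc/pfelk/patterns:ro
      - ./etc/pfelk/databases/:/etc/pfelk/databases:ro
    ports:
      - "5040:5040"
      - "5044:5044"
      - "5140:5140/udp"
      - "5141:5141/udp"
      - "5190:5190"
      # The Logstash monitoring API has no authentication; keep it on loopback only.
      - "127.0.0.1:9600:9600"
    networks:
      - elastic
    depends_on:
      - es01

  kibana:
    container_name: kibana
    build:
      context: kibana/
      args:
        ELK_VERSION: $ELK_VERSION
    environment:
      ELASTICSEARCH_HOSTS: https://es01:9200
      SERVER_NAME: kibana
      SERVER_HOST: 0.0.0.0
      ELASTICSEARCH_USERNAME: kibana
      # Credentials: the file already reads $ELK_VERSION from .env; the same mechanism
      # keeps passwords and keys out of the committed compose file.
      ELASTICSEARCH_PASSWORD: mypassword
      # NOTE(review): this trusts the intermediate only; if Kibana cannot build a path
      # to it, use root.crt (or a bundle of both) here — confirm.
      ELASTICSEARCH_SSL_CERTIFICATEAUTHORITIES: /usr/share/kibana/config/ssl/intermediate_2020.crt
      SERVER_SSL_ENABLED: "true"
      SERVER_SSL_KEY: /usr/share/kibana/config/ssl/private_2020.key
      SERVER_SSL_CERTIFICATE: /usr/share/kibana/config/ssl/public_2020.crt
      XPACK_FLEET_ENABLED: "true"
      XPACK_SECURITY_ENABLED: "true"
      # Fleet requires this key, and Kibana requires it to be at least 32 characters long.
      XPACK_ENCRYPTEDSAVEDOBJECTS_ENCRYPTIONKEY: mykey
    volumes:
      # Mounted under the Kibana config directory instead of over /etc/ssl, so the
      # image's own system CA directory is not hidden by the bind mount.
      - ./ssl:/usr/share/kibana/config/ssl:ro
    restart: unless-stopped
    ports:
      - "5601:5601"
    networks:
      - elastic
    depends_on:
      - logstash

volumes:
  data01:
    driver: local

networks:
  elastic:
    driver: bridge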
This is logstash.yaml:
# Shipping Logstash monitoring data to Elasticsearch is switched off; the remaining
# settings are only consulted when xpack.monitoring.enabled is true.
xpack.monitoring.enabled: false
xpack.monitoring.elasticsearch.hosts:
  - "https://es01:9200"
xpack.monitoring.elasticsearch.username: logstash_system
# NOTE(review): an inline credential for a feature that is disabled; either drop it
# or source it from the Logstash keystore / ${VAR} substitution instead of plain text.
xpack.monitoring.elasticsearch.password: mypassword
and this is part of the Logstash output section:
output {
################################################################################
### firewall ###
################################################################################
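if "firewall" in [tags] {
  elasticsearch {
    hosts => ["https://es01:9200"]
    index => "pfelk-firewall-%{+YYYY.MM}"
    ssl => true
    # Verification stays enabled: with it disabled the cacert below is never used and
    # the output accepts any certificate presented on the connection. If the PKIX
    # error persists with verification on, the chain served by es01 does not lead to
    # root.crt — point cacert at a bundle (intermediate + root) or have es01 serve
    # the full chain.
    ssl_certificate_verification => true
    cacert => "/usr/share/logstash/config/ssl/root.crt"
    ilm_enabled => true
    #ILM# ilm_rollover_alias => "pfelk-firewall"
    #ILM# ilm_pattern => "000001"
    #ILM# ilm_policy => "pfelk-ilm"
    #ILM# ecs_compatibility => "v1"
    manage_template => false
    # NOTE(review): prefer the Logstash keystore or ${VAR} substitution over inline
    # credentials in a pipeline file.
    user => "logstash_internal"
    password => "mypass"
  }
}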
I am using the latest version of the stack.
thanks