Version: To connect to an Elasticsearch 5.x or newer cluster, use HTTPS mode.
Install the Search Guard plugin on your syslog-ng OSE host. Use the plugin version that matches the version of your Elasticsearch installation.
sudo /usr/share/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/<version-number-of-the-plugin>
Create a certificate for your syslog-ng OSE host, and add the certificate to the SYSLOG_NG-NODE_NAME-keystore.jks file. You can configure the location of this file in the Elasticsearch resources file under the path.conf parameter. For details, see the Search Guard documentation.
Configure an Elasticsearch destination in syslog-ng OSE that uses the searchguard client mode. For example:
destination d_elasticsearch {
    elasticsearch2(
        client-lib-dir("/usr/share/elasticsearch/plugins/search-guard-ssl/*.jar:/usr/share/elasticsearch/lib")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        time-zone("UTC")
        client-mode("searchguard")
        resource("/etc/syslog-ng/elasticsearch.yml")
    );
};
Configure the Elasticsearch resource file (for example, /etc/syslog-ng/elasticsearch.yml) as needed for your environment. Note the searchguard: section.
cluster:
  name: elasticsearch
discovery:
  zen:
    ping:
      unicast:
        hosts:
          - <ip-address-of-the-elasticsearch-server>
node:
  name: syslog_ng_secure
  data: false
  master: false
path:
  home: /etc/syslog-ng
  conf: /etc/syslog-ng
searchguard:
  ssl:
    transport:
      keystore_filepath: syslog_ng-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: true
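A pre-deployment check for the searchguard: section of the resource file above, written here as an added example (it is not part of the syslog-ng OSE or Search Guard documentation). It assumes the sample file is the constructed one embedded in the script, that relative keystore and truststore paths resolve under path.conf as the text describes, and it flags the Java default keystore password "changeit" that the sample leaves in place.

```python
import os

# Constructed sample mirroring the page's resource file (placeholder values, no real deployment).
SAMPLE_YAML = """\
path:
  conf: /etc/syslog-ng
searchguard:
  ssl:
    transport:
      keystore_filepath: syslog_ng-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: true
"""

DEFAULT_PASSWORDS = {"changeit", ""}  # "changeit" is the Java keystore default password


def parse_simple_yaml(text):
    """Parse the indented 'key: value' subset of the resource file into nested dicts (no lists)."""
    stack = [(-1, {})]  # (indent, mapping) path from the root mapping to the current one
    for raw in (line for line in text.splitlines() if line.strip()):
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        key, _, value = raw.strip().partition(":")
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return stack[0][1]


def audit_searchguard(config, conf_dir=None):
    """Return findings for searchguard.ssl.transport; relative paths assumed under path.conf."""
    t = config.get("searchguard", {}).get("ssl", {}).get("transport", {})
    findings = []
    if t.get("enforce_hostname_verification", "false").lower() != "true":
        findings.append("enforce_hostname_verification is not true: peer hostname is not checked")
    for key in ("keystore_password", "truststore_password"):
        if t.get(key, "") in DEFAULT_PASSWORDS:
            findings.append(f"{key} is a default or empty password")
    conf_dir = conf_dir or config.get("path", {}).get("conf", ".")
    for key in ("keystore_filepath", "truststore_filepath"):
        if not os.path.isfile(os.path.join(conf_dir, t.get(key, ""))):
            findings.append(f"{key} {t.get(key)!r} not found under {conf_dir}")
    return findings
```

Run `audit_searchguard(parse_simple_yaml(open("/etc/syslog-ng/elasticsearch.yml").read()))` on the real file; an empty list means the keystore files are present, hostname verification is on, and no default password remains.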