Purpose:
Version: To connect to an Elasticsearch 5.x or newer cluster, use HTTPS mode.
Steps:
- Install the Search Guard plugin on your syslog-ng OSE host. Use the plugin version that matches the version of your Elasticsearch installation.

    sudo /usr/share/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/<version-number-of-the-plugin>
- Create a certificate for your syslog-ng OSE host, and add the certificate to the SYSLOG_NG-NODE_NAME-keystore.jks file. The location of this file is configured in the Elasticsearch resource file under the path.conf parameter. For details, see the Search Guard documentation.
- Configure an Elasticsearch destination in syslog-ng OSE that uses the searchguard client mode. For example:

    destination d_elasticsearch {
        elasticsearch2(
            client-lib-dir("/usr/share/elasticsearch/plugins/search-guard-ssl/*.jar:/usr/share/elasticsearch/lib")
            index("syslog-${YEAR}.${MONTH}.${DAY}")
            type("syslog")
            time-zone("UTC")
            client-mode("searchguard")
            resource("/etc/syslog-ng/elasticsearch.yml")
        );
    };
- Configure the Elasticsearch resource file (for example, /etc/syslog-ng/elasticsearch.yml) as needed for your environment. Note the searchguard: section, which points the transport layer at the keystore and truststore created in the previous step and enables hostname verification of the cluster's certificate.

    cluster:
      name: elasticsearch
    discovery:
      zen:
        ping:
          unicast:
            hosts:
              - <ip-address-of-the-elasticsearch-server>
    node:
      name: syslog_ng_secure
      data: false
      master: false
    path:
      home: /etc/syslog-ng
      conf: /etc/syslog-ng
    searchguard:
      ssl:
        transport:
          keystore_filepath: syslog_ng-keystore.jks
          keystore_password: changeit
          truststore_filepath: truststore.jks
          truststore_password: changeit
          enforce_hostname_verification: true
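The resource file above ships with the Java default keystore password and relies on enforce_hostname_verification being left at true. The following POSIX shell script is an added example, not part of the syslog-ng OSE or Search Guard documentation: it lints the searchguard: section of such a file for the three things that silently weaken the TLS transport (default "changeit" passwords, hostname verification not enabled, keystore or truststore files readable by group or others). File names, the demo fixture and the rule that relative store paths resolve against the resource file's own directory (mirroring path.conf in the example) are assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the syslog-ng OSE documentation): lint the
# searchguard: section of a syslog-ng Elasticsearch resource file.

# check_sg_resource FILE
# Prints one WARN line per finding to stderr and the number of findings to stdout.
check_sg_resource() {
    file="$1"
    findings=0
    dir=$(dirname "$file")   # assumption: relative store paths live beside the file

    # Passwords left at the Java default used in the documentation example.
    if grep -Eq '^[[:space:]]*(keystore|truststore)_password:[[:space:]]*changeit[[:space:]]*$' "$file"; then
        echo "WARN: $file: keystore/truststore password is the default 'changeit'" >&2
        findings=$((findings + 1))
    fi

    # Without hostname verification any certificate chaining to the truststore
    # is accepted, whichever host presents it.
    if ! grep -Eq '^[[:space:]]*enforce_hostname_verification:[[:space:]]*true[[:space:]]*$' "$file"; then
        echo "WARN: $file: enforce_hostname_verification is not true" >&2
        findings=$((findings + 1))
    fi

    # The keystore holds the node's private key; neither store should be
    # readable by group or others.
    for key in keystore_filepath truststore_filepath; do
        store=$(sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$file" | head -n 1)
        [ -n "$store" ] || continue
        case "$store" in /*) path="$store" ;; *) path="$dir/$store" ;; esac
        [ -f "$path" ] || continue
        # GNU stat first, BSD stat as fallback; both print octal permission bits.
        mode=$(stat -c '%a' "$path" 2>/dev/null || stat -f '%Lp' "$path")
        case "$mode" in
            *00) ;;   # group and others have no access
            *) echo "WARN: $path has mode $mode; keystores should be 0600" >&2
               findings=$((findings + 1)) ;;
        esac
    done
    echo "$findings"
}

# demo_lint: write a constructed weak copy of the documentation's searchguard:
# section (default passwords, verification off, world-readable keystore) and a
# hardened variant, lint both, and print "<weak findings> <hardened findings>".
demo_lint() {
    tmp=$(mktemp -d)
    cat > "$tmp/weak.yml" <<'EOF'
searchguard:
  ssl:
    transport:
      keystore_filepath: syslog_ng-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: false
EOF
    : > "$tmp/syslog_ng-keystore.jks"
    chmod 644 "$tmp/syslog_ng-keystore.jks"
    weak=$(check_sg_resource "$tmp/weak.yml")

    cat > "$tmp/hardened.yml" <<'EOF'
searchguard:
  ssl:
    transport:
      keystore_filepath: node-keystore.jks
      keystore_password: EXAMPLE-KEYSTORE-PASSPHRASE
      truststore_filepath: truststore.jks
      truststore_password: EXAMPLE-TRUSTSTORE-PASSPHRASE
      enforce_hostname_verification: true
EOF
    : > "$tmp/node-keystore.jks"
    chmod 600 "$tmp/node-keystore.jks"
    hard=$(check_sg_resource "$tmp/hardened.yml")

    rm -rf "$tmp"
    echo "$weak $hard"
}

if [ "${1:-}" = "--demo" ]; then
    demo_lint
fi
```

Run it as `sh lint.sh --demo` to see the three findings for the weak fixture and none for the hardened one, or source it and call check_sg_resource /etc/syslog-ng/elasticsearch.yml against a real resource file. The grep patterns deliberately match only an exact "changeit" and an exact "true" so a commented-out or indented-differently key still produces a finding rather than a false pass.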