##########Problems encountered###############
@ Logstash to Elasticsearch HTTPS connection error
[2019-11-14T01:01:47,315][WARN ][logstash.outputs.elasticsearch]
Attempted to resurrect connection to dead ES instance, but got an error.
{:url=>"https://logstash:[email protected]:9200/",
:error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError,
:error=>"Elasticsearch Unreachable: [https://logstash:[email protected]:9200
/][Manticore::ClientProtocolException] PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target"}
* Since I am using the newer 7.3.2 version, the settings for other versions do not apply.
Setting SSL in logstash.conf >>> did not solve it
output {
  elasticsearch {
    hosts => ["https://localhost:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    user => logstash
    password => logstash
    ssl => true
    ssl_certificate_verification => true
    truststore => "/etc/logstash/conf.d/truststore.jks"
    truststore_password => logstash
  }
}
bin/logstash -f logstash.conf
As a result, the elastiflow module configuration is not read, and the corresponding service ports are not opened either
Starting UDP listener {:address=>"0.0.0.0:4739"} IPFix
Starting UDP listener {:address=>"0.0.0.0:2055"} Netflow
Starting UDP listener {:address=>"0.0.0.0:6343"} SFlow
Setting it in logstash.yml >>> did not solve it
modules:
  - name: netflow
    var.elasticsearch.hosts: ["https://127.0.0.1:9200"]
    var.elasticsearch.username: logstash
    var.elasticsearch.password: logstash
    var.elasticsearch.ssl: true
    var.elasticsearch.ssl_certificate_verification: false
    var.elasticsearch.truststore: ["/etc/logstash/conf.d/truststore.jks"]
    var.elasticsearch.truststore_password: logstash
bin/logstash "--path.settings" "/etc/logstash"
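The result was still an error: SSL certificate unavailable
Finally I found that the elastiflow module's settings contain a default configuration; after changing it, everything worked!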
output {
  elasticsearch {
    id => "output_elasticsearch_single"
    hosts => [ "${ELASTIFLOW_ES_HOST:127.0.0.1:9200}" ]
    ssl => "${ELASTIFLOW_ES_SSL_ENABLE:true}"
    ssl_certificate_verification => "${ELASTIFLOW_ES_SSL_VERIFY:true}"
    # If ssl_certificate_verification is true, uncomment cacert and set the path to the certificate.
    #cacert => "/PATH/TO/CERT"
    cacert => "/etc/logstash/conf.d/logstash.crt"
    user => "${ELASTIFLOW_ES_USER:admin}"
    password => "${ELASTIFLOW_ES_PASSWD:admin}"
    index => "elastiflow-3.5.1-%{+YYYY.MM.dd}"
    template => "${ELASTIFLOW_TEMPLATE_PATH:/etc/logstash/elastiflow/templates}/elastiflow.template.json"
    template_name => "elastiflow-3.5.1"
    template_overwrite => "true"
  }
}
1. The Logstash systemd startup entry is created with the bundled shell script /logstash/bin/system-install. This script puts the configuration path at /etc/logstash
logstash.yml | |
pipelines.yml | |
elastiflow/ | elastiflow module configuration files |
On startup, Logstash reads logstash.yml and pipelines.yml
pipelines.yml has an entry added that points to the elastiflow module configuration
- pipeline.id: elastiflow
  path.config: "/etc/logstash/elastiflow/conf.d/*.conf"
/etc/logstash/elastiflow/conf.d/ contains the input/output/filter configuration files for the netflow data; Logstash follows these rules to collect -> filter -> send to the Elasticsearch web API (https://127.0.0.0:9200)
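
Added example (not from the original post or the ElastiFlow project): a Python check that reads the active TLS settings of each elasticsearch output block in a pipeline file, which is where the effective settings turned out to live, and reports whether certificate verification has a CA to work with. The sample text is constructed from the elastiflow output block above; the function names and the one-setting-per-line parsing are assumptions of this example.

```python
import re

# Constructed sample: the page's elastiflow output block, trimmed to its TLS settings.
FIXED = '''
output {
  elasticsearch {
    hosts => [ "${ELASTIFLOW_ES_HOST:127.0.0.1:9200}" ]
    ssl => "${ELASTIFLOW_ES_SSL_ENABLE:true}"
    ssl_certificate_verification => "${ELASTIFLOW_ES_SSL_VERIFY:true}"
    #cacert => "/PATH/TO/CERT"
    cacert => "/etc/logstash/conf.d/logstash.crt"
  }
}
'''
# Constructed "before" variant: same block with only the commented-out cacert line.
BEFORE = FIXED.replace('    cacert => "/etc/logstash/conf.d/logstash.crt"\n', '')

def expand(value, env):
    """Expand Logstash ${VAR:default} references from env, then drop quotes."""
    ref = re.compile(r'\$\{(\w+)(?::([^}]*))?\}')
    return ref.sub(lambda m: env.get(m.group(1), m.group(2) or ''), value).strip().strip('"')

def es_outputs(conf_text, env):
    """Active settings of each elasticsearch { } block (assumes one setting per line)."""
    blocks, current = [], None
    for line in map(str.strip, conf_text.splitlines()):
        if re.fullmatch(r'elasticsearch\s*\{', line):
            current = {}
        elif current is not None and line == '}':
            blocks.append(current)
            current = None
        elif current is not None and '=>' in line and not line.startswith('#'):
            key, value = line.split('=>', 1)
            current[key.strip()] = expand(value, env)
    return blocks

def audit(s):
    """Return the TLS finding for one output's settings, or 'ok'."""
    ssl_on = s.get('ssl') == 'true' or 'https://' in s.get('hosts', '')
    if not ssl_on:
        return 'ssl off: credentials and events travel in cleartext'
    if s.get('ssl_certificate_verification', 'true') != 'true':
        return 'verification off: server certificate is not checked'
    if 'cacert' not in s and 'truststore' not in s:
        return 'no cacert/truststore: falls back to the JVM default trust store'
    return 'ok'

if __name__ == '__main__':
    for name, text, env in [('before', BEFORE, {}), ('fixed', FIXED, {}),
                            ('override', FIXED, {'ELASTIFLOW_ES_SSL_VERIFY': 'false'})]:
        print(name, [audit(s) for s in es_outputs(text, env)])
```

Run it against every file matched by the path.config glob in pipelines.yml, passing the environment the Logstash service actually starts with, since an ELASTIFLOW_ES_* variable overrides the default written in the file.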
##################################