Search Guard
Purpose:
Version 3.9 and later supports the Search Guard Elasticsearch plugin (version 2.4.1.16 and newer) to encrypt and authenticate the connections from AxoSyslog to Elasticsearch 2 and newer. To configure AxoSyslog to send messages to an Elasticsearch 2.x cluster that uses Search Guard, complete the following steps.
To connect to an Elasticsearch 5.x or newer cluster, use HTTPS mode.
Steps:
- Install the Search Guard plugin on your AxoSyslog host. Use the plugin version that matches the version of your Elasticsearch installation.

  ```shell
  sudo /usr/share/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/<version-number-of-the-plugin>
  ```

- Create a certificate for your AxoSyslog host, and add the certificate to the `SYSLOG_NG-NODE_NAME-keystore.jks` file. You can configure the location of this file in the Elasticsearch resource file under the `path.conf` parameter (the `keystore_filepath` and `truststore_filepath` values below are resolved relative to that directory). For details, see the Search Guard documentation.

- Configure an Elasticsearch destination in AxoSyslog that uses the `searchguard` client mode. For example:

  ```
  destination d_elasticsearch {
      elasticsearch2(
          client-lib-dir("/usr/share/elasticsearch/plugins/search-guard-ssl/*.jar:/usr/share/elasticsearch/lib")
          index("syslog-${YEAR}.${MONTH}.${DAY}")
          type("syslog")
          time-zone("UTC")
          client-mode("searchguard")
          resource("/etc/syslog-ng/elasticsearch.yml")
      );
  };
  ```

- Configure the Elasticsearch resource file (for example, `/etc/syslog-ng/elasticsearch.yml`) as needed for your environment. Note the `searchguard:` section. Because `enforce_hostname_verification` is `true`, the certificate presented by each Elasticsearch node must contain the hostname or IP address you list under `discovery.zen.ping.unicast.hosts`, and it must chain to a CA present in `truststore.jks`. Replace the `changeit` passwords (the Java keystore default) with your own, and restrict the resource file to the user AxoSyslog runs as, since it contains those passwords.

  ```yaml
  cluster:
    name: elasticsearch
  discovery:
    zen:
      ping:
        unicast:
          hosts:
            - <ip-address-of-the-elasticsearch-server>
  node:
    name: syslog_ng_secure
    data: false
    master: false
  path:
    home: /etc/syslog-ng
    conf: /etc/syslog-ng
  searchguard:
    ssl:
      transport:
        keystore_filepath: syslog_ng-keystore.jks
        keystore_password: changeit
        truststore_filepath: truststore.jks
        truststore_password: changeit
        enforce_hostname_verification: true
  ```
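The following pre-flight script is an added example, not part of AxoSyslog or Search Guard. It checks a resource file like the one above for the settings that matter most before AxoSyslog is started with it: hostname verification switched on, the keystore and truststore passwords changed from the Java default `changeit`, both files present at the paths resolved relative to `path.conf`, and the keystore (which holds the client's private key) readable only by its owner. It assumes the one-key-per-line YAML layout shown above; the `weak.yml`/`strong.yml` sample files and the dummy `.jks` files it writes are constructed for the demonstration only.

```shell
#!/bin/sh
# sg_preflight.sh: sanity-check the searchguard: section of an elasticsearch2()
# resource file before AxoSyslog is started with it.
# Added example; not part of AxoSyslog or Search Guard. Assumes the one-key-per-line
# layout shown above and that keystore/truststore paths are relative to path.conf.

# Print the value of the first "key: value" line whose key matches. YAML nesting is
# ignored, which is enough here because each key we look up occurs once in the file.
sg_value() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# Check one resource file; returns 0 if it passes, 1 if any finding was printed.
sg_preflight() {
    file=$1
    rc=0
    confdir=$(sg_value "$file" conf)
    [ -n "$confdir" ] || confdir=$(dirname "$file")

    # Without hostname verification, any certificate chaining to a CA in the
    # truststore is accepted, so a leaked or mis-issued node certificate from that
    # CA could impersonate the cluster.
    if [ "$(sg_value "$file" enforce_hostname_verification)" != "true" ]; then
        echo "FAIL: $file: enforce_hostname_verification must be true" >&2
        rc=1
    fi

    for key in keystore truststore; do
        # "changeit" is the Java keytool default password; empty means the key is missing.
        case "$(sg_value "$file" "${key}_password")" in
            ""|changeit)
                echo "FAIL: $file: ${key}_password is missing or the Java default" >&2
                rc=1 ;;
        esac

        path=$(sg_value "$file" "${key}_filepath")
        case "$path" in
            /*) ;;                       # absolute path, use as-is
            *)  path="$confdir/$path" ;; # relative to path.conf
        esac
        if [ ! -f "$path" ]; then
            echo "FAIL: $file: $key not found at $path" >&2
            rc=1
        elif [ "$key" = keystore ] && [ "$(ls -ld "$path" | cut -c5-10)" != "------" ]; then
            # The keystore holds the client's private key: only the owner may read it.
            echo "FAIL: $file: $path is readable by group or others" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Write a constructed weak and a hardened sample resource file into directory $1,
# plus dummy .jks files, so the checks can be exercised offline (constructed data).
sg_write_samples() {
    dir=$1
    printf 'not-a-real-keystore' > "$dir/weak-keystore.jks"
    printf 'not-a-real-keystore' > "$dir/syslog_ng-keystore.jks"
    printf 'not-a-real-truststore' > "$dir/truststore.jks"
    chmod 644 "$dir/weak-keystore.jks"                       # world-readable: a finding
    chmod 600 "$dir/syslog_ng-keystore.jks" "$dir/truststore.jks"

    cat > "$dir/weak.yml" <<EOF
path:
  home: $dir
  conf: $dir
searchguard:
  ssl:
    transport:
      keystore_filepath: weak-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: false
EOF

    cat > "$dir/strong.yml" <<EOF
path:
  home: $dir
  conf: $dir
searchguard:
  ssl:
    transport:
      keystore_filepath: syslog_ng-keystore.jks
      keystore_password: Kx9-example-only
      truststore_filepath: truststore.jks
      truststore_password: Tq4-example-only
      enforce_hostname_verification: true
EOF
}

# Demo run: every check fires on the weak file, the hardened file passes.
demo=$(mktemp -d)
sg_write_samples "$demo"
sg_preflight "$demo/weak.yml"   && echo "weak.yml passed (unexpected)" || echo "weak.yml rejected"
sg_preflight "$demo/strong.yml" && echo "strong.yml passed"
rm -rf "$demo"
```

To use it on a real deployment, source the file and call `sg_preflight /etc/syslog-ng/elasticsearch.yml`. The script checks settings and file permissions only; it does not open the keystores. To confirm that the node certificates carry the hostnames or IP addresses you configured under `discovery.zen.ping.unicast.hosts`, inspect them with `keytool -list -v` and compare the subject alternative names.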