7.3.5. Procedure – Search Guard and syslog-ng OSE

Purpose: 

Version 3.9 and later supports the Search Guard Elasticsearch plugin (version 2.4.1.16 and newer) to encrypt and authenticate the connections from syslog-ng OSE to Elasticsearch 2 and newer. To configure syslog-ng OSE to send messages to an Elasticsearch cluster that uses Search Guard, complete the following steps.

Steps: 

  1. Install the Search Guard plugin on your syslog-ng OSE host. Use the plugin version that matches the version of your Elasticsearch installation.

    sudo /usr/share/elasticsearch/bin/plugin install -b com.floragunn/search-guard-ssl/<version-number-of-the-plugin>
  2. Create a certificate for your syslog-ng OSE host, and add the certificate to the SYSLOG_NG-NODE_NAME-keystore.jks file. You can configure the location of this file in the Elasticsearch resource file under the path.conf parameter. For details, see the Search Guard documentation.

  3. Configure an Elasticsearch destination in syslog-ng OSE that uses the searchguard client mode. For example:

    destination d_elasticsearch {
      elasticsearch2(
        client-lib-dir("/usr/share/elasticsearch/plugins/search-guard-ssl/*.jar:/usr/share/elasticsearch/lib")
        index("syslog-${YEAR}.${MONTH}.${DAY}")
        type("syslog")
        time-zone("UTC")
        client_mode("searchguard")
        resource("/etc/syslog-ng/elasticsearch.yml")
      );
    };
  4. Configure the Elasticsearch resource file (for example, /etc/syslog-ng/elasticsearch.yml) as needed for your environment. Note the searchguard: section.

    cluster:
      name: elasticsearch
    discovery:
      zen:
        ping:
          unicast:
            hosts:
              - <ip-address-of-the-elasticsearch-server>
    node:
      name: syslog_ng_secure
      data: false
      master: false
    path:
      home: /etc/syslog-ng
      conf: /etc/syslog-ng
    searchguard:
      ssl:
        transport:
          keystore_filepath: syslog_ng-keystore.jks
          keystore_password: changeit
          truststore_filepath: truststore.jks
          truststore_password: changeit
          enforce_hostname_verification: true
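The following audit of the resource file's searchguard: settings is an added example, not part of syslog-ng OSE or Search Guard; it works on a constructed sample modelled on the file above and assumes only the keys shown there. It flags the changeit placeholder (the well-known default Java keystore password) and a disabled enforce_hostname_verification, the two settings most often left at their documentation values in production.

```python
"""Audit the syslog-ng Elasticsearch resource file for weak Search Guard
transport settings (added example, not syslog-ng OSE or Search Guard code)."""

# Constructed sample modelled on the resource file above, with the passwords
# and hostname verification deliberately left at weak values.
SAMPLE_RESOURCE = """\
searchguard:
  ssl:
    transport:
      keystore_filepath: syslog_ng-keystore.jks
      keystore_password: changeit
      truststore_filepath: truststore.jks
      truststore_password: changeit
      enforce_hostname_verification: false
"""
DEFAULT_PASSWORDS = {"changeit", "password", ""}  # well-known defaults

def parse_block_yaml(text):
    """Parse the indented 'key: value' subset of YAML the resource file uses;
    '- item' list entries (the unicast hosts) are skipped, no flow syntax."""
    root = {}
    stack = [(-1, root)]                  # open mappings as (indent, dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "- ")):
            continue
        indent = len(raw) - len(raw.lstrip())
        while indent <= stack[-1][0]:     # dedent closes nested mappings
            stack.pop()
        key, _, value = (s.strip() for s in line.partition(":"))
        if value:
            stack[-1][1][key] = value
        else:                             # a nested mapping follows
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root

def audit_searchguard(text):
    """Return findings for searchguard.ssl.transport; empty list means OK."""
    conf = parse_block_yaml(text)
    tr = conf.get("searchguard", {}).get("ssl", {}).get("transport", {})
    if not tr:
        return ["searchguard.ssl.transport missing: transport is not TLS-protected"]
    findings = []
    for name in ("keystore_password", "truststore_password"):
        if tr.get(name, "") in DEFAULT_PASSWORDS:
            findings.append(f"{name} is a default or empty password")
    if tr.get("enforce_hostname_verification", "").lower() != "true":
        findings.append("enforce_hostname_verification is not true")
    return findings
```

Run audit_searchguard() over the real /etc/syslog-ng/elasticsearch.yml before deploying; an empty result means the transport block is present with non-default passwords and hostname verification enforced.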