7.3.4. Procedure – Elasticsearch X-Pack (Shield) and syslog-ng OSE

Purpose: 

Version 3.8 and later supports Elasticsearch X-Pack security (Shield) to encrypt and authenticate the connections from syslog-ng OSE to Elasticsearch 2 and newer. In this mode, syslog-ng OSE uses the transport client API of Elasticsearch and the server(), port(), and cluster() options from the syslog-ng OSE configuration file, as in transport mode, but with Shield (X-Pack security) support. To configure syslog-ng OSE to send messages to an Elasticsearch cluster that uses Shield, complete the following steps.

Steps: 

  1. Add the Shield .jar file (shield-x.x.x.jar) to the same directory where your Elasticsearch .jar files are located. You can download the Shield distribution and extract the .jar file manually, or you can get it from the Elasticsearch Maven repository.

  2. Shield mode inherits the transport mode options, but the Shield-related options must be configured in the .yml file that the resource() option of the destination points to (see the resource() option). For example:

    shield.user: es_admin:********
    shield.transport.ssl: true
    shield.ssl.keystore.path: /usr/share/elasticsearch/node.jks
    shield.ssl.keystore.password: mypassword

    Here ******** stands for the password of the Shield user. Because this file holds that password and the keystore password in clear text, make it readable only by the user that syslog-ng OSE runs as (for example, with chmod 600), and make sure the keystore lets the client verify the certificates of the cluster nodes it connects to.

    For more details about the possible options, see: https://www.elastic.co/guide/en/shield/current/reference.html#ref-ssl-tls-settings.

  3. Configure an Elasticsearch destination in syslog-ng OSE that uses the shield client mode, that is, set the client mode to shield and point the resource() option to the .yml file from the previous step.
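
    The following syslog-ng OSE configuration ties the three steps together. It is an added example, not taken from the original page; the paths, the cluster name, the index and type names, and the client-lib-dir() option that tells syslog-ng OSE where the Elasticsearch and Shield .jar files live are assumptions you must adapt to your installation.

```conf
@version: 3.8

# Assumed local sources: system logs and syslog-ng's own messages
source s_local { system(); internal(); };

destination d_elastic_shield {
  elasticsearch2(
    # Step 3: transport client with Shield (X-Pack security) on top
    client-mode("shield")
    # Step 1: directory holding the Elasticsearch client .jar files
    # and shield-x.x.x.jar (assumed path)
    client-lib-dir("/usr/share/elasticsearch/lib")
    # Step 2: the .yml file with the shield.* settings (assumed path)
    resource("/usr/share/elasticsearch/config/elasticsearch.yml")
    # Transport-mode settings inherited by shield mode (assumed values)
    cluster("es-syslog-ng")
    server("127.0.0.1")
    port("9300")
    # Assumed index and type naming
    index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
    type("syslog-ng")
    template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --exclude DATE --key ISODATE)")
  );
};

log { source(s_local); destination(d_elastic_shield); };
```

    Check the configuration with syslog-ng --syntax-only before restarting the service; errors from the Java client, such as a rejected Shield user or an untrusted node certificate, only appear at runtime, so start syslog-ng OSE in the foreground with verbose output (syslog-ng -Fev) the first time to see them.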