Logstash for a Wazuh 4 production cluster (Docker) failing: output to Elasticsearch storage lost

wko9yo5t, posted 2022-12-09 in Logstash
Followers (0) | Answers (1) | Views (166)

I have a Wazuh 4 production cluster with Open Distro for Elasticsearch, Kibana and SSL security running in Docker. I am trying to connect Logstash (the Logstash Docker image) to Elasticsearch and I get this:

Attempted to resurrect connection to dead ES instance, but got an error

I have already generated SSL certificates for Logstash and tried other ways of connecting (changing the Logstash output through the Filebeat module), without success. What is the solution to this problem in Wazuh 4?

3gtaxfhh 1#

Let me help you with this. Our current documentation is valid for distributed architectures where Logstash is installed on the same machine as Elasticsearch, so we should consider adding documentation for the proper configuration of separated Logstash instances.
Ok, now let’s see if we can fix your problem.
After installing Logstash, I assume that you configured it using the distributed configuration file, as seen on this step (Logstash.2.b). Keep in mind that you need to specify the Elasticsearch IP address at the bottom of the file:

output {
    elasticsearch {
        hosts => ["<PUT_HERE_ELASTICSEARCH_IP>:9200"]
        index => "wazuh-alerts-3.x-%{+YYYY.MM.dd}"
        document_type => "wazuh"
    }
}

After saving the file and restarting the Logstash service, you may be getting this kind of log message on /var/log/logstash/logstash-plain.log:

Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://192.168.56.104:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :error=>"Elasticsearch Unreachable: [http://192.168.56.104:9200/][Manticore::SocketException] Connection refused (Connection refused)"}

I discovered that we need to edit the Elasticsearch configuration file, and modify this setting: network.host. On my test environment, this setting appears commented like this:

#network.host: 192.168.0.1

And I changed it to this:

network.host: 0.0.0.0

(Notice that I removed the # at the beginning of the line). The 0.0.0.0 IP will make Elasticsearch listen on all network interfaces.
After that, I restarted the Elasticsearch service using systemctl restart elasticsearch, and then, I started to see the alerts being indexed on Elasticsearch. Please, try these steps, and let’s see if everything is properly working now.
Let me know if you need more help with this, I’ll be glad to assist you.
Regards,
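The answer above boils down to two checks: what the Logstash "resurrect connection" message is actually reporting (refused vs. timed out vs. TLS vs. authentication), and how `network.host` is set in elasticsearch.yml. The script below is an added diagnostic written for this page, not code from the thread or from Wazuh; the log line and the elasticsearch.yml fragments in it are constructed samples shaped like the ones quoted above, and the cause categories and hints are this editor's mapping, not Logstash output. It also flags the caveat a practitioner would want about the fix: `network.host: 0.0.0.0` binds port 9200 on every interface, so on a host with a public interface it should be paired with the Open Distro security plugin's TLS and authentication, or replaced by the specific address (or Docker network) that Logstash connects to.

```python
"""Added diagnostic helper, not part of the original thread: classify Logstash's
"Attempted to resurrect connection to dead ES instance" message and inspect the
network.host binding in elasticsearch.yml. All sample inputs here are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: same shape as the log line quoted in the answer above.
SAMPLE_LOG = (
    'Attempted to resurrect connection to dead ES instance, but got an error. '
    '{:url=>"http://192.168.56.104:9200/", '
    ':error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, '
    ':error=>"Elasticsearch Unreachable: [http://192.168.56.104:9200/]'
    '[Manticore::SocketException] Connection refused (Connection refused)"}'
)

# Constructed elasticsearch.yml fragments: default (commented out), all interfaces, loopback.
ES_YML_DEFAULT = "cluster.name: wazuh\n#network.host: 192.168.0.1\nhttp.port: 9200\n"
ES_YML_ALL = "cluster.name: wazuh\nnetwork.host: 0.0.0.0\n"
ES_YML_LOOPBACK = "network.host: 127.0.0.1\n"

URL_RE = re.compile(r':url=>"(?P<scheme>https?)://(?P<host>[^:/"]+):(?P<port>\d+)/?"')
ERR_RE = re.compile(r':error=>"(?P<err>[^"]*)"')
# Only an uncommented network.host line counts; "#network.host" stays the default.
HOST_RE = re.compile(r'^\s*network\.host\s*:\s*(?P<val>\S+)', re.MULTILINE)


@dataclass
class Diagnosis:
    scheme: str
    host: str
    port: int
    cause: str   # refused | timeout | tls | auth | other (this script's own categories)
    hint: str


def parse_resurrect_line(line: str) -> Optional[Diagnosis]:
    """Pull the target URL and error text out of the resurrect message and classify it."""
    u, e = URL_RE.search(line), ERR_RE.search(line)
    if not (u and e):
        return None
    err = e.group("err")
    if "Connection refused" in err:
        cause, hint = "refused", ("nothing listens on that address:port as seen from Logstash; "
                                  "check network.host in elasticsearch.yml and the published Docker port")
    elif "timed out" in err.lower() or "timeout" in err.lower():
        cause, hint = "timeout", "packets are dropped: firewall, wrong Docker network or wrong IP"
    elif any(k in err.lower() for k in ("ssl", "handshake", "certificate")):
        cause, hint = "tls", "TLS mismatch: an https target needs ssl => true and a cacert Logstash trusts"
    elif "401" in err or "403" in err:
        cause, hint = "auth", "Elasticsearch was reached but rejected the request: set user/password"
    else:
        cause, hint = "other", "inspect the full error text"
    return Diagnosis(u.group("scheme"), u.group("host"), int(u.group("port")), cause, hint)


def network_host_binding(yml: str) -> str:
    """Return 'unset' (Elasticsearch then binds loopback only), 'loopback', 'all' or 'specific'."""
    m = HOST_RE.search(yml)
    if not m:
        return "unset"
    val = m.group("val").strip("'\"").lower()
    if val in ("_local_", "localhost", "127.0.0.1", "::1") or val.startswith("127."):
        return "loopback"
    if val in ("0.0.0.0", "::", "_global_"):
        return "all"
    return "specific"


def remote_clients_can_connect(binding: str) -> bool:
    """A Logstash host or container with its own IP cannot reach a loopback-only bind."""
    return binding not in ("unset", "loopback")


def explain(line: str, yml: str) -> List[str]:
    """Combine both checks into human-readable findings."""
    d = parse_resurrect_line(line)
    if d is None:
        return ["log line is not a resurrect-connection message"]
    findings = [f"{d.scheme}://{d.host}:{d.port} -> {d.cause}: {d.hint}"]
    b = network_host_binding(yml)
    if d.cause == "refused" and not remote_clients_can_connect(b):
        findings.append(f"network.host is {b}: Elasticsearch listens on loopback only, "
                        "so a remote Logstash gets 'Connection refused'")
    if b == "all":
        findings.append("network.host 0.0.0.0 exposes 9200 on every interface; prefer the specific "
                        "address or Docker network Logstash uses, and keep TLS + authentication on")
    return findings


if __name__ == "__main__":
    for finding in explain(SAMPLE_LOG, ES_YML_DEFAULT):
        print(finding)
```

Run it against the real `/var/log/logstash/logstash-plain.log` line and the real elasticsearch.yml to get the same two findings the answer reaches by hand; the `tls` and `auth` branches cover the case in the question, where Elasticsearch is behind Open Distro's SSL and a plain `http://` output will never index anything even once the bind address is fixed.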
