
Hi,

Regarding the Elasticsearch module:

Currently, I am using NXLog Manager and the NXLog agent, and I want to send the logs to Elasticsearch. Where should I put the Elasticsearch username and password in the NXLog config file?

Thanks

Asked January 20, 2021 - 3:20am

Answer (1)

Hello,

Correct me if I am wrong: are you using om_elasticsearch in your setup? Have you already checked the om_elasticsearch documentation?

Thanks,
Rafal

Comments (4)

  • aurox3d

    Hi Raf,

    Below is my nxlog.conf for om_elasticsearch:

    LogLevel INFO
    Logfile %LOGDIR%/nxlog.log

    <Extension agent_managment>
      Module xm_soapadmin
      Connect 10.1.1.127
      Port 4041
      SocketType SSL
      CAFile %CERTDIR%/agent-ca.pem
      CertFile %CERTDIR%/agent-cert.pem
      CertKeyFile %CERTDIR%/agent-key.pem
      AllowUntrusted FALSE
      RequireCert TRUE
      <ACL conf>
        Directory %CONFDIR%
        AllowRead TRUE
        AllowWrite TRUE
      </ACL>
      <ACL cert>
        Directory %CERTDIR%
        AllowRead TRUE
        AllowWrite TRUE
      </ACL>
    </Extension>

    <Processor buffer>
      Module pm_buffer
      WarnLimit 102400
      MaxSize 102400
      Type Disk
    </Processor>

    # Block names cannot contain spaces; the input is named Windows_Event
    # here so that the Route Path below can reference it.
    <Input Windows_Event>
      Module im_mseventlog
      SavePos TRUE
    </Input>

    <Output ELK>
      Module om_elasticsearch
      URL http://10.1.1.134:9200
      Index strftime($EventTime, "test-%Y%m%d")
      AddHeader Authorization: "Basic ZWxfc3RpYzoqWURAUk21ZbmV9"
    </Output>

    <Route Windows_Event>
      Priority 1
      Path Windows_Event => buffer => ELK
    </Route>

    Thanks

  • konstantinos (NXLog)

    Hi there,

    Do you get an ERROR in your /opt/nxlog/var/log/nxlog/nxlog.log similar to:

    [om_elasticsearch|elasticsearch] HTTP response status is not OK: 401 Unauthorized

    Can you try formatting the header as shown below:

    AddHeader Authorization: Basic ZWxhc3RpYzokWSRAUk1ZbmV0==

    Are you able to log in using a simple curl from the host running your nxlog?

    curl -vv --user elastic https://10.1.1.134:9200

    Also, please try formatting the URL in your config as follows:

    URL http://10.1.1.134:9200/_bulk

    Thanks,

    Konstantinos
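The two comments above come down to one thing: the value of the `AddHeader Authorization:` directive has to be a well-formed HTTP Basic credential, `Basic` followed by base64 of `user:password`, with no surrounding quotes (NXLog would send the quote characters as part of the header, and Elasticsearch answers 401). The script below is an added example, not code from the thread or from NXLog, that builds such a header from a username and password, renders an om_elasticsearch Output block with it (using the `/_bulk` URL form suggested above), and checks an existing `AddHeader` line for the mistakes discussed here: quoting, a non-`Basic` scheme, invalid base64, or a decoded value without the `user:password` colon. The credentials `elastic` / `changeme` are constructed sample values; the function names are the example's own.

```python
import base64
import binascii
import re


def basic_auth_header(username: str, password: str) -> str:
    """Return an RFC 7617 Basic credential: 'Basic ' + base64('user:password')."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def render_output_block(name: str, url: str, username: str, password: str, index_expr: str) -> str:
    """Render an om_elasticsearch Output block in NXLog configuration syntax.

    The header value is emitted unquoted; quoting it is the misconfiguration
    the thread above is about.
    """
    return "\n".join([
        f"<Output {name}>",
        "    Module om_elasticsearch",
        f"    URL {url}",
        f"    Index {index_expr}",
        f"    AddHeader Authorization: {basic_auth_header(username, password)}",
        "</Output>",
    ])


# Matches 'AddHeader Authorization: <value>' with any leading indentation.
_ADDHEADER_RE = re.compile(r"^\s*AddHeader\s+Authorization:\s*(.*?)\s*$")


def check_addheader_line(line: str) -> dict:
    """Inspect one AddHeader line from nxlog.conf.

    Returns {'ok': bool, 'user': str | None, 'issues': [str, ...]}. The user
    name is recovered (never the password) so a reviewer can confirm which
    account the agent would present without printing the secret.
    """
    issues = []
    m = _ADDHEADER_RE.match(line)
    if not m:
        return {"ok": False, "user": None, "issues": ["not an AddHeader Authorization line"]}
    value = m.group(1)

    # Quotes are sent literally: Authorization: "Basic ..." is not valid Basic auth.
    if value[:1] in ('"', "'"):
        issues.append("value is quoted; the quotes would be sent as part of the header")
        value = value.strip("\"'")

    parts = value.split(None, 1)
    if len(parts) != 2 or parts[0] != "Basic":
        issues.append("scheme is not 'Basic'")
        return {"ok": False, "user": None, "issues": issues}

    # validate=True rejects characters outside the base64 alphabet; bad padding also raises.
    try:
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        issues.append("credentials are not valid base64")
        return {"ok": False, "user": None, "issues": issues}

    if ":" not in decoded:
        issues.append("decoded credentials lack the 'user:password' colon")
        return {"ok": False, "user": None, "issues": issues}

    user = decoded.split(":", 1)[0]
    return {"ok": not issues, "user": user, "issues": issues}


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    print(render_output_block("ELK", "http://10.1.1.134:9200/_bulk", "elastic", "changeme",
                              'strftime($EventTime, "test-%Y%m%d")'))
    for sample in (
        'AddHeader Authorization: Basic ZWxhc3RpYzpjaGFuZ2VtZQ==',     # correct form
        'AddHeader Authorization: "Basic ZWxhc3RpYzpjaGFuZ2VtZQ=="',   # quoted, as in the posted config
        'AddHeader Authorization: Basic ZWxhc3RpYw==',                 # base64 of "elastic" only, no colon
    ):
        print(sample, "->", check_addheader_line(sample))
```

Run the checker over the `AddHeader` line of an agent's nxlog.conf before restarting the agent; a result with `ok` false and the `user` still recovered usually means the quoting problem, while `credentials are not valid base64` points at a copy-and-paste error in the token itself. Pair it with the `curl --user elastic https://10.1.1.134:9200` test from the comment above, which exercises the same credential against the cluster.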