logstash-output-elasticsearch 11.12.4-java → 11.15.9-java
- checksums.yaml +4 -4
- data/CHANGELOG.md +58 -0
- data/docs/index.asciidoc +214 -66
- data/lib/logstash/outputs/elasticsearch/http_client/pool.rb +14 -4
- data/lib/logstash/outputs/elasticsearch/http_client_builder.rb +46 -19
- data/lib/logstash/outputs/elasticsearch/template_manager.rb +26 -3
- data/lib/logstash/outputs/elasticsearch.rb +89 -39
- data/lib/logstash/plugin_mixins/elasticsearch/api_configs.rb +60 -8
- data/lib/logstash/plugin_mixins/elasticsearch/common.rb +42 -18
- data/logstash-output-elasticsearch.gemspec +3 -2
- data/spec/es_spec_helper.rb +12 -7
- data/spec/fixtures/test_certs/ca.crt +13 -13
- data/spec/fixtures/test_certs/ca.der.sha256 +1 -1
- data/spec/fixtures/test_certs/test.crt +14 -14
- data/spec/fixtures/test_certs/test.der.sha256 +1 -1
- data/spec/fixtures/test_certs/test.p12 +0 -0
- data/spec/integration/outputs/index_spec.rb +16 -16
- data/spec/integration/outputs/templates_spec.rb +11 -9
- data/spec/unit/outputs/elasticsearch/data_stream_support_spec.rb +4 -2
- data/spec/unit/outputs/elasticsearch/http_client/pool_spec.rb +9 -2
- data/spec/unit/outputs/elasticsearch/template_manager_spec.rb +72 -20
- data/spec/unit/outputs/elasticsearch_spec.rb +358 -28
- data/spec/unit/outputs/elasticsearch_ssl_spec.rb +166 -50
- metadata +18 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: c9e537b9f31644ce80834b295b99d22566863f666ab319efc34f641c15018d74
|
4
|
+
data.tar.gz: a99f63dd55f4b0a12e597e812db124dd9a7fe82ce1a5e7af4057992f903eac65
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 12fa3b203130210b5d274364ff97e31bfb01aaedd23ac22fc53fea1626cad628d3f33e952dcf12555fc4860d7577235684e255550dfc7668d9dc93d7e6bf55ff
|
7
|
+
data.tar.gz: 50ca989af2afc85f439995c6dde9c7eeda56924c9d9729ef91426b34dc99146fadecf3e290dc7e122113bb2cbf50bdc1eeac22f8448d2d4373b0d251660fb6a7
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,61 @@
|
|
1
|
+
## 11.15.9
|
2
|
+
- allow dlq_ settings when using data streams [#1144](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1144)
|
3
|
+
|
4
|
+
## 11.15.8
|
5
|
+
- Fixes a regression introduced in 11.14.0 which could prevent Logstash 8.8 from establishing a connection to Elasticsearch for Central Management and Monitoring core features [#1141](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/1141)
|
6
|
+
|
7
|
+
## 11.15.7
|
8
|
+
- Fixes a regression introduced in 11.14.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#1138](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/1138)
|
9
|
+
|
10
|
+
## 11.15.6
|
11
|
+
- Fix: avoid to reject a batch when the Elasticsearch connection is alive and the processing should continue [#1132](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1132).
|
12
|
+
|
13
|
+
## 11.15.5
|
14
|
+
- Fixes `undefined 'shutdown_requested' method` error when plugin checks if shutdown request is received [#1134](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1134)
|
15
|
+
|
16
|
+
## 11.15.4
|
17
|
+
- Improved connection handling under several partial-failure scenarios [#1130](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1130)
|
18
|
+
- Ensures an HTTP connection can be established before adding the connection to the pool
|
19
|
+
- Ensures that the version of the connected Elasticsearch is retrieved _successfully_ before the connection is added to the pool.
|
20
|
+
- Fixes a crash that could occur when the plugin is configured to connect to a live HTTP resource that is _not_ Elasticsearch
|
21
|
+
|
22
|
+
## 11.15.3
|
23
|
+
- Removes the ECS v8 unreleased preview warning [#1131](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1131)
|
24
|
+
|
25
|
+
## 11.15.2
|
26
|
+
- Restores DLQ logging behavior from 11.8.x to include the action-tuple as structured [#1105](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1105)
|
27
|
+
|
28
|
+
## 11.15.1
|
29
|
+
- Move async finish_register to bottom of register to avoid race condition [#1125](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1125)
|
30
|
+
|
31
|
+
## 11.15.0
|
32
|
+
- Added the ability to negatively acknowledge the batch under processing if the plugin is blocked in a retry-error-loop and a shutdown is requested. [#1119](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1119)
|
33
|
+
|
34
|
+
## 11.14.1
|
35
|
+
- [DOC] Fixed incorrect pull request link on the CHANGELOG `11.14.0` entry [#1122](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1122)
|
36
|
+
|
37
|
+
## 11.14.0
|
38
|
+
- Added SSL settings for: [#1118](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1118)
|
39
|
+
- `ssl_truststore_type`: The format of the truststore file
|
40
|
+
- `ssl_keystore_type`: The format of the keystore file
|
41
|
+
- `ssl_certificate`: OpenSSL-style X.509 certificate file to authenticate the client
|
42
|
+
- `ssl_key`: OpenSSL-style RSA private key that corresponds to the `ssl_certificate`
|
43
|
+
- `ssl_cipher_suites`: The list of cipher suites
|
44
|
+
- Reviewed and deprecated SSL settings to comply with Logstash's naming convention
|
45
|
+
- Deprecated `ssl` in favor of `ssl_enabled`
|
46
|
+
- Deprecated `cacert` in favor of `ssl_certificate_authorities`
|
47
|
+
- Deprecated `keystore` in favor of `ssl_keystore_path`
|
48
|
+
- Deprecated `keystore_password` in favor of `ssl_keystore_password`
|
49
|
+
- Deprecated `truststore` in favor of `ssl_truststore_path`
|
50
|
+
- Deprecated `truststore_password` in favor of `ssl_truststore_password`
|
51
|
+
- Deprecated `ssl_certificate_verification` in favor of `ssl_verification_mode`
|
52
|
+
|
53
|
+
## 11.13.1
|
54
|
+
- Avoid crash by ensuring ILM settings are injected in the correct location depending on the default (or custom) template format, template_api setting and ES version [#1102](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1102)
|
55
|
+
|
56
|
+
## 11.13.0
|
57
|
+
- add technology preview support for allowing events to individually encode a default pipeline with `[@metadata][target_ingest_pipeline]` (as part of a technology preview, this feature may change without notice) [#1113](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1113)
|
58
|
+
|
1
59
|
## 11.12.4
|
2
60
|
- Changed the `manage_template` default value to `false` when data streams is enabled [#1111](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1111)
|
3
61
|
- Added the `manage_template => false` as a valid data stream option
|
data/docs/index.asciidoc
CHANGED
@@ -299,7 +299,7 @@ checks.
|
|
299
299
|
==== Elasticsearch Output Configuration Options
|
300
300
|
|
301
301
|
This plugin supports the following configuration options plus the
|
302
|
-
<<plugins-{type}s-{plugin}-common-options>> described later.
|
302
|
+
<<plugins-{type}s-{plugin}-common-options>> and the <<plugins-{type}s-{plugin}-deprecated-options>> described later.
|
303
303
|
|
304
304
|
[cols="<,<,<",options="header",]
|
305
305
|
|=======================================================================
|
@@ -307,7 +307,6 @@ This plugin supports the following configuration options plus the
|
|
307
307
|
| <<plugins-{type}s-{plugin}-action>> |<<string,string>>|No
|
308
308
|
| <<plugins-{type}s-{plugin}-api_key>> |<<password,password>>|No
|
309
309
|
| <<plugins-{type}s-{plugin}-bulk_path>> |<<string,string>>|No
|
310
|
-
| <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|No
|
311
310
|
| <<plugins-{type}s-{plugin}-ca_trusted_fingerprint>> |<<string,string>>|No
|
312
311
|
| <<plugins-{type}s-{plugin}-cloud_auth>> |<<password,password>>|No
|
313
312
|
| <<plugins-{type}s-{plugin}-cloud_id>> |<<string,string>>|No
|
@@ -333,8 +332,6 @@ This plugin supports the following configuration options plus the
|
|
333
332
|
| <<plugins-{type}s-{plugin}-ilm_policy>> |<<string,string>>|No
|
334
333
|
| <<plugins-{type}s-{plugin}-ilm_rollover_alias>> |<<string,string>>|No
|
335
334
|
| <<plugins-{type}s-{plugin}-index>> |<<string,string>>|No
|
336
|
-
| <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|No
|
337
|
-
| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|No
|
338
335
|
| <<plugins-{type}s-{plugin}-silence_errors_in_log>> |<<array,array>>|No
|
339
336
|
| <<plugins-{type}s-{plugin}-manage_template>> |<<boolean,boolean>>|No
|
340
337
|
| <<plugins-{type}s-{plugin}-parameters>> |<<hash,hash>>|No
|
@@ -358,16 +355,24 @@ This plugin supports the following configuration options plus the
|
|
358
355
|
| <<plugins-{type}s-{plugin}-sniffing>> |<<boolean,boolean>>|No
|
359
356
|
| <<plugins-{type}s-{plugin}-sniffing_delay>> |<<number,number>>|No
|
360
357
|
| <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No
|
361
|
-
| <<plugins-{type}s-{plugin}-
|
362
|
-
| <<plugins-{type}s-{plugin}-
|
358
|
+
| <<plugins-{type}s-{plugin}-ssl_certificate>> |<<path,path>>|No
|
359
|
+
| <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
|
360
|
+
| <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |list of <<string,string>>|No
|
361
|
+
| <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
|
362
|
+
| <<plugins-{type}s-{plugin}-ssl_key>> |<<path,path>>|No
|
363
|
+
| <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
|
364
|
+
| <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
|
365
|
+
| <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
|
363
366
|
| <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
|
367
|
+
| <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
|
368
|
+
| <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
|
369
|
+
| <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
|
370
|
+
| <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
|
364
371
|
| <<plugins-{type}s-{plugin}-template>> |a valid filesystem path|No
|
365
372
|
| <<plugins-{type}s-{plugin}-template_api>> |<<string,string>>, one of `["auto", "legacy", "composable"]`|No
|
366
373
|
| <<plugins-{type}s-{plugin}-template_name>> |<<string,string>>|No
|
367
374
|
| <<plugins-{type}s-{plugin}-template_overwrite>> |<<boolean,boolean>>|No
|
368
375
|
| <<plugins-{type}s-{plugin}-timeout>> |<<number,number>>|No
|
369
|
-
| <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
|
370
|
-
| <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
|
371
376
|
| <<plugins-{type}s-{plugin}-upsert>> |<<string,string>>|No
|
372
377
|
| <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
|
373
378
|
| <<plugins-{type}s-{plugin}-validate_after_inactivity>> |<<number,number>>|No
|
@@ -408,7 +413,7 @@ For more details on actions, check out the {ref}/docs-bulk.html[Elasticsearch bu
|
|
408
413
|
* There is no default value for this setting.
|
409
414
|
|
410
415
|
Authenticate using Elasticsearch API key.
|
411
|
-
Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`
|
416
|
+
Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`ssl_enabled => true`>>.
|
412
417
|
|
413
418
|
Format is `id:api_key` where `id` and `api_key` are as returned by the
|
414
419
|
Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
|
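Review bot: The rewritten `api_key` note shows `ssl_enabled => true` as the link text, but the cross-reference target is still `plugins-{type}s-{plugin}-ssl`, which this same diff moves into the deprecated options section. Point the anchor at `plugins-{type}s-{plugin}-ssl_enabled` so the reader lands on the setting the sentence actually recommends.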
@@ -422,14 +427,6 @@ Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
|
|
422
427
|
HTTP Path to perform the _bulk requests to
|
423
428
|
this defaults to a concatenation of the path parameter and "_bulk"
|
424
429
|
|
425
|
-
[id="plugins-{type}s-{plugin}-cacert"]
|
426
|
-
===== `cacert`
|
427
|
-
|
428
|
-
* Value type is <<path,path>>
|
429
|
-
* There is no default value for this setting.
|
430
|
-
|
431
|
-
The .cer or .pem file to validate the server's certificate.
|
432
|
-
|
433
430
|
[id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
|
434
431
|
===== `ca_trusted_fingerprint`
|
435
432
|
|
@@ -769,23 +766,6 @@ Logstash uses
|
|
769
766
|
http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[Joda
|
770
767
|
formats] and the `@timestamp` field of each event is being used as source for the date.
|
771
768
|
|
772
|
-
[id="plugins-{type}s-{plugin}-keystore"]
|
773
|
-
===== `keystore`
|
774
|
-
|
775
|
-
* Value type is <<path,path>>
|
776
|
-
* There is no default value for this setting.
|
777
|
-
|
778
|
-
The keystore used to present a certificate to the server.
|
779
|
-
It can be either .jks or .p12
|
780
|
-
|
781
|
-
[id="plugins-{type}s-{plugin}-keystore_password"]
|
782
|
-
===== `keystore_password`
|
783
|
-
|
784
|
-
* Value type is <<password,password>>
|
785
|
-
* There is no default value for this setting.
|
786
|
-
|
787
|
-
Set the keystore password
|
788
|
-
|
789
769
|
[id="plugins-{type}s-{plugin}-manage_template"]
|
790
770
|
===== `manage_template`
|
791
771
|
|
@@ -849,12 +829,11 @@ not also set this field. That will raise an error at startup
|
|
849
829
|
===== `pipeline`
|
850
830
|
|
851
831
|
* Value type is <<string,string>>
|
852
|
-
*
|
832
|
+
* There is no default value.
|
853
833
|
|
854
834
|
Set which ingest pipeline you wish to execute for an event. You can also use
|
855
|
-
event dependent configuration here like `pipeline =>
|
856
|
-
|
857
|
-
resolves to empty string ("").
|
835
|
+
event dependent configuration here like `pipeline => "%{[@metadata][pipeline]}"`.
|
836
|
+
The pipeline parameter won't be set if the value resolves to empty string ("").
|
858
837
|
|
859
838
|
[id="plugins-{type}s-{plugin}-pool_max"]
|
860
839
|
===== `pool_max`
|
@@ -1035,8 +1014,35 @@ the default value is computed by concatenating the path value and "_nodes/http"
|
|
1035
1014
|
if sniffing_path is set it will be used as an absolute path
|
1036
1015
|
do not use full URL here, only paths, e.g. "/sniff/_nodes/http"
|
1037
1016
|
|
1038
|
-
[id="plugins-{type}s-{plugin}-
|
1039
|
-
===== `
|
1017
|
+
[id="plugins-{type}s-{plugin}-ssl_certificate"]
|
1018
|
+
===== `ssl_certificate`
|
1019
|
+
* Value type is <<path,path>>
|
1020
|
+
* There is no default value for this setting.
|
1021
|
+
|
1022
|
+
SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
|
1023
|
+
|
1024
|
+
NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_key>> is set.
|
1025
|
+
|
1026
|
+
[id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
|
1027
|
+
===== `ssl_certificate_authorities`
|
1028
|
+
|
1029
|
+
* Value type is a list of <<path,path>>
|
1030
|
+
* There is no default value for this setting
|
1031
|
+
|
1032
|
+
The .cer or .pem files to validate the server's certificate.
|
1033
|
+
|
1034
|
+
NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_truststore_path>> at the same time.
|
1035
|
+
|
1036
|
+
[id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
|
1037
|
+
===== `ssl_cipher_suites`
|
1038
|
+
* Value type is a list of <<string,string>>
|
1039
|
+
* There is no default value for this setting
|
1040
|
+
|
1041
|
+
The list of cipher suites to use, listed by priorities.
|
1042
|
+
Supported cipher suites vary depending on the Java and protocol versions.
|
1043
|
+
|
1044
|
+
[id="plugins-{type}s-{plugin}-ssl_enabled"]
|
1045
|
+
===== `ssl_enabled`
|
1040
1046
|
|
1041
1047
|
* Value type is <<boolean,boolean>>
|
1042
1048
|
* There is no default value for this setting.
|
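Review bot: The `ssl_certificate_authorities` section documents the value as a list of paths and speaks of "files" in the plural, while `setup_ssl` in http_client_builder.rb raises 'Multiple values on "ssl_certificate_authorities" are not supported by this plugin' when the list has more than one entry. Add a NOTE here stating that only a single CA file is accepted, otherwise a configuration that follows the docs fails at startup. Smaller style point: `ssl_certificate` and `ssl_cipher_suites` go straight from the heading to the bullet list without the blank line the other new sections have.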
@@ -1045,15 +1051,41 @@ Enable SSL/TLS secured communication to Elasticsearch cluster.
|
|
1045
1051
|
Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
|
1046
1052
|
If no explicit protocol is specified plain HTTP will be used.
|
1047
1053
|
|
1048
|
-
[id="plugins-{type}s-{plugin}-
|
1049
|
-
===== `
|
1054
|
+
[id="plugins-{type}s-{plugin}-ssl_key"]
|
1055
|
+
===== `ssl_key`
|
1056
|
+
* Value type is <<path,path>>
|
1057
|
+
* There is no default value for this setting.
|
1050
1058
|
|
1051
|
-
|
1052
|
-
* Default value is `true`
|
1059
|
+
OpenSSL-style RSA private key that corresponds to the <<plugins-{type}s-{plugin}-ssl_certificate>>.
|
1053
1060
|
|
1054
|
-
|
1055
|
-
|
1056
|
-
|
1061
|
+
NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate>> is set.
|
1062
|
+
|
1063
|
+
[id="plugins-{type}s-{plugin}-ssl_keystore_password"]
|
1064
|
+
===== `ssl_keystore_password`
|
1065
|
+
|
1066
|
+
* Value type is <<password,password>>
|
1067
|
+
* There is no default value for this setting.
|
1068
|
+
|
1069
|
+
Set the keystore password
|
1070
|
+
|
1071
|
+
[id="plugins-{type}s-{plugin}-ssl_keystore_path"]
|
1072
|
+
===== `ssl_keystore_path`
|
1073
|
+
|
1074
|
+
* Value type is <<path,path>>
|
1075
|
+
* There is no default value for this setting.
|
1076
|
+
|
1077
|
+
The keystore used to present a certificate to the server.
|
1078
|
+
It can be either `.jks` or `.p12`
|
1079
|
+
|
1080
|
+
NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
|
1081
|
+
|
1082
|
+
[id="plugins-{type}s-{plugin}-ssl_keystore_type"]
|
1083
|
+
===== `ssl_keystore_type`
|
1084
|
+
|
1085
|
+
* Value can be any of: `jks`, `pkcs12`
|
1086
|
+
* If not provided, the value will be inferred from the keystore filename.
|
1087
|
+
|
1088
|
+
The format of the keystore file. It must be either `jks` or `pkcs12`.
|
1057
1089
|
|
1058
1090
|
[id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
|
1059
1091
|
===== `ssl_supported_protocols`
|
@@ -1065,13 +1097,56 @@ https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
|
|
1065
1097
|
|
1066
1098
|
List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
|
1067
1099
|
|
1068
|
-
For Java 8 `'TLSv1.3'` is supported
|
1100
|
+
For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
|
1069
1101
|
`LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
|
1070
1102
|
|
1071
1103
|
NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
|
1072
1104
|
the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
|
1073
1105
|
the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
|
1074
1106
|
|
1107
|
+
[id="plugins-{type}s-{plugin}-ssl_truststore_password"]
|
1108
|
+
===== `ssl_truststore_password`
|
1109
|
+
|
1110
|
+
* Value type is <<password,password>>
|
1111
|
+
* There is no default value for this setting.
|
1112
|
+
|
1113
|
+
Set the truststore password
|
1114
|
+
|
1115
|
+
[id="plugins-{type}s-{plugin}-ssl_truststore_path"]
|
1116
|
+
===== `ssl_truststore_path`
|
1117
|
+
|
1118
|
+
* Value type is <<path,path>>
|
1119
|
+
* There is no default value for this setting.
|
1120
|
+
|
1121
|
+
The truststore to validate the server's certificate.
|
1122
|
+
It can be either `.jks` or `.p12`.
|
1123
|
+
|
1124
|
+
NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> at the same time.
|
1125
|
+
|
1126
|
+
[id="plugins-{type}s-{plugin}-ssl_truststore_type"]
|
1127
|
+
===== `ssl_truststore_type`
|
1128
|
+
|
1129
|
+
* Value can be any of: `jks`, `pkcs12`
|
1130
|
+
* If not provided, the value will be inferred from the truststore filename.
|
1131
|
+
|
1132
|
+
The format of the truststore file. It must be either `jks` or `pkcs12`.
|
1133
|
+
|
1134
|
+
[id="plugins-{type}s-{plugin}-ssl_verification_mode"]
|
1135
|
+
===== `ssl_verification_mode`
|
1136
|
+
|
1137
|
+
* Value can be any of: `full`, `none`
|
1138
|
+
* Default value is `full`
|
1139
|
+
|
1140
|
+
Defines how to verify the certificates presented by another party in the TLS connection:
|
1141
|
+
|
1142
|
+
`full` validates that the server certificate has an issue date that’s within
|
1143
|
+
the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
|
1144
|
+
has a hostname or IP address that matches the names within the certificate.
|
1145
|
+
|
1146
|
+
`none` performs no certificate validation.
|
1147
|
+
|
1148
|
+
WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
|
1149
|
+
|
1075
1150
|
[id="plugins-{type}s-{plugin}-template"]
|
1076
1151
|
===== `template`
|
1077
1152
|
|
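Review bot: In the `ssl_verification_mode` description, `full` is said to check that the certificate "has an issue date that's within the not_before and not_after dates", which reads as a comparison of the certificate against itself. What matters to an operator is that the certificate is currently inside its validity window, so reword it along the lines of "is within its not_before and not_after validity period". The three checks are also joined with a semicolon and then a comma; a short bullet list would make the scope of `full` easier to audit.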
@@ -1140,24 +1215,6 @@ the "logstash" template (i.e. removing all customized settings)
|
|
1140
1215
|
Set the timeout, in seconds, for network operations and requests sent Elasticsearch. If
|
1141
1216
|
a timeout occurs, the request will be retried.
|
1142
1217
|
|
1143
|
-
[id="plugins-{type}s-{plugin}-truststore"]
|
1144
|
-
===== `truststore`
|
1145
|
-
|
1146
|
-
* Value type is <<path,path>>
|
1147
|
-
* There is no default value for this setting.
|
1148
|
-
|
1149
|
-
The truststore to validate the server's certificate.
|
1150
|
-
It can be either .jks or .p12.
|
1151
|
-
Use either `:truststore` or `:cacert`.
|
1152
|
-
|
1153
|
-
[id="plugins-{type}s-{plugin}-truststore_password"]
|
1154
|
-
===== `truststore_password`
|
1155
|
-
|
1156
|
-
* Value type is <<password,password>>
|
1157
|
-
* There is no default value for this setting.
|
1158
|
-
|
1159
|
-
Set the truststore password
|
1160
|
-
|
1161
1218
|
[id="plugins-{type}s-{plugin}-upsert"]
|
1162
1219
|
===== `upsert`
|
1163
1220
|
|
@@ -1214,6 +1271,97 @@ https://www.elastic.co/blog/elasticsearch-versioning-support[versioning support
|
|
1214
1271
|
blog] and {ref}/docs-index_.html#_version_types[Version types] in the
|
1215
1272
|
Elasticsearch documentation.
|
1216
1273
|
|
1274
|
+
[id="plugins-{type}s-{plugin}-deprecated-options"]
|
1275
|
+
==== Elasticsearch Output Deprecated Configuration Options
|
1276
|
+
|
1277
|
+
This plugin supports the following deprecated configurations.
|
1278
|
+
|
1279
|
+
WARNING: Deprecated options are subject to removal in future releases.
|
1280
|
+
|
1281
|
+
[cols="<,<,<",options="header",]
|
1282
|
+
|=======================================================================
|
1283
|
+
|Setting|Input type|Replaced by
|
1284
|
+
| <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
|
1285
|
+
| <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_keystore_path>>
|
1286
|
+
| <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_keystore_password>>
|
1287
|
+
| <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_enabled>>
|
1288
|
+
| <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_verification_mode>>
|
1289
|
+
| <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_truststore_path>>
|
1290
|
+
| <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_truststore_password>>
|
1291
|
+
|=======================================================================
|
1292
|
+
|
1293
|
+
|
1294
|
+
[id="plugins-{type}s-{plugin}-cacert"]
|
1295
|
+
===== `cacert`
|
1296
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>]
|
1297
|
+
|
1298
|
+
* Value type is a list of <<path,path>>
|
1299
|
+
* There is no default value for this setting.
|
1300
|
+
|
1301
|
+
The .cer or .pem file to validate the server's certificate.
|
1302
|
+
|
1303
|
+
[id="plugins-{type}s-{plugin}-keystore"]
|
1304
|
+
===== `keystore`
|
1305
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_path>>]
|
1306
|
+
|
1307
|
+
* Value type is <<path,path>>
|
1308
|
+
* There is no default value for this setting.
|
1309
|
+
|
1310
|
+
The keystore used to present a certificate to the server.
|
1311
|
+
It can be either .jks or .p12
|
1312
|
+
|
1313
|
+
NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
|
1314
|
+
|
1315
|
+
[id="plugins-{type}s-{plugin}-keystore_password"]
|
1316
|
+
===== `keystore_password`
|
1317
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_password>>]
|
1318
|
+
|
1319
|
+
* Value type is <<password,password>>
|
1320
|
+
* There is no default value for this setting.
|
1321
|
+
|
1322
|
+
Set the keystore password
|
1323
|
+
|
1324
|
+
[id="plugins-{type}s-{plugin}-ssl"]
|
1325
|
+
===== `ssl`
|
1326
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
|
1327
|
+
|
1328
|
+
* Value type is <<boolean,boolean>>
|
1329
|
+
* There is no default value for this setting.
|
1330
|
+
|
1331
|
+
Enable SSL/TLS secured communication to Elasticsearch cluster.
|
1332
|
+
Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
|
1333
|
+
If no explicit protocol is specified plain HTTP will be used.
|
1334
|
+
|
1335
|
+
[id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
|
1336
|
+
===== `ssl_certificate_verification`
|
1337
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
|
1338
|
+
|
1339
|
+
* Value type is <<boolean,boolean>>
|
1340
|
+
* Default value is `true`
|
1341
|
+
|
1342
|
+
Option to validate the server's certificate. Disabling this severely compromises security.
|
1343
|
+
For more information on disabling certificate verification please read
|
1344
|
+
https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
|
1345
|
+
|
1346
|
+
[id="plugins-{type}s-{plugin}-truststore"]
|
1347
|
+
===== `truststore`
|
1348
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_path>>]
|
1349
|
+
|
1350
|
+
* Value type is <<path,path>>
|
1351
|
+
* There is no default value for this setting.
|
1352
|
+
|
1353
|
+
The truststore to validate the server's certificate.
|
1354
|
+
It can be either `.jks` or `.p12`.
|
1355
|
+
Use either `:truststore` or `:cacert`.
|
1356
|
+
|
1357
|
+
[id="plugins-{type}s-{plugin}-truststore_password"]
|
1358
|
+
===== `truststore_password`
|
1359
|
+
deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_password>>]
|
1360
|
+
|
1361
|
+
* Value type is <<password,password>>
|
1362
|
+
* There is no default value for this setting.
|
1363
|
+
|
1364
|
+
Set the truststore password
|
1217
1365
|
|
1218
1366
|
[id="plugins-{type}s-{plugin}-common-options"]
|
1219
1367
|
include::{include_path}/{type}.asciidoc[]
|
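Review bot: The deprecated `cacert` section says "Value type is a list of <<path,path>>", but the deprecated options table a few lines above lists it as "a valid filesystem path" and the section removed earlier in this file documented it as a single path. Make the two agree. The `truststore` section also still ends with "Use either `:truststore` or `:cacert`", which names only deprecated options; restate the exclusivity in terms of `ssl_truststore_path` and `ssl_certificate_authorities`, matching the NOTE on the new settings.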
@@ -229,14 +229,16 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
|
|
229
229
|
end
|
230
230
|
|
231
231
|
def health_check_request(url)
|
232
|
-
|
233
|
-
|
232
|
+
response = perform_request_to_url(url, :head, @healthcheck_path)
|
233
|
+
raise BadResponseCodeError.new(response.code, url, nil, response.body) unless (200..299).cover?(response.code)
|
234
234
|
end
|
235
235
|
|
236
236
|
def healthcheck!(register_phase = true)
|
237
237
|
# Try to keep locking granularity low such that we don't affect IO...
|
238
238
|
@state_mutex.synchronize { @url_info.select {|url,meta| meta[:state] != :alive } }.each do |url,meta|
|
239
239
|
begin
|
240
|
+
logger.debug("Running health check to see if an Elasticsearch connection is working",
|
241
|
+
:healthcheck_url => url.sanitized.to_s, :path => @healthcheck_path)
|
240
242
|
health_check_request(url)
|
241
243
|
|
242
244
|
# when called from resurrectionist skip the product check done during register phase
|
@@ -249,6 +251,10 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
|
|
249
251
|
logger.warn("Restored connection to ES instance", url: url.sanitized.to_s)
|
250
252
|
# We reconnected to this node, check its ES version
|
251
253
|
es_version = get_es_version(url)
|
254
|
+
if es_version.nil?
|
255
|
+
logger.warn("Failed to retrieve Elasticsearch version data from connected endpoint, connection aborted", :url => url.sanitized.to_s)
|
256
|
+
next
|
257
|
+
end
|
252
258
|
@state_mutex.synchronize do
|
253
259
|
meta[:version] = es_version
|
254
260
|
set_last_es_version(es_version, url)
|
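Review bot: The new `es_version.nil?` guard runs after the unchanged `logger.warn("Restored connection to ES instance", ...)` line, so an endpoint that answers the health check but returns no version logs "Restored connection" immediately followed by "connection aborted". Fetch and check the version first, and log the restored message only once the URL is actually going to be marked alive. That keeps the log from reporting a recovery that never happened, which matters when these lines feed alerting.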
@@ -464,8 +470,12 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
|
|
464
470
|
end
|
465
471
|
|
466
472
|
def get_es_version(url)
|
467
|
-
|
468
|
-
|
473
|
+
response = perform_request_to_url(url, :get, ROOT_URI_PATH)
|
474
|
+
return nil unless (200..299).cover?(response.code)
|
475
|
+
|
476
|
+
response = LogStash::Json.load(response.body)
|
477
|
+
|
478
|
+
response.fetch('version', {}).fetch('number', nil)
|
469
479
|
end
|
470
480
|
|
471
481
|
def last_es_version
|
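Review bot: `get_es_version` returns nil for a non-2xx status, but a 2xx response whose body is not JSON makes `LogStash::Json.load(response.body)` raise, and a JSON body that is not an object, or whose `version` is not a hash, makes the chained `fetch` calls raise. Unless the caller rescues those, a live HTTP endpoint that is not Elasticsearch can still produce an exception here instead of the nil that `healthcheck!` now handles. Consider rescuing the parse error and checking the parsed value's type before the `fetch`, returning nil in both cases. Two style points: the local `response` is reassigned from the HTTP response to the parsed body, and `(200..299).cover?(response.code)` now appears in both this method and `health_check_request`, so a small helper would remove the duplication.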
@@ -107,38 +107,55 @@ module LogStash; module Outputs; class ElasticSearch;
|
|
107
107
|
end
|
108
108
|
|
109
109
|
def self.setup_ssl(logger, params)
|
110
|
-
params["
|
111
|
-
return {} if params["
|
110
|
+
params["ssl_enabled"] = true if params["hosts"].any? {|h| h.scheme == "https" }
|
111
|
+
return {} if params["ssl_enabled"].nil?
|
112
112
|
|
113
|
-
return {:ssl => {:enabled => false}} if params["
|
113
|
+
return {:ssl => {:enabled => false}} if params["ssl_enabled"] == false
|
114
114
|
|
115
|
-
|
116
|
-
params.values_at('cacert', 'truststore', 'truststore_password', 'keystore', 'keystore_password')
|
115
|
+
ssl_certificate_authorities, ssl_truststore_path, ssl_certificate, ssl_keystore_path = params.values_at('ssl_certificate_authorities', 'ssl_truststore_path', 'ssl_certificate', 'ssl_keystore_path')
|
117
116
|
|
118
|
-
if
|
119
|
-
raise
|
117
|
+
if ssl_certificate_authorities && ssl_truststore_path
|
118
|
+
raise LogStash::ConfigurationError, 'Use either "ssl_certificate_authorities/cacert" or "ssl_truststore_path/truststore" when configuring the CA certificate'
|
119
|
+
end
|
120
|
+
|
121
|
+
if ssl_certificate && ssl_keystore_path
|
122
|
+
raise LogStash::ConfigurationError, 'Use either "ssl_certificate" or "ssl_keystore_path/keystore" when configuring client certificates'
|
120
123
|
end
|
121
124
|
|
122
125
|
ssl_options = {:enabled => true}
|
123
126
|
|
124
|
-
if
|
125
|
-
|
126
|
-
|
127
|
-
ssl_options[:truststore_password] = truststore_password.value if truststore_password
|
127
|
+
if ssl_certificate_authorities&.any?
|
128
|
+
raise LogStash::ConfigurationError, 'Multiple values on "ssl_certificate_authorities" are not supported by this plugin' if ssl_certificate_authorities.size > 1
|
129
|
+
ssl_options[:ca_file] = ssl_certificate_authorities.first
|
128
130
|
end
|
129
131
|
|
130
|
-
ssl_options
|
131
|
-
|
132
|
-
|
133
|
-
|
132
|
+
setup_ssl_store(ssl_options, 'truststore', params)
|
133
|
+
setup_ssl_store(ssl_options, 'keystore', params)
|
134
|
+
|
135
|
+
ssl_key = params["ssl_key"]
|
136
|
+
if ssl_certificate
|
137
|
+
raise LogStash::ConfigurationError, 'Using an "ssl_certificate" requires an "ssl_key"' unless ssl_key
|
138
|
+
ssl_options[:client_cert] = ssl_certificate
|
139
|
+
ssl_options[:client_key] = ssl_key
|
140
|
+
elsif !ssl_key.nil?
|
141
|
+
raise LogStash::ConfigurationError, 'An "ssl_certificate" is required when using an "ssl_key"'
|
134
142
|
end
|
135
143
|
|
136
|
-
|
137
|
-
|
138
|
-
|
139
|
-
|
144
|
+
ssl_verification_mode = params["ssl_verification_mode"]
|
145
|
+
unless ssl_verification_mode.nil?
|
146
|
+
case ssl_verification_mode
|
147
|
+
when 'none'
|
148
|
+
logger.warn "You have enabled encryption but DISABLED certificate verification, " +
|
149
|
+
"to make sure your data is secure set `ssl_verification_mode => full`"
|
150
|
+
ssl_options[:verify] = :disable
|
151
|
+
else
|
152
|
+
# Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
|
153
|
+
# which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
|
154
|
+
ssl_options[:verify] = :default
|
155
|
+
end
|
140
156
|
end
|
141
157
|
|
158
|
+
ssl_options[:cipher_suites] = params["ssl_cipher_suites"] if params.include?("ssl_cipher_suites")
|
142
159
|
ssl_options[:trust_strategy] = params["ssl_trust_strategy"] if params.include?("ssl_trust_strategy")
|
143
160
|
|
144
161
|
protocols = params['ssl_supported_protocols']
|
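Review bot: The exclusivity check `if ssl_certificate_authorities && ssl_truststore_path` tests truthiness, while the later use is guarded by `ssl_certificate_authorities&.any?`. An empty list is truthy in Ruby, so an empty `ssl_certificate_authorities` together with `ssl_truststore_path` raises the "Use either" error even though no CA file would be applied; use the same predicate in both places. Separately, in the `ssl_verification_mode` block, `ssl_options[:verify]` is only assigned when the parameter is non-nil, and the `else` branch maps every value other than 'none' to `:default`. A comment stating that the nil case relies on the HTTP client's own default and that unknown values are deliberately treated as full verification would make the fail-closed intent explicit.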
@@ -147,6 +164,16 @@ module LogStash; module Outputs; class ElasticSearch;
|
|
147
164
|
{ ssl: ssl_options }
|
148
165
|
end
|
149
166
|
|
167
|
+
# @param kind is a string [truststore|keystore]
|
168
|
+
def self.setup_ssl_store(ssl_options, kind, params)
|
169
|
+
store_path = params["ssl_#{kind}_path"]
|
170
|
+
if store_path
|
171
|
+
ssl_options[kind.to_sym] = store_path
|
172
|
+
ssl_options["#{kind}_type".to_sym] = params["ssl_#{kind}_type"] if params.include?("ssl_#{kind}_type")
|
173
|
+
ssl_options["#{kind}_password".to_sym] = params["ssl_#{kind}_password"].value if params.include?("ssl_#{kind}_password")
|
174
|
+
end
|
175
|
+
end
|
176
|
+
|
150
177
|
def self.setup_basic_auth(logger, params)
|
151
178
|
user, password = params["user"], params["password"]
|
152
179
|
|
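Review bot: In setup_ssl_store, the password line calls `.value` behind `params.include?("ssl_#{kind}_password")`, which guards on key presence rather than on the value, so a key that is present with a nil value raises NoMethodError. The line this replaces (`truststore_password.value if truststore_password`) guarded on the value itself; keep that form. Also, the type and password are only read inside `if store_path`, so a store password configured without a store path is dropped silently. Raising a LogStash::ConfigurationError in that case would match the ssl_certificate/ssl_key pairing checks added earlier in this file.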
@@ -46,15 +46,38 @@ module LogStash; module Outputs; class ElasticSearch
|
|
46
46
|
# definition - remove any existing definition of 'template'
|
47
47
|
template.delete('template') if template.include?('template') if plugin.maximum_seen_major_version < 8
|
48
48
|
template['index_patterns'] = "#{plugin.ilm_rollover_alias}-*"
|
49
|
-
settings =
|
49
|
+
settings = resolve_template_settings(plugin, template)
|
50
50
|
if settings && (settings['index.lifecycle.name'] || settings['index.lifecycle.rollover_alias'])
|
51
51
|
plugin.logger.info("Overwriting index lifecycle name and rollover alias as ILM is enabled")
|
52
52
|
end
|
53
53
|
settings.update({ 'index.lifecycle.name' => plugin.ilm_policy, 'index.lifecycle.rollover_alias' => plugin.ilm_rollover_alias})
|
54
54
|
end
|
55
55
|
|
56
|
-
def self.
|
57
|
-
|
56
|
+
def self.resolve_template_settings(plugin, template)
|
57
|
+
if template.key?('template')
|
58
|
+
plugin.logger.trace("Resolving ILM template settings: under 'template' key", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version)
|
59
|
+
composable_index_template_settings(template)
|
60
|
+
elsif template.key?('settings')
|
61
|
+
plugin.logger.trace("Resolving ILM template settings: under 'settings' key", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version)
|
62
|
+
legacy_index_template_settings(template)
|
63
|
+
else
|
64
|
+
template_endpoint = template_endpoint(plugin)
|
65
|
+
plugin.logger.trace("Resolving ILM template settings: template doesn't have 'settings' or 'template' fields, falling back to auto detection", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version, :template_endpoint => template_endpoint)
|
66
|
+
template_endpoint == INDEX_TEMPLATE_ENDPOINT ?
|
67
|
+
composable_index_template_settings(template) :
|
68
|
+
legacy_index_template_settings(template)
|
69
|
+
end
|
70
|
+
end
|
71
|
+
|
72
|
+
# Sets ['settings'] field to be compatible with _template API structure
|
73
|
+
def self.legacy_index_template_settings(template)
|
74
|
+
template['settings'] ||= {}
|
75
|
+
end
|
76
|
+
|
77
|
+
# Sets the ['template']['settings'] fields if not exist to be compatible with _index_template API structure
|
78
|
+
def self.composable_index_template_settings(template)
|
79
|
+
template['template'] ||= {}
|
80
|
+
template['template']['settings'] ||= {}
|
58
81
|
end
|
59
82
|
|
60
83
|
# Template name - if template_name set, use it
|
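Review bot: resolve_template_settings branches on `template.key?('template')` only, and composable_index_template_settings then runs `template['template']['settings'] ||= {}`, which assumes the value under 'template' is a Hash. The context line above deletes an existing 'template' entry only when `plugin.maximum_seen_major_version < 8`, so for 8 and later a non-Hash value under that key reaches this assignment and raises. Check `template['template'].is_a?(Hash)` before taking the composable branch, or fall through to the endpoint-based detection. The two helper comments also say "Sets ..." while the caller depends on the returned hash (`settings.update(...)`); document the return value so a later refactor does not break it.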