logstash-output-elasticsearch 11.12.4-java → 11.15.9-java

Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: a912267d383b51082d4c1b68e21d83dcb506433abc4f3f12bce0465eef84f439
4
- data.tar.gz: dc69623c94ad47986ed07f25818eeabfbfdd49532dfd9970f8c638dfe950f615
3
+ metadata.gz: c9e537b9f31644ce80834b295b99d22566863f666ab319efc34f641c15018d74
4
+ data.tar.gz: a99f63dd55f4b0a12e597e812db124dd9a7fe82ce1a5e7af4057992f903eac65
5
5
  SHA512:
6
- metadata.gz: 99568149dc8d313460046ca2e247c43e2e505e6649441a22a365e0d5484ba493d5d91c4eedfb5700fc447f64122555db3b92d6b59513a6b42e07dcc43dda3ada
7
- data.tar.gz: 56d2ce9c942f2dffbfc850f8feec0368dc2456ee08f7d7f46b83de94f9439fdd9047a1bae9231cc41caf45105a1abda0d1e60429a37059709f337e5ea8f8b6e4
6
+ metadata.gz: 12fa3b203130210b5d274364ff97e31bfb01aaedd23ac22fc53fea1626cad628d3f33e952dcf12555fc4860d7577235684e255550dfc7668d9dc93d7e6bf55ff
7
+ data.tar.gz: 50ca989af2afc85f439995c6dde9c7eeda56924c9d9729ef91426b34dc99146fadecf3e290dc7e122113bb2cbf50bdc1eeac22f8448d2d4373b0d251660fb6a7
data/CHANGELOG.md CHANGED
@@ -1,3 +1,61 @@
1
+ ## 11.15.9
2
+ - allow dlq_ settings when using data streams [#1144](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1144)
3
+
4
+ ## 11.15.8
5
+ - Fixes a regression introduced in 11.14.0 which could prevent Logstash 8.8 from establishing a connection to Elasticsearch for Central Management and Monitoring core features [#1141](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/1141)
6
+
7
+ ## 11.15.7
8
+ - Fixes a regression introduced in 11.14.0 which could prevent a connection from being established to Elasticsearch in some SSL configurations [#1138](https://github.com/logstash-plugins/logstash-output-elasticsearch/issues/1138)
9
+
10
+ ## 11.15.6
11
+ - Fix: avoid to reject a batch when the Elasticsearch connection is alive and the processing should continue [#1132](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1132).
12
+
13
+ ## 11.15.5
14
+ - Fixes `undefined 'shutdown_requested' method` error when plugin checks if shutdown request is received [#1134](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1134)
15
+
16
+ ## 11.15.4
17
+ - Improved connection handling under several partial-failure scenarios [#1130](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1130)
18
+ - Ensures an HTTP connection can be established before adding the connection to the pool
19
+ - Ensures that the version of the connected Elasticsearch is retrieved _successfully_ before the connection is added to the pool.
20
+ - Fixes a crash that could occur when the plugin is configured to connect to a live HTTP resource that is _not_ Elasticsearch
21
+
22
+ ## 11.15.3
23
+ - Removes the ECS v8 unreleased preview warning [#1131](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1131)
24
+
25
+ ## 11.15.2
26
+ - Restores DLQ logging behavior from 11.8.x to include the action-tuple as structured [#1105](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1105)
27
+
28
+ ## 11.15.1
29
+ - Move async finish_register to bottom of register to avoid race condition [#1125](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1125)
30
+
31
+ ## 11.15.0
32
+ - Added the ability to negatively acknowledge the batch under processing if the plugin is blocked in a retry-error-loop and a shutdown is requested. [#1119](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1119)
33
+
34
+ ## 11.14.1
35
+ - [DOC] Fixed incorrect pull request link on the CHANGELOG `11.14.0` entry [#1122](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1122)
36
+
37
+ ## 11.14.0
38
+ - Added SSL settings for: [#1118](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1118)
39
+ - `ssl_truststore_type`: The format of the truststore file
40
+ - `ssl_keystore_type`: The format of the keystore file
41
+ - `ssl_certificate`: OpenSSL-style X.509 certificate file to authenticate the client
42
+ - `ssl_key`: OpenSSL-style RSA private key that corresponds to the `ssl_certificate`
43
+ - `ssl_cipher_suites`: The list of cipher suites
44
+ - Reviewed and deprecated SSL settings to comply with Logstash's naming convention
45
+ - Deprecated `ssl` in favor of `ssl_enabled`
46
+ - Deprecated `cacert` in favor of `ssl_certificate_authorities`
47
+ - Deprecated `keystore` in favor of `ssl_keystore_path`
48
+ - Deprecated `keystore_password` in favor of `ssl_keystore_password`
49
+ - Deprecated `truststore` in favor of `ssl_truststore_path`
50
+ - Deprecated `truststore_password` in favor of `ssl_truststore_password`
51
+ - Deprecated `ssl_certificate_verification` in favor of `ssl_verification_mode`
52
+
53
+ ## 11.13.1
54
+ - Avoid crash by ensuring ILM settings are injected in the correct location depending on the default (or custom) template format, template_api setting and ES version [#1102](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1102)
55
+
56
+ ## 11.13.0
57
+ - add technology preview support for allowing events to individually encode a default pipeline with `[@metadata][target_ingest_pipeline]` (as part of a technology preview, this feature may change without notice) [#1113](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1113)
58
+
1
59
  ## 11.12.4
2
60
  - Changed the `manage_template` default value to `false` when data streams is enabled [#1111](https://github.com/logstash-plugins/logstash-output-elasticsearch/pull/1111)
3
61
  - Added the `manage_template => false` as a valid data stream option
data/docs/index.asciidoc CHANGED
@@ -299,7 +299,7 @@ checks.
299
299
  ==== Elasticsearch Output Configuration Options
300
300
 
301
301
  This plugin supports the following configuration options plus the
302
- <<plugins-{type}s-{plugin}-common-options>> described later.
302
+ <<plugins-{type}s-{plugin}-common-options>> and the <<plugins-{type}s-{plugin}-deprecated-options>> described later.
303
303
 
304
304
  [cols="<,<,<",options="header",]
305
305
  |=======================================================================
@@ -307,7 +307,6 @@ This plugin supports the following configuration options plus the
307
307
  | <<plugins-{type}s-{plugin}-action>> |<<string,string>>|No
308
308
  | <<plugins-{type}s-{plugin}-api_key>> |<<password,password>>|No
309
309
  | <<plugins-{type}s-{plugin}-bulk_path>> |<<string,string>>|No
310
- | <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|No
311
310
  | <<plugins-{type}s-{plugin}-ca_trusted_fingerprint>> |<<string,string>>|No
312
311
  | <<plugins-{type}s-{plugin}-cloud_auth>> |<<password,password>>|No
313
312
  | <<plugins-{type}s-{plugin}-cloud_id>> |<<string,string>>|No
@@ -333,8 +332,6 @@ This plugin supports the following configuration options plus the
333
332
  | <<plugins-{type}s-{plugin}-ilm_policy>> |<<string,string>>|No
334
333
  | <<plugins-{type}s-{plugin}-ilm_rollover_alias>> |<<string,string>>|No
335
334
  | <<plugins-{type}s-{plugin}-index>> |<<string,string>>|No
336
- | <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|No
337
- | <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|No
338
335
  | <<plugins-{type}s-{plugin}-silence_errors_in_log>> |<<array,array>>|No
339
336
  | <<plugins-{type}s-{plugin}-manage_template>> |<<boolean,boolean>>|No
340
337
  | <<plugins-{type}s-{plugin}-parameters>> |<<hash,hash>>|No
@@ -358,16 +355,24 @@ This plugin supports the following configuration options plus the
358
355
  | <<plugins-{type}s-{plugin}-sniffing>> |<<boolean,boolean>>|No
359
356
  | <<plugins-{type}s-{plugin}-sniffing_delay>> |<<number,number>>|No
360
357
  | <<plugins-{type}s-{plugin}-sniffing_path>> |<<string,string>>|No
361
- | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|No
362
- | <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|No
358
+ | <<plugins-{type}s-{plugin}-ssl_certificate>> |<<path,path>>|No
359
+ | <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> |list of <<path,path>>|No
360
+ | <<plugins-{type}s-{plugin}-ssl_cipher_suites>> |list of <<string,string>>|No
361
+ | <<plugins-{type}s-{plugin}-ssl_enabled>> |<<boolean,boolean>>|No
362
+ | <<plugins-{type}s-{plugin}-ssl_key>> |<<path,path>>|No
363
+ | <<plugins-{type}s-{plugin}-ssl_keystore_password>> |<<password,password>>|No
364
+ | <<plugins-{type}s-{plugin}-ssl_keystore_path>> |<<path,path>>|No
365
+ | <<plugins-{type}s-{plugin}-ssl_keystore_type>> |<<string,string>>|No
363
366
  | <<plugins-{type}s-{plugin}-ssl_supported_protocols>> |<<string,string>>|No
367
+ | <<plugins-{type}s-{plugin}-ssl_truststore_password>> |<<password,password>>|No
368
+ | <<plugins-{type}s-{plugin}-ssl_truststore_path>> |<<path,path>>|No
369
+ | <<plugins-{type}s-{plugin}-ssl_truststore_type>> |<<string,string>>|No
370
+ | <<plugins-{type}s-{plugin}-ssl_verification_mode>> |<<string,string>>, one of `["full", "none"]`|No
364
371
  | <<plugins-{type}s-{plugin}-template>> |a valid filesystem path|No
365
372
  | <<plugins-{type}s-{plugin}-template_api>> |<<string,string>>, one of `["auto", "legacy", "composable"]`|No
366
373
  | <<plugins-{type}s-{plugin}-template_name>> |<<string,string>>|No
367
374
  | <<plugins-{type}s-{plugin}-template_overwrite>> |<<boolean,boolean>>|No
368
375
  | <<plugins-{type}s-{plugin}-timeout>> |<<number,number>>|No
369
- | <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|No
370
- | <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|No
371
376
  | <<plugins-{type}s-{plugin}-upsert>> |<<string,string>>|No
372
377
  | <<plugins-{type}s-{plugin}-user>> |<<string,string>>|No
373
378
  | <<plugins-{type}s-{plugin}-validate_after_inactivity>> |<<number,number>>|No
@@ -408,7 +413,7 @@ For more details on actions, check out the {ref}/docs-bulk.html[Elasticsearch bu
408
413
  * There is no default value for this setting.
409
414
 
410
415
  Authenticate using Elasticsearch API key.
411
- Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`ssl => true`>>.
416
+ Note that this option also requires SSL/TLS, which can be enabled by supplying a <<plugins-{type}s-{plugin}-cloud_id>>, a list of HTTPS <<plugins-{type}s-{plugin}-hosts>>, or by setting <<plugins-{type}s-{plugin}-ssl,`ssl_enabled => true`>>.
412
417
 
413
418
  Format is `id:api_key` where `id` and `api_key` are as returned by the
414
419
  Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
@@ -422,14 +427,6 @@ Elasticsearch {ref}/security-api-create-api-key.html[Create API key API].
422
427
  HTTP Path to perform the _bulk requests to
423
428
  this defaults to a concatenation of the path parameter and "_bulk"
424
429
 
425
- [id="plugins-{type}s-{plugin}-cacert"]
426
- ===== `cacert`
427
-
428
- * Value type is <<path,path>>
429
- * There is no default value for this setting.
430
-
431
- The .cer or .pem file to validate the server's certificate.
432
-
433
430
  [id="plugins-{type}s-{plugin}-ca_trusted_fingerprint"]
434
431
  ===== `ca_trusted_fingerprint`
435
432
 
@@ -769,23 +766,6 @@ Logstash uses
769
766
  http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html[Joda
770
767
  formats] and the `@timestamp` field of each event is being used as source for the date.
771
768
 
772
- [id="plugins-{type}s-{plugin}-keystore"]
773
- ===== `keystore`
774
-
775
- * Value type is <<path,path>>
776
- * There is no default value for this setting.
777
-
778
- The keystore used to present a certificate to the server.
779
- It can be either .jks or .p12
780
-
781
- [id="plugins-{type}s-{plugin}-keystore_password"]
782
- ===== `keystore_password`
783
-
784
- * Value type is <<password,password>>
785
- * There is no default value for this setting.
786
-
787
- Set the keystore password
788
-
789
769
  [id="plugins-{type}s-{plugin}-manage_template"]
790
770
  ===== `manage_template`
791
771
 
@@ -849,12 +829,11 @@ not also set this field. That will raise an error at startup
849
829
  ===== `pipeline`
850
830
 
851
831
  * Value type is <<string,string>>
852
- * Default value is `nil`
832
+ * There is no default value.
853
833
 
854
834
  Set which ingest pipeline you wish to execute for an event. You can also use
855
- event dependent configuration here like `pipeline =>
856
- "%{[@metadata][pipeline]}"`. The pipeline parameter won't be set if the value
857
- resolves to empty string ("").
835
+ event dependent configuration here like `pipeline => "%{[@metadata][pipeline]}"`.
836
+ The pipeline parameter won't be set if the value resolves to empty string ("").
858
837
 
859
838
  [id="plugins-{type}s-{plugin}-pool_max"]
860
839
  ===== `pool_max`
@@ -1035,8 +1014,35 @@ the default value is computed by concatenating the path value and "_nodes/http"
1035
1014
  if sniffing_path is set it will be used as an absolute path
1036
1015
  do not use full URL here, only paths, e.g. "/sniff/_nodes/http"
1037
1016
 
1038
- [id="plugins-{type}s-{plugin}-ssl"]
1039
- ===== `ssl`
1017
+ [id="plugins-{type}s-{plugin}-ssl_certificate"]
1018
+ ===== `ssl_certificate`
1019
+ * Value type is <<path,path>>
1020
+ * There is no default value for this setting.
1021
+
1022
+ SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
1023
+
1024
+ NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_key>> is set.
1025
+
1026
+ [id="plugins-{type}s-{plugin}-ssl_certificate_authorities"]
1027
+ ===== `ssl_certificate_authorities`
1028
+
1029
+ * Value type is a list of <<path,path>>
1030
+ * There is no default value for this setting
1031
+
1032
+ The .cer or .pem files to validate the server's certificate.
1033
+
1034
+ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_truststore_path>> at the same time.
1035
+
1036
+ [id="plugins-{type}s-{plugin}-ssl_cipher_suites"]
1037
+ ===== `ssl_cipher_suites`
1038
+ * Value type is a list of <<string,string>>
1039
+ * There is no default value for this setting
1040
+
1041
+ The list of cipher suites to use, listed by priorities.
1042
+ Supported cipher suites vary depending on the Java and protocol versions.
1043
+
1044
+ [id="plugins-{type}s-{plugin}-ssl_enabled"]
1045
+ ===== `ssl_enabled`
1040
1046
 
1041
1047
  * Value type is <<boolean,boolean>>
1042
1048
  * There is no default value for this setting.
@@ -1045,15 +1051,41 @@ Enable SSL/TLS secured communication to Elasticsearch cluster.
1045
1051
  Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
1046
1052
  If no explicit protocol is specified plain HTTP will be used.
1047
1053
 
1048
- [id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
1049
- ===== `ssl_certificate_verification`
1054
+ [id="plugins-{type}s-{plugin}-ssl_key"]
1055
+ ===== `ssl_key`
1056
+ * Value type is <<path,path>>
1057
+ * There is no default value for this setting.
1050
1058
 
1051
- * Value type is <<boolean,boolean>>
1052
- * Default value is `true`
1059
+ OpenSSL-style RSA private key that corresponds to the <<plugins-{type}s-{plugin}-ssl_certificate>>.
1053
1060
 
1054
- Option to validate the server's certificate. Disabling this severely compromises security.
1055
- For more information on disabling certificate verification please read
1056
- https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
1061
+ NOTE: This setting can be used only if <<plugins-{type}s-{plugin}-ssl_certificate>> is set.
1062
+
1063
+ [id="plugins-{type}s-{plugin}-ssl_keystore_password"]
1064
+ ===== `ssl_keystore_password`
1065
+
1066
+ * Value type is <<password,password>>
1067
+ * There is no default value for this setting.
1068
+
1069
+ Set the keystore password
1070
+
1071
+ [id="plugins-{type}s-{plugin}-ssl_keystore_path"]
1072
+ ===== `ssl_keystore_path`
1073
+
1074
+ * Value type is <<path,path>>
1075
+ * There is no default value for this setting.
1076
+
1077
+ The keystore used to present a certificate to the server.
1078
+ It can be either `.jks` or `.p12`
1079
+
1080
+ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
1081
+
1082
+ [id="plugins-{type}s-{plugin}-ssl_keystore_type"]
1083
+ ===== `ssl_keystore_type`
1084
+
1085
+ * Value can be any of: `jks`, `pkcs12`
1086
+ * If not provided, the value will be inferred from the keystore filename.
1087
+
1088
+ The format of the keystore file. It must be either `jks` or `pkcs12`.
1057
1089
 
1058
1090
  [id="plugins-{type}s-{plugin}-ssl_supported_protocols"]
1059
1091
  ===== `ssl_supported_protocols`
@@ -1065,13 +1097,56 @@ https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
1065
1097
 
1066
1098
  List of allowed SSL/TLS versions to use when establishing a connection to the Elasticsearch cluster.
1067
1099
 
1068
- For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
1100
+ For Java 8 `'TLSv1.3'` is supported only since **8u262** (AdoptOpenJDK), but requires that you set the
1069
1101
  `LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"` system property in Logstash.
1070
1102
 
1071
1103
  NOTE: If you configure the plugin to use `'TLSv1.1'` on any recent JVM, such as the one packaged with Logstash,
1072
1104
  the protocol is disabled by default and needs to be enabled manually by changing `jdk.tls.disabledAlgorithms` in
1073
1105
  the *$JDK_HOME/conf/security/java.security* configuration file. That is, `TLSv1.1` needs to be removed from the list.
1074
1106
 
1107
+ [id="plugins-{type}s-{plugin}-ssl_truststore_password"]
1108
+ ===== `ssl_truststore_password`
1109
+
1110
+ * Value type is <<password,password>>
1111
+ * There is no default value for this setting.
1112
+
1113
+ Set the truststore password
1114
+
1115
+ [id="plugins-{type}s-{plugin}-ssl_truststore_path"]
1116
+ ===== `ssl_truststore_path`
1117
+
1118
+ * Value type is <<path,path>>
1119
+ * There is no default value for this setting.
1120
+
1121
+ The truststore to validate the server's certificate.
1122
+ It can be either `.jks` or `.p12`.
1123
+
1124
+ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate_authorities>> at the same time.
1125
+
1126
+ [id="plugins-{type}s-{plugin}-ssl_truststore_type"]
1127
+ ===== `ssl_truststore_type`
1128
+
1129
+ * Value can be any of: `jks`, `pkcs12`
1130
+ * If not provided, the value will be inferred from the truststore filename.
1131
+
1132
+ The format of the truststore file. It must be either `jks` or `pkcs12`.
1133
+
1134
+ [id="plugins-{type}s-{plugin}-ssl_verification_mode"]
1135
+ ===== `ssl_verification_mode`
1136
+
1137
+ * Value can be any of: `full`, `none`
1138
+ * Default value is `full`
1139
+
1140
+ Defines how to verify the certificates presented by another party in the TLS connection:
1141
+
1142
+ `full` validates that the server certificate has an issue date that’s within
1143
+ the not_before and not_after dates; chains to a trusted Certificate Authority (CA), and
1144
+ has a hostname or IP address that matches the names within the certificate.
1145
+
1146
+ `none` performs no certificate validation.
1147
+
1148
+ WARNING: Setting certificate verification to `none` disables many security benefits of SSL/TLS, which is very dangerous. For more information on disabling certificate verification please read https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
1149
+
1075
1150
  [id="plugins-{type}s-{plugin}-template"]
1076
1151
  ===== `template`
1077
1152
 
@@ -1140,24 +1215,6 @@ the "logstash" template (i.e. removing all customized settings)
1140
1215
  Set the timeout, in seconds, for network operations and requests sent Elasticsearch. If
1141
1216
  a timeout occurs, the request will be retried.
1142
1217
 
1143
- [id="plugins-{type}s-{plugin}-truststore"]
1144
- ===== `truststore`
1145
-
1146
- * Value type is <<path,path>>
1147
- * There is no default value for this setting.
1148
-
1149
- The truststore to validate the server's certificate.
1150
- It can be either .jks or .p12.
1151
- Use either `:truststore` or `:cacert`.
1152
-
1153
- [id="plugins-{type}s-{plugin}-truststore_password"]
1154
- ===== `truststore_password`
1155
-
1156
- * Value type is <<password,password>>
1157
- * There is no default value for this setting.
1158
-
1159
- Set the truststore password
1160
-
1161
1218
  [id="plugins-{type}s-{plugin}-upsert"]
1162
1219
  ===== `upsert`
1163
1220
 
@@ -1214,6 +1271,97 @@ https://www.elastic.co/blog/elasticsearch-versioning-support[versioning support
1214
1271
  blog] and {ref}/docs-index_.html#_version_types[Version types] in the
1215
1272
  Elasticsearch documentation.
1216
1273
 
1274
+ [id="plugins-{type}s-{plugin}-deprecated-options"]
1275
+ ==== Elasticsearch Output Deprecated Configuration Options
1276
+
1277
+ This plugin supports the following deprecated configurations.
1278
+
1279
+ WARNING: Deprecated options are subject to removal in future releases.
1280
+
1281
+ [cols="<,<,<",options="header",]
1282
+ |=======================================================================
1283
+ |Setting|Input type|Replaced by
1284
+ | <<plugins-{type}s-{plugin}-cacert>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_certificate_authorities>>
1285
+ | <<plugins-{type}s-{plugin}-keystore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_keystore_path>>
1286
+ | <<plugins-{type}s-{plugin}-keystore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_keystore_password>>
1287
+ | <<plugins-{type}s-{plugin}-ssl>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_enabled>>
1288
+ | <<plugins-{type}s-{plugin}-ssl_certificate_verification>> |<<boolean,boolean>>|<<plugins-{type}s-{plugin}-ssl_verification_mode>>
1289
+ | <<plugins-{type}s-{plugin}-truststore>> |a valid filesystem path|<<plugins-{type}s-{plugin}-ssl_truststore_path>>
1290
+ | <<plugins-{type}s-{plugin}-truststore_password>> |<<password,password>>|<<plugins-{type}s-{plugin}-ssl_truststore_password>>
1291
+ |=======================================================================
1292
+
1293
+
1294
+ [id="plugins-{type}s-{plugin}-cacert"]
1295
+ ===== `cacert`
1296
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_certificate_authorities>>]
1297
+
1298
+ * Value type is a list of <<path,path>>
1299
+ * There is no default value for this setting.
1300
+
1301
+ The .cer or .pem file to validate the server's certificate.
1302
+
1303
+ [id="plugins-{type}s-{plugin}-keystore"]
1304
+ ===== `keystore`
1305
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_path>>]
1306
+
1307
+ * Value type is <<path,path>>
1308
+ * There is no default value for this setting.
1309
+
1310
+ The keystore used to present a certificate to the server.
1311
+ It can be either .jks or .p12
1312
+
1313
+ NOTE: You cannot use this setting and <<plugins-{type}s-{plugin}-ssl_certificate>> at the same time.
1314
+
1315
+ [id="plugins-{type}s-{plugin}-keystore_password"]
1316
+ ===== `keystore_password`
1317
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_keystore_password>>]
1318
+
1319
+ * Value type is <<password,password>>
1320
+ * There is no default value for this setting.
1321
+
1322
+ Set the keystore password
1323
+
1324
+ [id="plugins-{type}s-{plugin}-ssl"]
1325
+ ===== `ssl`
1326
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_enabled>>]
1327
+
1328
+ * Value type is <<boolean,boolean>>
1329
+ * There is no default value for this setting.
1330
+
1331
+ Enable SSL/TLS secured communication to Elasticsearch cluster.
1332
+ Leaving this unspecified will use whatever scheme is specified in the URLs listed in <<plugins-{type}s-{plugin}-hosts>> or extracted from the <<plugins-{type}s-{plugin}-cloud_id>>.
1333
+ If no explicit protocol is specified plain HTTP will be used.
1334
+
1335
+ [id="plugins-{type}s-{plugin}-ssl_certificate_verification"]
1336
+ ===== `ssl_certificate_verification`
1337
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_verification_mode>>]
1338
+
1339
+ * Value type is <<boolean,boolean>>
1340
+ * Default value is `true`
1341
+
1342
+ Option to validate the server's certificate. Disabling this severely compromises security.
1343
+ For more information on disabling certificate verification please read
1344
+ https://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf
1345
+
1346
+ [id="plugins-{type}s-{plugin}-truststore"]
1347
+ ===== `truststore`
1348
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_path>>]
1349
+
1350
+ * Value type is <<path,path>>
1351
+ * There is no default value for this setting.
1352
+
1353
+ The truststore to validate the server's certificate.
1354
+ It can be either `.jks` or `.p12`.
1355
+ Use either `:truststore` or `:cacert`.
1356
+
1357
+ [id="plugins-{type}s-{plugin}-truststore_password"]
1358
+ ===== `truststore_password`
1359
+ deprecated[11.14.0, Replaced by <<plugins-{type}s-{plugin}-ssl_truststore_password>>]
1360
+
1361
+ * Value type is <<password,password>>
1362
+ * There is no default value for this setting.
1363
+
1364
+ Set the truststore password
1217
1365
 
1218
1366
  [id="plugins-{type}s-{plugin}-common-options"]
1219
1367
  include::{include_path}/{type}.asciidoc[]
@@ -229,14 +229,16 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
229
229
  end
230
230
 
231
231
  def health_check_request(url)
232
- logger.debug("Running health check to see if an ES connection is working", url: url.sanitized.to_s, path: @healthcheck_path)
233
- perform_request_to_url(url, :head, @healthcheck_path)
232
+ response = perform_request_to_url(url, :head, @healthcheck_path)
233
+ raise BadResponseCodeError.new(response.code, url, nil, response.body) unless (200..299).cover?(response.code)
234
234
  end
235
235
 
236
236
  def healthcheck!(register_phase = true)
237
237
  # Try to keep locking granularity low such that we don't affect IO...
238
238
  @state_mutex.synchronize { @url_info.select {|url,meta| meta[:state] != :alive } }.each do |url,meta|
239
239
  begin
240
+ logger.debug("Running health check to see if an Elasticsearch connection is working",
241
+ :healthcheck_url => url.sanitized.to_s, :path => @healthcheck_path)
240
242
  health_check_request(url)
241
243
 
242
244
  # when called from resurrectionist skip the product check done during register phase
@@ -249,6 +251,10 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
249
251
  logger.warn("Restored connection to ES instance", url: url.sanitized.to_s)
250
252
  # We reconnected to this node, check its ES version
251
253
  es_version = get_es_version(url)
254
+ if es_version.nil?
255
+ logger.warn("Failed to retrieve Elasticsearch version data from connected endpoint, connection aborted", :url => url.sanitized.to_s)
256
+ next
257
+ end
252
258
  @state_mutex.synchronize do
253
259
  meta[:version] = es_version
254
260
  set_last_es_version(es_version, url)
@@ -464,8 +470,12 @@ module LogStash; module Outputs; class ElasticSearch; class HttpClient;
464
470
  end
465
471
 
466
472
  def get_es_version(url)
467
- request = perform_request_to_url(url, :get, ROOT_URI_PATH)
468
- LogStash::Json.load(request.body)["version"]["number"] # e.g. "7.10.0"
473
+ response = perform_request_to_url(url, :get, ROOT_URI_PATH)
474
+ return nil unless (200..299).cover?(response.code)
475
+
476
+ response = LogStash::Json.load(response.body)
477
+
478
+ response.fetch('version', {}).fetch('number', nil)
469
479
  end
470
480
 
471
481
  def last_es_version
@@ -107,38 +107,55 @@ module LogStash; module Outputs; class ElasticSearch;
107
107
  end
108
108
 
109
109
  def self.setup_ssl(logger, params)
110
- params["ssl"] = true if params["hosts"].any? {|h| h.scheme == "https" }
111
- return {} if params["ssl"].nil?
110
+ params["ssl_enabled"] = true if params["hosts"].any? {|h| h.scheme == "https" }
111
+ return {} if params["ssl_enabled"].nil?
112
112
 
113
- return {:ssl => {:enabled => false}} if params["ssl"] == false
113
+ return {:ssl => {:enabled => false}} if params["ssl_enabled"] == false
114
114
 
115
- cacert, truststore, truststore_password, keystore, keystore_password =
116
- params.values_at('cacert', 'truststore', 'truststore_password', 'keystore', 'keystore_password')
115
+ ssl_certificate_authorities, ssl_truststore_path, ssl_certificate, ssl_keystore_path = params.values_at('ssl_certificate_authorities', 'ssl_truststore_path', 'ssl_certificate', 'ssl_keystore_path')
117
116
 
118
- if cacert && truststore
119
- raise(LogStash::ConfigurationError, "Use either \"cacert\" or \"truststore\" when configuring the CA certificate") if truststore
117
+ if ssl_certificate_authorities && ssl_truststore_path
118
+ raise LogStash::ConfigurationError, 'Use either "ssl_certificate_authorities/cacert" or "ssl_truststore_path/truststore" when configuring the CA certificate'
119
+ end
120
+
121
+ if ssl_certificate && ssl_keystore_path
122
+ raise LogStash::ConfigurationError, 'Use either "ssl_certificate" or "ssl_keystore_path/keystore" when configuring client certificates'
120
123
  end
121
124
 
122
125
  ssl_options = {:enabled => true}
123
126
 
124
- if cacert
125
- ssl_options[:ca_file] = cacert
126
- elsif truststore
127
- ssl_options[:truststore_password] = truststore_password.value if truststore_password
127
+ if ssl_certificate_authorities&.any?
128
+ raise LogStash::ConfigurationError, 'Multiple values on "ssl_certificate_authorities" are not supported by this plugin' if ssl_certificate_authorities.size > 1
129
+ ssl_options[:ca_file] = ssl_certificate_authorities.first
128
130
  end
129
131
 
130
- ssl_options[:truststore] = truststore if truststore
131
- if keystore
132
- ssl_options[:keystore] = keystore
133
- ssl_options[:keystore_password] = keystore_password.value if keystore_password
132
+ setup_ssl_store(ssl_options, 'truststore', params)
133
+ setup_ssl_store(ssl_options, 'keystore', params)
134
+
135
+ ssl_key = params["ssl_key"]
136
+ if ssl_certificate
137
+ raise LogStash::ConfigurationError, 'Using an "ssl_certificate" requires an "ssl_key"' unless ssl_key
138
+ ssl_options[:client_cert] = ssl_certificate
139
+ ssl_options[:client_key] = ssl_key
140
+ elsif !ssl_key.nil?
141
+ raise LogStash::ConfigurationError, 'An "ssl_certificate" is required when using an "ssl_key"'
134
142
  end
135
143
 
136
- if !params["ssl_certificate_verification"]
137
- logger.warn "You have enabled encryption but DISABLED certificate verification, " +
138
- "to make sure your data is secure remove `ssl_certificate_verification => false`"
139
- ssl_options[:verify] = :disable # false accepts self-signed but still validates hostname
144
+ ssl_verification_mode = params["ssl_verification_mode"]
145
+ unless ssl_verification_mode.nil?
146
+ case ssl_verification_mode
147
+ when 'none'
148
+ logger.warn "You have enabled encryption but DISABLED certificate verification, " +
149
+ "to make sure your data is secure set `ssl_verification_mode => full`"
150
+ ssl_options[:verify] = :disable
151
+ else
152
+ # Manticore's :default maps to Apache HTTP Client's DefaultHostnameVerifier,
153
+ # which is the modern STRICT verifier that replaces the deprecated StrictHostnameVerifier
154
+ ssl_options[:verify] = :default
155
+ end
140
156
  end
141
157
 
158
+ ssl_options[:cipher_suites] = params["ssl_cipher_suites"] if params.include?("ssl_cipher_suites")
142
159
  ssl_options[:trust_strategy] = params["ssl_trust_strategy"] if params.include?("ssl_trust_strategy")
143
160
 
144
161
  protocols = params['ssl_supported_protocols']
@@ -147,6 +164,16 @@ module LogStash; module Outputs; class ElasticSearch;
147
164
  { ssl: ssl_options }
148
165
  end
149
166
 
167
+ # @param kind is a string [truststore|keystore]
168
+ def self.setup_ssl_store(ssl_options, kind, params)
169
+ store_path = params["ssl_#{kind}_path"]
170
+ if store_path
171
+ ssl_options[kind.to_sym] = store_path
172
+ ssl_options["#{kind}_type".to_sym] = params["ssl_#{kind}_type"] if params.include?("ssl_#{kind}_type")
173
+ ssl_options["#{kind}_password".to_sym] = params["ssl_#{kind}_password"].value if params.include?("ssl_#{kind}_password")
174
+ end
175
+ end
176
+
150
177
  def self.setup_basic_auth(logger, params)
151
178
  user, password = params["user"], params["password"]
152
179
 
@@ -46,15 +46,38 @@ module LogStash; module Outputs; class ElasticSearch
46
46
  # definition - remove any existing definition of 'template'
47
47
  template.delete('template') if template.include?('template') if plugin.maximum_seen_major_version < 8
48
48
  template['index_patterns'] = "#{plugin.ilm_rollover_alias}-*"
49
- settings = template_settings(plugin, template)
49
+ settings = resolve_template_settings(plugin, template)
50
50
  if settings && (settings['index.lifecycle.name'] || settings['index.lifecycle.rollover_alias'])
51
51
  plugin.logger.info("Overwriting index lifecycle name and rollover alias as ILM is enabled")
52
52
  end
53
53
  settings.update({ 'index.lifecycle.name' => plugin.ilm_policy, 'index.lifecycle.rollover_alias' => plugin.ilm_rollover_alias})
54
54
  end
55
55
 
56
- def self.template_settings(plugin, template)
57
- plugin.maximum_seen_major_version < 8 ? template['settings']: template['template']['settings']
56
+ def self.resolve_template_settings(plugin, template)
57
+ if template.key?('template')
58
+ plugin.logger.trace("Resolving ILM template settings: under 'template' key", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version)
59
+ composable_index_template_settings(template)
60
+ elsif template.key?('settings')
61
+ plugin.logger.trace("Resolving ILM template settings: under 'settings' key", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version)
62
+ legacy_index_template_settings(template)
63
+ else
64
+ template_endpoint = template_endpoint(plugin)
65
+ plugin.logger.trace("Resolving ILM template settings: template doesn't have 'settings' or 'template' fields, falling back to auto detection", :template => template, :template_api => plugin.template_api, :es_version => plugin.maximum_seen_major_version, :template_endpoint => template_endpoint)
66
+ template_endpoint == INDEX_TEMPLATE_ENDPOINT ?
67
+ composable_index_template_settings(template) :
68
+ legacy_index_template_settings(template)
69
+ end
70
+ end
71
+
72
+ # Sets ['settings'] field to be compatible with _template API structure
73
+ def self.legacy_index_template_settings(template)
74
+ template['settings'] ||= {}
75
+ end
76
+
77
+ # Sets the ['template']['settings'] fields if not exist to be compatible with _index_template API structure
78
+ def self.composable_index_template_settings(template)
79
+ template['template'] ||= {}
80
+ template['template']['settings'] ||= {}
58
81
  end
59
82
 
60
83
  # Template name - if template_name set, use it