Graylog with Existing OpenSearch

Hi Everyone,
I am new to Graylog. I have installed OpenSearch, and it is working. Currently, I have configured ElastiFlow to send the flow data to OpenSearch, and OpenSearch Dashboards is able to display the data.
I was planning to configure Graylog to get logs from the same firewall, but my installation has an issue.
I get the following error in the log and I am unable to load the web console.
2023-07-21T22:53:57.298Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
2023-07-21T22:53:57.299Z INFO [VersionProbe] Elasticsearch is not available. Retry #306
2023-07-21T22:54:02.315Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.
2023-07-21T22:54:02.315Z INFO [VersionProbe] Elasticsearch is not available. Retry #307

OpenSearch is working and has no issues.
curl -XGET https://192.168.49.91:9200 -u admin:admin --insecure
{
  "name" : "OSH01",
  "cluster_name" : "opensearch",
  "cluster_uuid" : "*****",
  "version" : {
    "distribution" : "opensearch",
    "number" : "2.8.0",
    "build_type" : "deb",
    "build_hash" : "**",
    "build_date" : "**",
    "build_snapshot" : false,
    "lucene_version" : "9.6.0",
    "minimum_wire_compatibility_version" : "7.10.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "The OpenSearch Project: https://opensearch.org/"
}

~$ curl -XGET https://192.168.49.91:9200/_cat/nodes?v -u admin:admin --insecure
ip heap.percent ram.percent cpu load_1m load_5m load_15m node.role node.roles cluster_manager name
192.168.49.91 56 96 2 0.10 0.18 0.15 dimr cluster_manager,data,ingest,remote_cluster_client * OSH01

~$ curl -XGET https://192.168.49.91:9200/_cat/indices?v -u admin:admin --insecure
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .opensearch-observability trRv1mT8R-G-FbwqHnqo0g 1 0 0 0 208b 208b
green open elastiflow-flow-ecs-8.0-2.2-2023.07.21 wOTjECbUSNC9oF-Nkpj6yA 1 0 12254990 0 4.4gb 4.4gb
green open .kibana_92668751_admin_1 GxAoXKWFQcexCmazbK7LNQ 1 0 1291 0 394.7kb 394.7kb
yellow open security-auditlog-2023.07.22 TOOLuWS3RG-_QnWqBVJnoQ 1 1 695 0 1.4mb 1.4mb
yellow open security-auditlog-2023.07.21 c-zNVmttR7uuqrtR0F6IeA 1 1 1451 0 2.8mb 2.8mb
green open elastiflow-flow-ecs-8.0-2.2-2023.07.22 IeoqGfDlRaSiQk9djaJSxw 1 0 800927 0 355.3mb 355.3mb
green open .opendistro_security GY-bB775S1u_ErGQ_EeFfA 1 0 10 0 75.4kb 75.4kb
green open .kibana_1 S5MWlIeaT2-cfifycRlnUA 1 0 1291 0 394.7kb 394.7kb

Any guidance on how I can connect Graylog to OpenSearch?

Hi, @rohanrajnv.

First, you don't want to send logs directly into OpenSearch. You want a fresh install of OpenSearch and to let Graylog collect and transfer all messages to OpenSearch, as well as manage the retention and rotation of the OpenSearch indices.

The message you are seeing seems to indicate it’s looking for certificate information. I see the https in the URL, but don’t see that you’ve configured Graylog to use TLS.

2023-07-21T22:54:02.315Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. - unable to find valid certification path to requested target.

I also noticed these messages:

2023-07-21T22:53:57.299Z INFO [VersionProbe] Elasticsearch is not available. Retry #306
2023-07-21T22:54:02.315Z INFO [VersionProbe] Elasticsearch is not available. Retry #307

Graylog can't see OpenSearch. Did you list the OpenSearch node in the Graylog server.conf file?

Is there any way I can set up Graylog to not verify the certificate, just like ElastiFlow?

Not that I know of. If you don’t want to validate the certificate, just turn off TLS and use straight HTTP. As long as you are on the internal network, the risk should be small. You could mitigate even that risk with aggressive segmentation and ACLs.

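The alternative to turning TLS off, as an added example that is not code from the thread, from Graylog or from OpenSearch: make the Graylog JVM trust the CA that signed the OpenSearch HTTP certificate, which is what the "PKIX path building failed" message is asking for. Assumptions, not facts from the thread: the OpenSearch demo credentials admin:admin are kept, the trust store copy lives at /etc/graylog/server/certs/cacerts, the bundled JVM's default cacerts is under /usr/share/graylog-server/jvm, and the CA PEM is the file opensearch.yml names in plugins.security.ssl.http.pemtrustedcas_filepath (root-ca.pem in the demo config). The log lines classified in the demo are the ones posted above.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Graylog: resolve the PKIX
# error by trusting the OpenSearch CA instead of disabling TLS. Paths, the
# keystore alias and the JVM location below are assumptions.
set -eu

# Classify a Graylog server.log line. "pkix" is a trust problem: the node was
# reached and answered with a certificate the JVM cannot chain to a trusted CA.
# "retrying" is only the VersionProbe back-off that follows any failure, so by
# itself it does not say whether the cause is trust or connectivity.
classify_log_line() {
    case "$1" in
        *"PKIX path building failed"*)      echo pkix ;;
        *"Elasticsearch is not available"*) echo retrying ;;
        *)                                  echo other ;;
    esac
}

# server.conf line: node list with HTTP basic-auth credentials in the URL.
# server.conf now holds a password, so keep it readable by the graylog user only.
render_elasticsearch_hosts() {  # user pass host port
    printf 'elasticsearch_hosts = https://%s:%s@%s:%s\n' "$1" "$2" "$3" "$4"
}

# /etc/default/graylog-server line: point the JVM at a trust store that holds
# the OpenSearch CA (standard javax.net.ssl properties). The store password
# only integrity-protects public certificates, so the JVM default is acceptable.
render_java_opts() {  # truststore_path truststore_password
    printf 'GRAYLOG_SERVER_JAVA_OPTS="$GRAYLOG_SERVER_JAVA_OPTS -Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s"\n' "$1" "$2"
}

# Pre-flight check from the Graylog host: does the chain the node presents
# verify against the CA PEM we intend to trust? Non-zero means importing that
# CA would not fix the PKIX error either (wrong CA file, or the node serves a
# certificate from a different issuer). This is what curl --insecure skips.
verify_opensearch_chain() {  # host port ca_pem
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Import the CA into a copy of the JVM's default cacerts. Never edit the
# original: a JVM upgrade replaces it and the trust silently disappears.
# JVM_CACERTS is an assumed location for the JVM bundled with Graylog 5.
import_opensearch_ca() {  # ca_pem truststore_path truststore_password
    local jvm_cacerts=${JVM_CACERTS:-/usr/share/graylog-server/jvm/lib/security/cacerts}
    if [ ! -f "$2" ]; then
        install -d -m 0750 "$(dirname "$2")"
        cp "$jvm_cacerts" "$2"
    fi
    keytool -importcert -noprompt -trustcacerts -alias opensearch-ca \
        -file "$1" -keystore "$2" -storepass "$3"
    chown root:graylog "$2" 2>/dev/null || true   # graylog must be able to read it
    chmod 0640 "$2"
}

case "${1:-demo}" in
    demo)   # offline: classify the two log lines from the thread, print config lines
        classify_log_line '2023-07-21T22:53:57.298Z ERROR [VersionProbe] Unable to retrieve version from Elasticsearch node: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.'
        classify_log_line '2023-07-21T22:53:57.299Z INFO [VersionProbe] Elasticsearch is not available. Retry #306'
        render_elasticsearch_hosts admin admin 192.168.49.91 9200
        render_java_opts /etc/graylog/server/certs/cacerts changeit ;;
    check)  # usage: ./trust-opensearch.sh check 192.168.49.91 9200 root-ca.pem
        verify_opensearch_chain "$2" "$3" "$4" && echo "chain verifies against $4" ;;
    import) # usage: sudo ./trust-opensearch.sh import root-ca.pem /etc/graylog/server/certs/cacerts changeit
        import_opensearch_ca "$2" "$3" "$4" ;;
esac
```

Run `check` first: if the node's chain does not verify against the PEM you have, you are holding the wrong CA (or the node was re-keyed under another issuer), and no trust-store change on the Graylog side will clear the error. After `import`, add the two rendered lines to server.conf and /etc/default/graylog-server and restart graylog-server; the VersionProbe retries should stop on the next attempt.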

Thank you for your support. I managed to create a certificate.