Hey,
Ok I see now. I have done that with Open-distro for elasticsearch (i.e. OpenSearch)
Once you get the cert’s and keystore completed you should be good.
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 10.10.10.10
http.port: 9200
action.auto_create_index: true
opendistro_security.ssl.transport.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.transport.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.transport.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
opendistro_security.ssl.transport.enforce_hostname_verification: false
opendistro_security.ssl.http.enabled: true
opendistro_security.ssl.http.pemcert_filepath: /etc/elasticsearch/admin.pem
opendistro_security.ssl.http.pemkey_filepath: /etc/elasticsearch/admin-key.pem
opendistro_security.ssl.http.pemtrustedcas_filepath: /etc/elasticsearch/root-ca.pem
opendistro_security.allow_unsafe_democertificates: false
opendistro_security.allow_default_init_securityindex: false
opendistro_security.authcz.admin_dn:
- 'CN=elastic-stack.domain.com,OU=admin,O=enseva,L=cedar rapids,ST=iowa,C=us'
opendistro_security.audit.type: internal_elasticsearch
opendistro_security.enable_snapshot_restore_privilege: true
opendistro_security.check_snapshot_restore_write_privileges: true
opendistro_security.restapi.roles_enabled: ["all_access", "security_rest_api_access"]
opendistro_security.system_indices.enabled: true
opendistro_security.system_indices.indices: [".opendistro-alerting-config", ".opendistro-alerting-alert*", ".opendistro-anomaly-results*", ".opendistro-anomaly-detector*", ".opendistro-anomaly-checkpoints", ".opendistro-anomaly-detection-state", ".opendistro-reports-*", ".opendistro-notifications-*", ".opendistro-notebooks", ".opendistro-asynchronous-search-response*"]
cluster.routing.allocation.disk.threshold_enabled: false
node.max_local_storage_nodes: 3
Yes, that is the connection between Graylog and elasticsearch/opensearch
Like I said…
I have other applications that need to connect to Elasticsearch node. if you using multiple nodes with https ensure Graylog can read the certificates and can access the keystore.
As for your configuration with HTTPS in Graylog configuration file
# List of Elasticsearch hosts Graylog should connect to.
# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
# requires authentication.
#
# Default: http://127.0.0.1:9200
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
I have secured the ES cluster but as for Graylog connection over the network to ES I have used user/password not HTTPS yet