Hi,

two years ago I set up a central syslog server using rsyslog to save logs from 
remote servers in separate /var/log/remote/<HOSTNAME>/<HOSTNAME>.log files. 
This works fine.

Recently I was asked to save the same messages in Elasticsearch as well, so I 
installed omelasticsearch and configured it like this:


# cat /etc/rsyslog.d/central-syslog-server.conf
module(load="imudp")
module(load="imtcp")
template(name="RemoteLogs" type="list") {
    constant(value="/var/log/remote/")
    property(name="hostname")
    constant(value="/")
    property(name="hostname")
    constant(value=".log")
}
#ruleset(name="remote") {
#     *.*   action(type="omfile" DynaFile="RemoteLogs")
#}

module(load="omelasticsearch")
template(name="syslog-index" type="string" string="syslog-%$YEAR%.%$MONTH%.%$DAY%")
ruleset(name="remote") {
      *.*   action(type="omfile" DynaFile="RemoteLogs")

      #*.*  action(type="omelasticsearch" server="http://s00124.example.com:9200"; searchIndex="syslog-index" dynSearchIndex="on")
      *.*   action(type="omelasticsearch" server="https://s00123.example.com:9200"; searchIndex="syslog-index" dynSearchIndex="on")
}
input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")



Note: Elasticsearch on s00124.example.com:9200 is v7.17.29 and uses plaintext 
HTTP; s00123.example.com:9200 is v8.19.7 and uses SSL-encrypted HTTPS.

Sending logs to plaintext s00124.example.com:9200 works fine (index-YYYY.MM.DD 
gets created and new messages appear in it), but the SSL-encrypted 
s00123.example.com:9200 does not work, no index gets created.

I am using rsyslog from Ubuntu 24.04

# dpkg -l | grep rsyslog
ii  rsyslog                 8.2312.0-3ubuntu9.1   amd64   reliable system and kernel logging daemon
ii  rsyslog-elasticsearch   8.2312.0-3ubuntu9.1   amd64   Elasticsearch output plugin for rsyslog
# lsb_release -r
Release:    24.04

I am sure the SSL-encrypted ES works fine, I am able to POST a message into it 
using curl.

$ curl -X POST -H "Content-Type: application/json" \
    -d '{"@timestamp":"2099-11-15T13:12:00","message":"GET /search HTTP/1.1 200 1070000","user":{"id":"kimchy"}}' \
    "https://S00123.example.com:9200/syslog-2025.11.26/_doc/"
{"_index":"syslog-2025.11.26","_id":"xIX0wJoBgNBZfOQ8v-qd","_version":1,"result":"created","_shards":{"total":2,"successful":2,"failed":0},"_seq_no":0,"_primary_term":1}

What am I missing? Please help, I am getting desperate...

Thank you,
Cheers,
Oskar
_______________________________________________
rsyslog mailing list
https://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T LIKE 
THAT.
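For readers who land on this thread with the same symptom, the following is an added example configuration, not Oskar's file and not code from the rsyslog project. The omelasticsearch action in the post gives the plugin no CA certificate to verify the HTTPS endpoint against and no credentials, and an Elasticsearch 8 install enables both TLS and authentication by default; those two parameters, plus an errorfile so that rejected requests are recorded instead of vanishing, are what the HTTPS target usually needs on top of the working plaintext action. The CA path, the user name, the password, the errorfile path and the queue name are placeholders; the searchType handling is my assumption about the plugin and is marked as such in the comments.

```rsyslog
# /etc/rsyslog.d/central-syslog-server.conf (added example, not the original
# config; paths, user name and password are placeholders). Because the file
# now carries a password, keep it owned by root with mode 0640.
module(load="imudp")
module(load="imtcp")
module(load="omelasticsearch")

template(name="RemoteLogs" type="list") {
    constant(value="/var/log/remote/")
    property(name="hostname")
    constant(value="/")
    property(name="hostname")
    constant(value=".log")
}
template(name="syslog-index" type="string" string="syslog-%$YEAR%.%$MONTH%.%$DAY%")

ruleset(name="remote") {
    *.* action(type="omfile" DynaFile="RemoteLogs")

    # HTTPS target.
    # tls.cacert: the CA that signed the cluster's HTTP certificate. A default
    # ES 8 install writes that CA to /etc/elasticsearch/certs/http_ca.crt on
    # the ES node; copy it to the log server (it is not secret). Without it the
    # TLS handshake fails and no index is ever created.
    # uid/pwd: ES 8 enables authentication by default; use a role limited to
    # writing the syslog-* indices rather than the elastic superuser.
    # searchType="": ES 8 has no mapping types, so the type must stay out of
    # the request (assumption about how rsyslog treats an empty searchType).
    # errorfile: requests the cluster rejects, with the cluster's reply, are
    # written here instead of disappearing silently.
    # queue.*: disk-assisted queue so the omfile action keeps running while the
    # HTTPS target is down and nothing is lost across a restart.
    *.* action(type="omelasticsearch"
               server="https://s00123.example.com:9200"
               searchIndex="syslog-index" dynSearchIndex="on"
               searchType=""
               tls.cacert="/etc/rsyslog.d/tls/es-http-ca.crt"
               uid="rsyslog_writer" pwd="CHANGE_ME"
               bulkmode="on"
               errorfile="/var/log/rsyslog/omelasticsearch-errors.log"
               queue.type="LinkedList" queue.filename="es_https_q"
               queue.saveOnShutdown="on"
               action.resumeRetryCount="-1")
}

input(type="imudp" port="514" ruleset="remote")
input(type="imtcp" port="514" ruleset="remote")
```

Validate the file with `rsyslogd -N1` before restarting, and prove the CA file is the right one with the same curl as in the post plus `--cacert /etc/rsyslog.d/tls/es-http-ca.crt -u rsyslog_writer`: if curl cannot verify the certificate or gets a 401 with that CA and user, rsyslog will fail in the same way. Whatever the cluster rejects after the handshake succeeds shows up in the errorfile with the cluster's own error message, which is where a bulk request refused for carrying a `_type` would be visible. If the cluster is configured to demand client certificates, `tls.mycert` and `tls.myprivkey` supply them. The plugin also accepts `allowunsignedcerts="on"` and `skipverifyhost="on"`, which make the handshake succeed against any certificate; they are fine for a lab but remove exactly the protection the HTTPS endpoint exists to provide, so they do not belong on a production log server.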
