This is AI-generated via rsyslog.ai, but I (the maintainer) have
reviewed it and it looks plausible. While I maintain rsyslog, I am not
deeply involved in Elasticsearch connections. So I may have overlooked
something. Still, the text below should hopefully give you some ideas
of what to check. I did not verify if the full scheme actually works -
I suggest using the explicit parameters just to be on the safe side.

current doc is here:
   https://www.rsyslog.com/doc/configuration/modules/omelasticsearch.html

HTH
Rainer

---
regarding your question about whether the port needs to be configured
differently for omelasticsearch: the way you configured it is correct.
You do NOT need a separate port parameter when you already include the
port inside the server URL. A line like:

server="https://s00123.example.com:9200"

is fully valid. The omelasticsearch documentation states that the
server parameter may include scheme and port. Only if the port is
missing does rsyslog fall back to the Serverport parameter. Since you
explicitly added :9200 in the URL, nothing more is required.

So the port is not the issue.

When HTTP works and HTTPS does not, the actual reason is almost always
TLS certificate validation. The Elasticsearch 8 endpoint likely uses a
certificate signed by a private CA or a CA that rsyslog’s libcurl
environment does not trust. Curl may work because it uses a different
CA store than rsyslog.

Fix options:

1. Install the ES CA certificate into the system trust store and run
update-ca-certificates.
2. Or point the omelasticsearch action directly at the CA file using:
   tls.cacert="/path/to/your-ca.pem"

To quickly confirm that TLS verification is the problem, you can
temporarily add:

skipverifyhost="on"

This disables hostname verification and can show whether TLS trust is
the blocker. Do not use this in production; it is only for testing.

If you still cannot connect, start rsyslog in debug mode (rsyslogd
-nd) and send a test message. Any TLS or connection errors will appear
immediately. You can send me those TLS-related lines, and I can help
interpret them.

On Wed, 26 Nov 2025 at 18:04, Oskar Stolc via rsyslog
(<[email protected]>) wrote:
>
> Hi,
>
> two years ago I set up a central syslog server using rsyslog to save logs 
> from remote servers in separate /var/log/remote/<HOSTNAME>/<HOSTNAME>.log 
> files. This works fine.
>
> Recently I was asked to save the same messages in Elasticsearch as well, so I 
> installed omelasticsearch and configured it like this:
>
>
> # cat /etc/rsyslog.d/central-syslog-server.conf
> module(load="imudp")
> module(load="imtcp")
> template(name="RemoteLogs" type="list") {
>     constant(value="/var/log/remote/")
>     property(name="hostname")
>     constant(value="/")
>     property(name="hostname")
>     constant(value=".log")
> }
> #ruleset(name="remote") {
> #     *.*   action(type="omfile" DynaFile="RemoteLogs")
> #}
>
> module(load="omelasticsearch")
> template(name="syslog-index" type="string" string="syslog-%$YEAR%.%$MONTH%.%$DAY%")
> ruleset(name="remote") {
> *.*   action(type="omfile" DynaFile="RemoteLogs")
>
> #*.*  action(type="omelasticsearch" server="http://s00124.example.com:9200" searchIndex="syslog-index" dynSearchIndex="on")
> *.*   action(type="omelasticsearch" server="https://s00123.example.com:9200" searchIndex="syslog-index" dynSearchIndex="on")
> }
> input(type="imudp" port="514" ruleset="remote")
> input(type="imtcp" port="514" ruleset="remote")
>
>
>
> Note: ElasticSearch on s00124.example.com:9200 is v7.17.29 and uses plaintext 
> HTTP, s00123.example.com:9200 is v8.19.7 and uses SSL encrypted HTTPS.
>
> Sending logs to plaintext s00124.example.com:9200 works fine 
> (index-YYYY.MM.DD gets created and new messages appear in it), but the SSL 
> encrypted s00123.example.com:9200 does not work, no index gets created.
>
> I am using rsyslog from Ubuntu 24.04
>
> # dpkg -l |grep rsyslog
> ii  rsyslog                 8.2312.0-3ubuntu9.1   amd64   reliable system and kernel logging daemon
> ii  rsyslog-elasticsearch   8.2312.0-3ubuntu9.1   amd64   Elasticsearch output plugin for rsyslog
> # lsb_release -r
> Release:    24.04
>
> I am sure the SSL encrypted ES works fine, I am able to POST a message into 
> it using curl.
>
> $ curl -X POST -H "Content-Type: application/json" -d '{"@timestamp":"2099-11-15T13:12:00","message":"GET /search HTTP/1.1 200 1070000","user":{"id":"kimchy"}}' "https://S00123.example.com:9200/syslog-2025.11.26/_doc/"
> {"_index":"syslog-2025.11.26","_id":"xIX0wJoBgNBZfOQ8v-qd","_version":1,"result":"created","_shards":{"total":2,"successful":2,"failed":0},"_seq_no":0,"_primary_term":1}
>
> What am I missing? Please help, I am getting desperate...
>
> Thank you,
> Cheers,
> Oskar
> _______________________________________________
> rsyslog mailing list
> https://lists.adiscon.net/mailman/listinfo/rsyslog
> http://www.rsyslog.com/professional-services/
> What's up with rsyslog? Follow https://twitter.com/rgerhards
> NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad of 
> sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you DON'T 
> LIKE THAT.
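The diagnosis in the reply above ("curl works, rsyslog does not" because they consult different CA stores) can be reproduced locally without an Elasticsearch node. The following Python script is an added example, not rsyslog or omelasticsearch code: a throwaway self-signed certificate made with the openssl CLI stands in for the private-CA certificate on the Elasticsearch 8 node, and a local TLS listener stands in for port 9200. It then runs the same handshake four ways: with the system trust store only (rsyslog's default before the CA is installed), with an explicit CA file (the analogue of tls.cacert="..."), with the right CA file but a wrong server name, and with the hostname check switched off (the analogue of skipverifyhost="on", which in omelasticsearch relaxes only the name check, not chain validation). All hostnames, file names and the `run_demo` helper are constructed for the demo.

```python
"""Reproduce the 'curl works, rsyslog does not' TLS trust symptom locally.

Constructed demo, not rsyslog code: a self-signed cert stands in for the
private-CA certificate of the HTTPS Elasticsearch node, and a local TLS
listener on 127.0.0.1 stands in for port 9200.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed_cert(hostname):
    """Create a one-day self-signed cert + key for `hostname` with the openssl CLI."""
    workdir = tempfile.mkdtemp(prefix="es-tls-demo-")
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-keyout", key, "-out", cert,
         "-subj", f"/CN={hostname}",
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True,
    )
    return cert, key


def start_tls_listener(cert, key):
    """Serve TLS on 127.0.0.1:<random port>; only the handshake matters here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            try:
                conn, _ = lsock.accept()
            except OSError:
                return
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # handshake is done by now; we do not speak HTTP
            except (ssl.SSLError, OSError):
                pass  # client rejected our cert: exactly the failure this demo shows
            finally:
                conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def check_tls(host, port, server_name, cafile=None, skip_verify_host=False):
    """Attempt a verified TLS handshake and return (ok, detail).

    cafile=None          -> trust only the system CA store (rsyslog's default)
    cafile="ca.pem"      -> trust only that file (like tls.cacert="...")
    skip_verify_host     -> keep chain validation, drop only the hostname check
                            (the analogue of skipverifyhost="on")
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if skip_verify_host:
        ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name):
                return True, "handshake ok"
    except ssl.SSLCertVerificationError as e:
        return False, f"{e.reason}: {getattr(e, 'verify_message', e)}"
    except (ssl.SSLError, OSError) as e:
        return False, f"connection error: {e}"


def run_demo():
    """Run the four handshake variants against the local stand-in endpoint."""
    cert, key = make_self_signed_cert("localhost")
    port = start_tls_listener(cert, key)
    return {
        # 1. system store only: chain fails, like rsyslog before the CA is trusted
        "system_store": check_tls("127.0.0.1", port, "localhost"),
        # 2. explicit CA file: the equivalent of tls.cacert=... in the action
        "explicit_cafile": check_tls("127.0.0.1", port, "localhost", cafile=cert),
        # 3. right CA but wrong name: the only case skipverifyhost can paper over
        "name_mismatch": check_tls("127.0.0.1", port, "wrong.example", cafile=cert),
        "name_mismatch_skipped": check_tls("127.0.0.1", port, "wrong.example",
                                           cafile=cert, skip_verify_host=True),
    }


if __name__ == "__main__":
    for case, (ok, detail) in run_demo().items():
        print(f"{case:24s} {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it prints a CERTIFICATE_VERIFY_FAILED line for the system-store case and a clean handshake for the explicit CA file, which is the pattern to expect in `rsyslogd -nd` output before and after adding `tls.cacert="/path/to/your-ca.pem"` to the HTTPS omelasticsearch action. The last two cases show why skipverifyhost="on" only helps when the certificate is trusted but issued for a different name; an untrusted CA still fails with it, so the CA file (or the system trust store) is the actual fix.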