Logstash 8.8.0 may fail to start when SSL/TLS is enabled in monitoring and/or central management, due to a change introduced in version 11.14.0 of the logstash-output-elasticsearch plugin. When impacted by this issue, Logstash fails to start and logs an error similar to the following:
[logstash.licensechecker.licensereader] Failed to perform request {:message=>"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target", :exception=>Manticore::ClientProtocolException, :cause=>#<Java::JavaxNetSsl::SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target>}
Resolution
A successful Elasticsearch output plugin update to version 11.15.8 or higher will resolve this issue:
bin/logstash-plugin update logstash-output-elasticsearch
OR
Specify the ca_trusted_fingerprint setting in the logstash.yml.
The certificate fingerprint can be extracted with:
cat your_ca.cert | openssl x509 -outform der | sha256sum | awk '{print $1}'
Then set the following in logstash.yml using the output from the previous command:
xpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint: "<value>"
xpack.management.elasticsearch.ssl.ca_trusted_fingerprint: "<value>"
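The same fingerprint calculation as the openssl pipeline above, as an added example that is not part of the original release notes or of Logstash. It goes one step further and fingerprints every certificate in a PEM bundle, since openssl x509 reads only the first certificate in its input. The function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# Matches each certificate block in a PEM file or bundle.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)
SETTINGS = (
    "xpack.monitoring.elasticsearch.ssl.ca_trusted_fingerprint",
    "xpack.management.elasticsearch.ssl.ca_trusted_fingerprint",
)

def ca_fingerprints(pem_text):
    """Hex SHA-256 of the DER bytes of every certificate in pem_text, in order."""
    bodies = PEM_CERT.findall(pem_text)
    if not bodies:
        raise ValueError("no PEM certificate block found")
    fingerprints = []
    for body in bodies:
        # PEM is base64 of the DER encoding; drop line breaks before decoding.
        der = base64.b64decode("".join(body.split()), validate=True)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints

def logstash_yml_lines(fingerprint):
    """Render the two logstash.yml settings named above for one fingerprint."""
    if not re.fullmatch(r"[0-9a-f]{64}", fingerprint):
        raise ValueError("expected 64 lowercase hex characters")
    return [f'{key}: "{fingerprint}"' for key in SETTINGS]

def make_pem(der):
    """Helper for the sample input only: wrap bytes in PEM armour."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes, not real certificates.
SAMPLE_DER = [b"constructed placeholder CA #1", b"constructed placeholder CA #2"]
SAMPLE_BUNDLE = "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    for fp in ca_fingerprints(SAMPLE_BUNDLE):
        print("\n".join(logstash_yml_lines(fp)), end="\n\n")
```

With a real CA file, pass its text to ca_fingerprints and use the entry for the CA that signed the Elasticsearch certificate.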
- Fix a race condition that prevents Logstash from updating a pipeline’s configuration with in-flight events experiencing connection errors. #14739 This issue primarily manifests following the update of Elasticsearch credentials through Central Management, after credentials expired while events were in-flight. It causes the Elasticsearch Output to get stuck attempting to send events with the expired credentials instead of using the updated ones. To address this problem, Logstash has improved the pipeline shutdown phase functionality to allow an output plugin to request the termination of the in-flight batch of events; hence preventing the need for administrators to manually restart Logstash. Furthermore, when used in combination with a persistent queue to prevent data loss, the batch is eligible for reprocessing on pipeline restart. Plugin developers can now decide whether to make use of such functionality on output plugins. #14940
- Updates Bundler to version 2.4 #14995
Elasticsearch Filter - 3.15.0
Memcached Filter - 1.2.0
- Upgrade Dalli to 3.x #33
Beats Input - 6.6.0
- Standardize SSL settings to comply with Logstash’s naming convention #470
Elasticsearch Input - 4.17.0
- Standardize SSL settings to comply with Logstash’s naming convention #185
Http Input - 3.7.0
- Standardize SSL settings to comply with Logstash’s naming convention #165
Kafka Integration - 11.2.1
- Fix nil exception to empty headers of record during event metadata assignment #140
- Added TLS truststore and keystore settings specifically to access the schema registry #137
- Added config group_instance_id to use the Kafka’s consumer static membership feature #135
- Changed Kafka client to 3.3.1, requires Logstash >= 8.3.0.
- Deprecated default value for setting client_dns_lookup forcing to use_all_dns_ips when explicitly used #130
- Changed the consumer’s poll from using the one that blocks on metadata retrieval to the one that doesn’t #136
Normalize_config_support Mixin - 1.0.0
Elasticsearch Output - 11.15.1