19

I am far from being a Dev with any .net experience, but the dev team at work would like to use Serilog along with serilog-sinks-elasticsearch to push logs into my ELK stack.

Looking at the config for serilog-sinks-elasticsearch, there doesn't seem to be any way to send the creds required to write to the ElasticSearch Cluster.

Is this just a dumb ops person question or have I just missed the config somewhere?

Thanks

Paige Cook
Phil

4 Answers

37

I struggled to find a good solution for this too. Adding the username/password to the URL definitely does work but somehow doesn't feel right.

This worked for me:

```csharp
.WriteTo.Elasticsearch(new ElasticsearchSinkOptions(new Uri("https://your-deployment.westeurope.azure.elastic-cloud.com:9243"))
{
  ...,
  ModifyConnectionSettings = x => x.BasicAuthentication("elastic", "your-password"),
})
```
Yashvit
10

Good question....

You might try supplying them as part of the Elasticsearch server/stack URL.

Example:

```csharp
.WriteTo.Sink(new ElasticsearchSink(new ElasticsearchSinkOptions(new Uri(url))
{
    AutoRegisterTemplate = true
}))
```

where

```csharp
url = "https://user:password@stack-server:port"
```
programmerj
  • It looks like specifying credentials in URL works for a single node only. If credentials are specified for several nodes divided by ; or , logging stops working. Tried in .Net Core 3.1. Settings in appsettings.json – MikhailSP Jan 18 '21 at 12:29
8

If you want to stick with your configuration file (appsettings.json), know that you can use the argument connectionGlobalHeaders to specify the login/password, because Elasticsearch uses Basic Authentication to authenticate the user.

Something like this:

```json
{
  "Serilog": {
    "WriteTo": [
      {
        "Name": "Elasticsearch",
        "Args": {
          "nodeUris": "https://your-uri",
          "connectionGlobalHeaders": "Authorization=Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
          "indexFormat": "application-log-{0:yyyy.MM}",
          "autoRegisterTemplate": true,
          "autoRegisterTemplateVersion": "ESv7"
        }
      }
    ]
  }
}
```

where the part after "Authorization=Basic" is the Base64 string of your "login:password".

Dharman
Marimout
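
The `ModifyConnectionSettings` and `connectionGlobalHeaders` approaches from the answers above, as an added example that is not part of any answer on this page. It reads the credentials from environment variables instead of a literal in source or appsettings.json. The variable names `ELASTIC_LOG_USER` and `ELASTIC_LOG_PASSWORD`, the class name, and the HTTPS and user-info checks are assumptions of this example.

```csharp
using System;
using System.Text;
using Serilog;
using Serilog.Sinks.Elasticsearch;

public static class ElasticLogging
{
    // Hypothetical variable names; populate them from your secret store or deployment pipeline.
    private const string UserVar = "ELASTIC_LOG_USER";
    private const string PasswordVar = "ELASTIC_LOG_PASSWORD";

    private static string RequireEnv(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"Missing environment variable {name}");
        return value;
    }

    // Builds the value that follows "Authorization=" in connectionGlobalHeaders.
    // Base64 is an encoding, not encryption: ("username", "password") gives the
    // exact string shown in the appsettings.json answer, and it decodes just as easily.
    public static string BasicHeaderValue(string user, string password) =>
        "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes($"{user}:{password}"));

    public static ILogger Create(Uri node)
    {
        // Policy of this example: Basic credentials only travel over TLS.
        if (node.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Elasticsearch node URI must use https", nameof(node));
        // Policy of this example: no user:password@ in the URI, so the URI stays safe to log.
        if (!string.IsNullOrEmpty(node.UserInfo))
            throw new ArgumentException("Do not embed credentials in the node URI", nameof(node));

        string user = RequireEnv(UserVar);
        string password = RequireEnv(PasswordVar);

        var options = new ElasticsearchSinkOptions(node)
        {
            AutoRegisterTemplate = true,
            ModifyConnectionSettings = c => c.BasicAuthentication(user, password),
        };
        return new LoggerConfiguration().WriteTo.Elasticsearch(options).CreateLogger();
    }
}
```

If the appsettings.json route is kept, treat that file as a secret, since the header value is only Base64-encoded.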
0

If Serilog doesn't send data to your log server, make sure that the version of Elastic is compatible with the sink. It took me hours to figure that out :)

mahdignb
  • Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Aug 17 '22 at 12:38