SSL/TLS Support?

[maikelnight]

I try to get i working with ssl but fail.

Without ssl (works if mongodb server is set to "allowSSL", what means that the output do not use ssl!):

output {
if [type] == "mytype" {
mongodb {
uri => "mongodb://myserver/"
database => "mydatabase"
collection => "mycollection"
id => "myid"
}
}
}

What i tried....
With ssl (mongodb server is set to "requireSSL", what means no ssl no data....):

output {
if [type] == "mytype" {
mongodb {
uri => "mongodb://myserver/mydatabase?ssl=true"
database => "mydatabase"
collection => "mycollection"
id => "myid"
}
}
}

That doesnt work and in mongodb log i see that the server tells "requires ssl".

[YakobovLior]

Any updates regarding this?
This is very important as many managed service (for example AWS DocumentDB) supports only SSL connections.

Thanks in advance

[wjjpt]

Hi, I have same issue. The problem is located in logstash-output-mongodb.gemspec:

s.add_runtime_dependency 'mongo', '~> 2.0.6'

mongo ruby gem version 2.0.6 is too old and does not support ssl and tls options (only ssl=boolean). You need at least 2.4 or greater. Last version (2.8.0) has almost ssl/tls options. For example:

https://jira.mongodb.org/browse/RUBY-1608
https://github.com/mongodb/mongo-ruby-driver/releases/tag/v2.7.0.rc0

This is support for tls verifications in 2.7.0

[wjjpt]

HI, look this PR:

#52

[wjjpt]

Hi, I was able to execute logstash with latest ruby driver 2.7.2 against AWS documentdb using "?ssl=true&tlsInsecure=true" options. Use #52 for it.

[YakobovLior]

Hey @wjjpt, thank you for the assistance, but I didn't understand how PR #52 is related to this issue.
Can you please provide the modifications you have made to the regular logstash-output-mongodb plugin in order to make it work against AWS DocumentDB?

Thanks in advance,
Lior

[wjjpt]

Hi @YakobovLior , The ssl issue is solved with latest ruby driver version for mongodb, and it allows to me to connect to docdb (mongodb version 3.6.0). In particular I use "ssl=true&tlsInsecure=true". I've used PR #52 and applied it to master, modified file logstash-output-mongodb.gemspec to use 2.7.2 version and execute gem build logstash-output-mongodb.gemspec to get my own logstash-output-mongodb-3.1.5.gem, then install it as local plugin:

logstash-plugin install /path/to/logstash-output-mongodb-3.1.5.gem

In particular, I use docker version, Dockerfile:

FROM docker.elastic.co/logstash/logstash:7.0.0

COPY logstash-output-mongodb-3.1.5.gem /tmp/
RUN bin/logstash-plugin install /tmp/logstash-output-mongodb-3.1.5.gem

then:

docker build -t wjjpt/logstash-output-mongodb .

and

docker run --rm -it --env XPACK_MONITORING_ENABLED="false" -v ~/pipeline/:/usr/share/logstash/pipeline/ -p 5000:5000 wjjpt/logstash-output-mongodb

With a pipeline like follows:

input {
	beats {
		codec => json
		port => 5000
		ssl => true
		ssl_certificate => "/usr/share/logstash/pipeline/ssl/lumberjack.cert"
		ssl_key => "/usr/share/logstash/pipeline/ssl/lumberjack.key"
	}
}
filter {}
output {
	mongodb{
		bulk => true
		collection => "mycollection"
		database => "test"
		uri => "mongodb://user:<password>@user-docdb.cluster-xxxxxx.eu-west-1.docdb.amazonaws.com:27017/test?ssl=true&tlsInsecure=true"
	}
}

That's all

[YakobovLior]

Hey @wjjpt, many thanks for the detailed answer, much appriciated!
As I see in #52, official logstash-output-mongodb plugin has upgraded to 3.1.6 which now includes mongodb gem 2.6, so I've upgraded the official plugin and used it.

Thanks again,
Lior