NSP application log forwarding to Elasticsearch

Description

NSP application log forwarding to a remote Elasticsearch server is disabled by default. To enable NSP application-log forwarding to an Elasticsearch server, you configure the parameters in the nsp → modules → logging → forwarding → applicationLogs → elasticsearch section of the NSP configuration file.

Note: NSP log forwarding to a remote Elasticsearch instance is not supported in Release 23.11 or later, and must be disabled during system deployment before an NSP cluster is initialized.

Activation and security

In order to activate Elasticsearch application-log forwarding, you must copy the required TLS certificate files from the Elasticsearch server to the following location on the NSP deployer host:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/tls/fluent

If mTLS is enabled on the internal NSP interface, the following TLS files are required for the mutual authentication:

  • root CA certificate

  • client certificate

  • client key

If basic TLS is enabled on the internal NSP interface, the root CA certificate file is mandatory, and the client files are optional.

The files transferred to the NSP deployer host must be named as follows:

  • root CA certificate file—ca_cert.pem

  • client certificate file—client_cert.pem

  • client key file—client.key

During initialization, the NSP imports the required TLS certificates to the local trust store.
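
The following POSIX shell check is an added example, not part of the NSP software or its documentation. It applies the file rules above to the tls/fluent directory before deployment. The function names, the rule that optional client files must come as a pair, and the openssl sanity checks are assumptions of this example.

```sh
#!/bin/sh
# Added example: pre-flight check of the TLS files for Elasticsearch log
# forwarding. Function names are hypothetical, not NSP tooling.
# Usage: sh check_fluent_tls.sh <tls/fluent directory> <mtls|tls>

# File rules from the text: mTLS needs all three files, basic TLS needs only
# ca_cert.pem. Assumption: optional client files must be supplied as a pair.
check_fluent_files() {
    dir=$1 mode=$2 rc=0 have_cert=0 have_key=0
    [ -s "$dir/ca_cert.pem" ] || { echo "missing: ca_cert.pem" >&2; rc=1; }
    if [ -s "$dir/client_cert.pem" ]; then have_cert=1; fi
    if [ -s "$dir/client.key" ]; then have_key=1; fi
    if [ "$mode" = mtls ]; then
        [ "$have_cert" -eq 1 ] || { echo "missing: client_cert.pem" >&2; rc=1; }
        [ "$have_key" -eq 1 ] || { echo "missing: client.key" >&2; rc=1; }
    elif [ "$have_cert" -ne "$have_key" ]; then
        echo "client_cert.pem and client.key must be supplied together" >&2
        rc=1
    fi
    return "$rc"
}

# Certificate sanity (assumes openssl is installed): each certificate parses
# and is not expired, and client.key belongs to client_cert.pem.
check_fluent_certs() {
    dir=$1 rc=0
    for f in ca_cert.pem client_cert.pem; do
        [ -e "$dir/$f" ] || continue
        openssl x509 -in "$dir/$f" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "$f: unreadable or expired" >&2; rc=1; }
    done
    if [ -e "$dir/client_cert.pem" ] && [ -e "$dir/client.key" ]; then
        cert_pub=$(openssl x509 -in "$dir/client_cert.pem" -noout -pubkey 2>/dev/null)
        # -passin pass: makes an encrypted key fail instead of prompting.
        key_pub=$(openssl pkey -in "$dir/client.key" -passin pass: -pubout 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
            echo "client.key is unreadable or does not match client_cert.pem" >&2
            rc=1
        fi
    fi
    return "$rc"
}

# Run both checks only when a directory and a mode are given.
if [ "$#" -ge 2 ]; then
    check_fluent_files "$1" "$2" && check_fluent_certs "$1"
fi
```

A non-zero exit status means at least one file is missing, expired, or mismatched; the messages on standard error name the file.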

Trusted certificates

To add certificates to the nsp-trust-bundle, you add the certificates for secure mail, LDAP, nfmt, or other custom certificates to the trusted certificates list.

During or after NSP installation, you can add the LDAP and secure email server trust certificates by configuring the following parameters in the nsp → deployment → tls → trustedCertificates section of the NSP configuration file:

/opt/nsp/NSP-CN-DEP-release-ID/NSP-CN-release-ID/config/nsp-config.yml

Example:

nsp:
  deployment:
    tls:
      trustedCertificates: ["/trust-cert-path/ldap-cert.pem", "/trust-cert-path/sec-email-cert.crt"]

Enter the following to apply the certificates on the NSP deployer host:

/opt/nsp/NSP-CN-DEP-release-ID/bin/nspdeployerctl install --config --deploy ↵

When the installation is complete, restart the nspos-keycloak pod.

When the installation is complete, restart the nspos-tomcat pod.