Cannot configure secure connection Filebeat->Logstash


(Marcin Pawlikowski) #1

Hi,

After configuration I ran Filebeat and Logstash, but Graylog didn't receive any data.
I can't see any unusual logs in the Logstash log file, only standard information like below.

[2017-03-06T15:36:50,447][INFO ][logstash.inputs.beats    ] Beats inputs: Starting input listener {:address=>"0.0.0.0:5566"}
[2017-03-06T15:36:50,512][INFO ][logstash.pipeline        ] Pipeline main started
[2017-03-06T15:36:50,779][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

The data from Filebeat appears on the port where Logstash is listening (checked with tcpdump) but does not appear on the destination port (sniffed with tcpdump using tcpdump dst on the server with Logstash).

Here is my configuration:

Filebeat:

filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/SIEM/client_list.log

multiline.pattern: '^.*: ABC ([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2}).*checked.*$'
multiline.negate: false
#multiline.match: after
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["192.168.2.180:5566"]
  tls:
    ssl.certificate_authorities: ["/opt/filebeat/certs/server.crt"]

and Logstash:

input { beats {
     type => beats
     port => 5566
     ssl => true
     ssl_certificate => "/etc/logstash/certs/test/server.crt"
     ssl_key => "/etc/logstash/certs/test/server.key"
   } }
output {
  gelf { host => "192.168.2.89"
         port => "11013" }}

I used the command below (https://discuss.elastic.co/t/how-to-set-the-tls-part-in-the-filebeat-yml-alway-wrong/67070/3) for the certs:
openssl req -subj '/C=CN/ST=guangdong/L=shenzhen/O=litianbl/OU=gamecenter/CN=192.168.147.128/' -x509 -days 36500 -batch -nodes -newkey rsa:2048 -keyout server.key -out server.crt

Before that configuration I tried one with a CA, unfortunately without a good result.
Then I had this error:

[2017-03-06T15:08:59,768][ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/certs/new/api.siem2.local.key}

Everything works fine without SSL configuration.

Logstash version: 5.2.2

Any idea how I can solve this problem and make my connection secure?

Thanks for the help,
Martin
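
Two checks relevant to the setup above, as an added example that is not part of the original post: Filebeat validates an IP address only against IP subjectAltName entries in the server certificate, and the Logstash error quoted above asks for a PKCS8 private key. The function names and the scratch directory are assumptions made for illustration, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes OpenSSL 1.1.1 or later.
set -eu

# make_cert DIR IP: self-signed server cert whose subjectAltName carries the
# address Filebeat dials (the IP in output.logstash hosts).
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -batch \
    -subj "/CN=$2" -addext "subjectAltName=IP:$2" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# cert_covers_ip CERT IP: true only if an IP subjectAltName in CERT equals IP.
cert_covers_ip() {
  openssl x509 -in "$1" -noout -checkip "$2" | grep -q 'does match'
}

# key_is_pkcs8 KEY: true if KEY is an unencrypted PKCS#8 PEM file.
key_is_pkcs8() {
  head -n 1 "$1" | grep -q '^-----BEGIN PRIVATE KEY-----'
}

# to_pkcs8 IN OUT: rewrite any PEM private key as unencrypted PKCS#8.
to_pkcs8() {
  openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

# key_matches_cert KEY CERT: true if both hold the same public key.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout | openssl sha256)" = \
    "$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)" ]
}

# Demo in a scratch directory, using the Logstash address shown in the post.
dir=$(mktemp -d)
make_cert "$dir" 192.168.2.180
cert_covers_ip "$dir/server.crt" 192.168.2.180 && echo "SAN covers 192.168.2.180"
cert_covers_ip "$dir/server.crt" 192.168.147.128 || echo "SAN does not cover 192.168.147.128"
key_is_pkcs8 "$dir/server.key" || to_pkcs8 "$dir/server.key" "$dir/server.p8.key"
key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key matches certificate"
rm -rf "$dir"
```

Running `cert_covers_ip` and `key_is_pkcs8` against the deployed `server.crt` and `server.key` before restarting Logstash shows whether either condition is the one failing.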

