Can't figure out how to use certificates correctly

Hello everyone,

I need help with configuring filebeat on windows with tls.
I created .crt file in my ELK server, and copied it to my windows client. Now I'm trying to configure the filebeat.yml file, I've tried this few configs:

output:
  logstash:
    hosts: [logstash ip address]
    tls:
      certificate_authorities:
        - C:\Program Files\Filebeat\filebeat.crt

output:
  logstash:
    hosts: [logstash ip address]
    tls:
      certificate_authorities:
        - "C:\Program Files\Filebeat\filebeat.crt"

output:
  logstash:
    hosts: [logstash ip address]
    tls:
      certificate_authorities: [C:\Program Files\Filebeat\filebeat.crt]

In all of those configs, when I ran -configtest, I had errors. What's the right way to write these configurations?

thank you!

Those configs appear OK to me. What is the error that -configtest returns?

Check out these TLS troubleshooting resources:

• Why does my SSL client fail to connect to Logstash?
• Using TLS between Beats and Logstash
  

not a windows user myself (just a hunch), but I wonder how these file paths are handled in when parsing the config file. YAML has different types of strings and by default \ is an escape character, if I'm not mistaken. Using single quotes might help:

output:
  logstash:
    hosts: [logstash ip address]
    tls:
      certificate_authorities:
        - 'C:\Program Files\Filebeat\filebeat.crt'

or use \\ whenever you need a backslash

Hi, thank you for your response.

I followed the tests in both the links you sent and everything was correct.
So I decided to go a step back and test if I can output directly to elasticsearch, without TLS. I got the following error in the logs:
"Ping request failed... no connection could be made because the target machine actively refused it."

Do you know why this happens?
Thanks.

This is most often caused by a firewall or anti-virus. It could be on same machine running Filebeat, the network in between, or on the ES server.

You can test the HTTP HEAD request that Filebeat uses independent of Filebeat by running the command given here.

Thanks, I checked for firewalls on both the ES machine and the Filebeat machine, both don't have any firewalls.

I ran the command and my output was an error:
"Unable to connect to the remote server"

is elasticsearch running?

yes, it's running

you have correct port configured? Try to ping and telnet elasticsearch server.

I have ping to the elasticsearch server, and i also can connect to it via putty on port 22, but for some reason i can't telnet to it in port 22 or 9200.
any other suggestions?

if telnet to port 9200 ($ telnet <host-ip> 9200) not working the port doesn't seem to be available from remote. Check with netstat or ss if some process is listening on port 9200 or some firewall (or any other device in between) is blocking the port with whatever rules.

the elastic server is listening on port 9200.
I have no firewall running.

as I don't have physical access to your environment I have a hard time to tell what's going on. You have to figure out why telnet is working for you in the first place. If you can get telnet to function beats should work just fine.

Did you try $ curl http://<elastic-ip>:9200 ?

I tried the following command:
$ curl http://192.168.0.110:9200 from my elastic server, and it didn't work, but when I did $ curl http://localhost:9200 it did work!
I checked with ipconfig to see I didn't make a mistake with the ip address, and it was OK...
From some reason the server can't resolve it's own ip?

EDIT:
I changed the elasticsearch.yml file, configured it to the ip address instead of just 'localhost'. now the curl command works.
I'll try to check the rest of the things that didn't work now.

makes me wonder if server binds to some device/ip only based on config. Never have seen this before.