Certificate Error in File Beat connecting to Logstash


(Richard Heyworth) #1

We are running a proof of concept on our network to establish whether we can configure filebeat (installed on Windows 2012) to connect to Logstash (on RHEL). Unfortunately, we are getting a certificate error when we attempt to start beats:

ERR SSL client failed to connect with: x509: certificate is valid for 10.123.52.154, not 10.123.52.154

Where 10.123.52.154 is the IP of our server. The certificate has been set up using this IP - the Linux server is not discoverable using the FQDN as it is part of a lab deployment (which does not add DNS records).

This same configuration worked with the logstash-forwarder from Windows to RHEL. Any suggestions what could cause this?


(Steffen Siering) #2

Uhm, that's weird. I assume it is the same certificate you've used with logstash-forwarder?

Which command have you used to generate the certificate?

Can you show filebeat and logstash-forwarder config? Also the logstash input sections.


(Richard Heyworth) #3

We used the following command to create the cert (on the linux node):

sudo openssl req -config /etc/pki/tls/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/filebeat.key -out certs/filebeat.crt

It is a new certificate for filebeat, but we can use the old cert and get the same issue. Below are the files as provided to me by my team.

Logstash-forwarder.json:

{
  "network": {
    "servers": [ "10.123.52.154:1514" ],
    "timeout": 30,
    "ssl ca": "C:/Logstash/logstash-forwarder.crt"
  },
  "files": [
    {
      "paths": [ "C:\\Windows\\System32\\LogFiles" ],
      "fields": { "type": "syslog" }
    }
  ]
}

Filebeat config (on Windows):

filebeat:
  # List of prospectors to fetch data.
  prospectors:
    # Each - is a prospector. Below are the prospector specific configurations
    -
      paths:
         - c:\programdata\filebeat\Logs\*
      fields:
        type: syslog

      input_type: log
  registry_file: "C:/ProgramData/filebeat/registry"

############################# Output ##########################################

output:
  logstash:
    # The Logstash hosts
    hosts: ["10.123.52.154:1514"]
    tls:
      certificate: "C:/Abee/filebeat.crt"
      certificate_key: "C:/Abee/filebeat.key"

############################# Logging #########################################

# There are three options for the log output: syslog, file, stderr.
# Under Windows systems, the log files are per default sent to the file output,
# under all other system per default to syslog.
logging:
  to_files: true
  files:
    name: mybeat
    rotateeverybytes: 10485760 # = 10MB

Logstash input section:

input {
  lumberjack {
    port => 1514
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
    type => "lumberjack"
  }

  file {
    path => "/tmp/test.log"
    type => "test"
  }

  heartbeat {
    interval => 10
    type => "heartbeat"
  }
}

Update....
Logstash config input section now:

input {
  beats {
    port => "1514"
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/filebeat.crt"
    ssl_key => "/etc/pki/tls/private/filebeat.key"
  }
  file {
    path => "/tmp/test.log"
    type => "test"
  }
  heartbeat {
    interval => 10
    type => "heartbeat"
  }
}


(Steffen Siering) #4

Looks like a misconfigured logstash output. The certificate and certificate_key options are required for client authentication (which is not yet supported by logstash plugin).

Try:

output:
  logstash:
    hosts: ["10.123.52.154:1514"]
    tls:
      certificate_authorities:
        - C:/Abee/filebeat.crt

In filebeat you can add multiple certificates for validation, that's why the list.

