Connecting Filebeat to Logstash

Samuel_Dare · October 10, 2018, 12:18am

I am new to elasticsearch and following the tutorial here:

I have hit a stumbling block as I can connect the servers with the ELK stack configured with the the server that is logging activity to file beat.

I have narrowed it down to an issue with the SSL certificates copied from the ELK server as when i check /var/log/messages I get the following error:

usr/bin/filebeat[13730]: transport.go:125: SSL client failed to connect with: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "serial:16193853809450343771")

How ever, the keys have been copied over and these files are the same on both servers :

cat /etc/pki/tls/certs/logstash-forwarder.crt

When I try to read the syslogs, I get this:

sudo tail /var/log/syslog | grep filebeat:

tail: cannot open ‘/var/log/syslog’ for reading: No such file or directory.

I will appreciate any pointers on this

Mario_Castro · October 11, 2018, 10:57am

Hi @Samuel_Dare

I don't have an answer for you right now but I'd suggest you to paste you configuration and check the versions you're using in your machine. I mean logstash and filebeat version but also the version of the module you're using.

We have seen many issues regarding "old" versions that are shipped by default in Centos so it could be some issue that it's already solved or using a newer version of filebeat or of the service you're fetching (say apache or whatever)

Best regards

system · November 8, 2018, 11:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.