Hello,
I'm running into SSL issues when trying to connect to logstash:
2016/05/16 20:44:56.611376 log.go:113: INFO Harvester started for file: /var/log/messages
Here is my filebeat config:
filebeat:
prospectors:
-
paths:
- /var/log/secure
- /var/log/messages
# - /var/log/*.log
input_type: log
document_type: syslog
scan_frequency: 1s
registry_file: /var/lib/filebeat/registry
output:
logstash:
hosts: ["logstash.ops.perka.com:12345"]
bulk_max_size: 1024
tls:
certificate_authorities: ["/etc/pki/tls/certs/filebeat/ssl.cert"]
shipper:
logging:
files:
rotateeverybytes: 10485760 # = 10MB
Here is my logstash config:
input {
beats {
port => 12345
ssl => true
ssl_certificate => "/etc/pki/tls/certs/filebeat/ssl.cert"
ssl_key => "/etc/pki/tls/certs/filebeat/ssl.key"
}
}
output {
stdout {
}
}
Any input is greatly appreciated.
Does Filebeat connect fine if you add the insecure: true option to your Filebeat tls config?
If so, then you probably have a cert issue. You can check the docs on how to test the certs independently of Filebeat. https://www.elastic.co/guide/en/beats/filebeat/current/configuring-tls-logstash.html
Thank you for your speedy reply!
So, when I remove the tls option from my filebeat config, the connecting error is gone, but I get a new error: Error publishing events
2016/05/17 14:14:53.343347 log.go:113: INFO Harvester started for file: /var/log/messages
filebeat.yml:
input_type: log
document_type: syslog
scan_frequency: 1s
registry_file: /var/lib/filebeat/registry
output:
logstash:
hosts: ["logstash.ops.perka.com:12345"]
bulk_max_size: 1024
shipper:
logging:
files:
rotateeverybytes: 10485760 # = 10MB
logstash.conf (I've removed the ssl options):
input {
beats {
port => 12345
}
}
output {
stdout {
}
}
When I add it, I get the original error:
2016/05/17 14:56:13.436030 transport.go:125: ERR SSL client failed to connect with: read tcp 192.168.2.102:54658->192.168.2.101:12345: i/o timeout
filebeat.yml:
input_type: log
document_type: syslog
scan_frequency: 1s
registry_file: /var/lib/filebeat/registry
output:
logstash:
hosts: ["logstash.ops.perka.com:12345"]
bulk_max_size: 1024
tls:
insecure: true
shipper:
logging:
files:
rotateeverybytes: 10485760 # = 10MB
Interesting, I was hoping that would allow it to connect which would indicate a certificate issue.
What output do you get if you run the curl test described in the docs from the Filebeat host?
This is the output:
curl -v --cacert /etc/pki/tls/certs/filebeat/ssl.cert logstash.ops.perka.com:12345
GET / HTTP/1.1logstash.ops.perka.com:12345 /
Was that done with SSL enabled on the logstash beats input?
You should run it with the protocol in the URL so that curl knows to use negotiate a TLS connection. Like curl -v --cacert /etc/pki/tls/certs/filebeat/ssl.cert https://logstash.ops.perka.com:12345
Output from that command:
curl -v --cacert /etc/pki/tls/certs/filebeat/ssl.cert https://logstash.ops.perka.com:12345
About to connect() to logstash.ops.perka.com port 12345 (#0 )
Trying 192.168.2.101...
Connected to logstash.ops.perka.com (192.168.2.101) port 12345 (#0 )
Initializing NSS with certpath: sql:/etc/pki/nssdb
CAfile: /etc/pki/tls/certs/filebeat/ssl.cert
NSS error -5961 (PR_CONNECT_RESET_ERROR)
TCP connection reset by peer
Closing connection 0
I see.. the handshake doesn't take place
Based on that output and the fact that Filebeat -> Logstash did not work when you completely disabled TLS, it seems like there are some connectivity issues using port 12345.
I was assume that if try to telnet to port 12345 that you get a "connection reset" too.
Check any firewalls you have between the hosts. It could be on the Filebeat host, the network in between, or on the Logstash host.
steffens
May 12, 2017, 11:27am
12
@rohan89 please create your own discussion instead of hijacking a very old one (maybe including docker, kubernetes in title). Please format logs/configs using the </> button. Having to read unformatted YAML is kind of painful.