It doesn't sound like an SSL/TLS issue, as the error message would mention it. Are there any firewall, iptables rules blocking it from accessing LS? Can you telnet from the filebeat host to the LS host on port 5044? You can use curl to test the SSL connection to logstash to see if it's working: curl -v --cacert ca.crt https://myLShost:5044
If you can't telnet to the host:port and logstash is running/listening on that port, check the iptables on the logstash host. Check the messages log to see if there is any message about the connection being blocked. Use netstat on the logstash host to make sure the logstash java process is listening on port 5044. If you can't reach the host and port via telnet, there is something blocking it. You need to see what is blocking the connection from reaching your logstash host on that port. You may need to use tcpdump/wireshark to help troubleshoot the network connectivity issue if it's not something as simple as iptables rules blocking that port or iptables rules not open for that port.
Using netstat -atn I can see that 5044 is not listening, and this is odd because I haven't changed it or the security on the server. Just in case, I put SELinux in permissive mode, rebooted and stopped iptables (this is not a live system) but no joy. I'm wondering if the issue is with some corruption in Logstash?
Will update once I find the cause but SSL error match on something that I have been trying to do that the configtest has passed but your suggestion highlighted.
Update: blocked
All config cut down to minimum, local security checked, 5044 not listed in listening mode (as root).
Changed my logstash input file from beats to tcp for 5044 and a connection is accepted. Change it back to beats and refused.
Updated logstash and beats plugin, reboot and still nothing. Wondering if the beat component on my ELK stack is the issue?? Mystery continues...
Let's take a step back. First let's get logstash listening on 5044 using beats with no certs. So set the logstash conf.d for beats to something like this:
01-filebeat-input.conf:
input {
  beats {
    port => 5044
  }
}
Start logstash. Check to see if logstash is listening on 5044 for beats input without SSL. If that doesn't work, then I would consider reinstalling the logstash plugins or reinstalling the logstash package.
I had this exact same error! The "SSL client failed to connect" message is actually rather misleading. At least in my case it was down to the indentation of the yml on the outbound beat, i.e. the node that I was shipping logs from.... I know this sounds crazy, but it was true, had me baffled for ages.... Try using this on the node that you are trying to send logs from! See below:
Thanks Luka and Michael, both suggestions tried but not yet fixed. I could be suffering from yaml nitrate!! As you have found, Luka, so many issues are caused by indents, but not today.
So I'm going to try reinstalling Logstash; will keep you posted.
PS. If anyone knows a good yaml editor that can sit with an associated app demanding the use of yaml, please let me know.
UPDATE: After reinstalling Logstash I was able to connect to 5044. I also reissued the TLS cert, which caused problems by the introduction of a single "+" character at the beginning of my domain name. I noticed this when loading onto a client to check. I suppose the answer to full deployment is to centralise through a CA, especially for Beating Windows clients. At least I know a lot more about Logstash than I used to.
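The checks suggested in this thread (is anything listening on 5044, is the port filtered, does the TLS handshake verify against the CA), as an added example that is not part of the original posts. The function name `probe` and its result strings are assumptions made for illustration; `myLShost` and `ca.crt` are the names used in the curl command above.

```python
import socket
import ssl


def probe(host, port, tls=True, cafile=None, timeout=3.0):
    """Classify why a Beats client cannot reach a Logstash input.

    Returns 'refused' (nothing listening), 'filtered' (packets dropped,
    e.g. by iptables), 'tcp_ok', 'tls_ok', or 'tls_failed: <reason>'.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # The host answered with a reset: no process is bound to the port.
        return "refused"
    except (socket.timeout, TimeoutError):
        # No answer at all: typically a firewall dropping the SYN.
        return "filtered"
    except OSError as exc:
        return f"unreachable: {exc}"

    with sock:
        if not tls:
            return "tcp_ok"
        # Verify the server certificate and its name against the given CA,
        # as the Beats client would.
        ctx = ssl.create_default_context(cafile=cafile)
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "tls_ok"
        except ssl.SSLCertVerificationError as exc:
            # Covers an untrusted issuer and a certificate whose name
            # does not match the host being contacted.
            return f"tls_failed: {exc.verify_message}"
        except (ssl.SSLError, OSError) as exc:
            # The listener accepted TCP but did not complete a handshake.
            return f"tls_failed: {exc}"


if __name__ == "__main__":
    # Host and CA file as named in the thread; adjust to your environment.
    print(probe("myLShost", 5044, tls=True, cafile="ca.crt"))
```

A result of `refused` points at Logstash itself (input not bound), `filtered` at the network path, and `tls_failed` at the certificate or SSL settings.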