Error in Filebeat logs

Hello,
I am trying to ship logs from a Windows machine to logz.io using Filebeat 8.2 and Filebeat 7.17 (for Windows). But I see the below error.
Failed to connect to backoff(tcp://listener-ca.logz.io:5015)): tls: downgrade attempt detected, possibly due to a MitM attack or a broken middlebox","service.name":"filebeat"

This is the output configuration

logging.level: debug
logging. to
Files: true
logging-files:
path: C:\ProgranData \Filebeat \logs
name :
filebeat
keepfiles:
permissions: 0644
output:
logstash:
hosts: ["listener-ca.logz.io:5015"]
ssl:
#
verification mode; certificate

Could someone help with this?

Hi @netnal Welcome to the community.

1st) That is not a filebeat.yml file, so we can't really debug it. I am not sure what you are showing.

2nd) There seems to be an SSL / Cert / TLS issue that is most likely on the "listener-ca.logz.io:5015" side or something in between like a proxy.

3rd) This is the Elastic forum, not Logz.io, so we may or may not be able to help.

This is the filebeat.yml

##############Filebeat#############
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - E:/*.log
    fields:
      logzio_codec: plain
      token:  xxxxxxxxxxxxxx
      type: json
    fields_under_root: true
    encoding: utf-8
    
#For version 7 and higher
filebeat.registry.path: 'C:\ProgramData\Filebeat'

#The following processors are to ensure compatibility with version 7
processors:
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true
      
############### Output ##############

logging.level: debug
logging.to_files: true
logging.files:
  path: C:\ProgramData\Filebeat\logs
  name: filebeat
  keepfiles: 7
  permissions: 0644
  
output:
  logstash:
    hosts: ["listener-ca.logz.io:5015"]
    ssl:
      verification mode: certificate
# certificate authorities: ['C:\ ProgramData\Filebeat\Logzioroot.crt']

There is a logzio certificate present in the system, that is why the last line is commented out.

And you are still getting the same Error?

That is invalid syntax. I am unclear why filebeat is even starting.

   ssl:
      verification mode: certificate

correct

   ssl:
      verification_mode: certificate

Note the _; spaces in key names are invalid.

You can also try

   ssl:
      verification_mode: none

Which is not secure... but may help debug..

Also if there are other log lines that could help debug...

I am not clear what you mean by that.

Yes I have tried with both, yet I see the same error

ssl:
    verification_mode: certificate

and

ssl:
    verification_mode: none

This is the debug mode logs

{"log.level": "error", "@timestamp": "2022-08-25T17:08:37.7867", "log. logger": "publisher pipeline outp
ut", "log.origin": ("file.name": "pipeline/client worker.go", "file.line":150}, "message": "Failed to
connect to backoff (async (tcp://listener-ca-logz. i0:5015)): t1s: downgrade attempt detected,
possibly due to a MitM attack or a broken
middlebox", "service.name": "filebeat", "ecs-version": "1.6. 0"}
["log.level": "info", "@timestamp": "2022-08-25T17:08:37.7862", "log.logger": "publisher pipeline outpu
t", "log. origin": ("file.name": "pipeline/client worker.go", "file.line":141}, "message": "Attempting
to reconnect to backoff (async (tcp://listener-ca.logz. i0:5015)) with 2 reconnect
attempt (s) ", "service.name": "filebeat", "ecs.version":"1.6.0"}
("log. level": "debug", "@timestamp": "2022-08-25717:08:37.7862", "log. logger": "logstash", "log.origin":
{"file.name": "logstash/async.go", "file.line": 120), "message": "connect", "service.name"; "filebeat", "e
Es. version": "1.6.01}
("log.level": "debug", "@timestamp": "2022-08-25T17:08:40.1772", "log.logger": "input.harvester", "log.o
rigin": ("file.name": "log/log.go", "file.line":111), "message": "End of file reached:
E: \\logs; Backoff
now.", "service, name": "filebeat", "input id": "62573012-c959-4a9c-95ba-3Fde8a7959dd", "source File": "E
:\\logs", "state id": "native: :327680-53-4035249832", "finished": false, "os id": "327680-53-40
35249832", "old source": "E: \\logs", "old finished":true, "old os
id": "327680-53-4035249832"
"harvester id"="126c5800-32d0-45ac-6343-6¢710a613a67", "ecs.version":"1.6.0"]
("log. level": "debug", "@timestamp":"2022-08-25T17:08:437.0052", "log. logger": "input", "log.origin": ['f
ile.name"; "input/input.go", "file.line":137}, "message": "Run
input", "service.name": "filebeat"
"ecs.version":"1.6.0"}
{"log.level": "debug", "@timestamp": "2022-08-25T17:08:43.005z", "log.logger": "input", "log. origin": ("f
ile.name": "log/input. go", "file.line":222], "message": "Start next
scan", "service.name": "filebeat", "input id": "62573012-c959-4a9c-95ba-3fde8a7959dd", "ecs.version":"I
- 6. 0"}
{"log.level": "debug", "@timestamp": "2022-08-25T17:08:43.0052", "log.logger": "input", "log.origin": ("f
ile.name": "log/input.go", "file.line":472), "message": "Check file for harvesting:
E:\\logs", "service.name": "filebeat", "input id":"62573012-c959-4a9c-95ba-3fde8a7959dd", "ec
s.version":"1.6.0"}
{"log. level": "debug", "@timestamp":"2022-08-25T17:08:43.005", "log. logger": "input", "log.origin": ("F
ile.name"; "log/input.go", "file-line":570}, "message": "Update
existing file for harvesting:
E: \\logs, offset:
163880", "service.name": "filebeat", "input id": "62573012-c959-4a9c-95ba-3de8a7959dd", "source file"
"E:\\logs", "state id": "native::327680-53-4035249832", "finished": false, "os id': "327680-53
4035249832", "old source": "E: \\logs", "old finished": false, "old os id": "327680-53-403524983
2"
"ecs.version":"1.6.0"]

The system has the logzio certificate installed already and it doesn't use the public cert of logzio from the last line of the code.

I think you are going to need to reach out to logz.io support... it seems that the issue is on that side SSL.

The only other thing I see is that that is not a valid host:port; it has a space in it, and that is i0, not io.

Just saw that you have entered path: "C:\ProgranData \Filebeat \logs" instead of "path: C:\ProgramData \Filebeat \logs" Could be the reason why it starts but the logging doesn't work.

Sorry for the typing mistake, this is the original configuration file.

############################# Filebeat #####################################

filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - E:/*.log
    fields:
      logzio_codec: plain
      token: 
      type: json
    fields_under_root: true
    encoding: utf-8

#For version 7 and higher
filebeat.registry.path: 'C:\ProgramData\Filebeat'

#The following processors are to ensure compatibility with version 7
processors:
  - rename:
      fields:
        - from: "agent"
          to: "beat_agent"
      ignore_missing: true
  - rename:
      fields:
        - from: "log.file.path"
          to: "source"
      ignore_missing: true

############################# Output ##########################################

logging.level: debug
logging.to_files: true
logging.files:
  path: C:\ProgramData\Filebeat\logs
  name: filebeat
  keepfiles: 7
  permissions: 0644

output:
  logstash:
    hosts: ["listener-ca.logz.io:5015"]
    ssl:
      verification_mode: certificate
#      certificate_authorities: ['C:\ProgramData\Filebeat\Logzioroot.crt']

And what are the filebeat logs now?.....

And what happens if you take this out?

    ssl:
      verification_mode: certificate
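
The error text quoted in this thread matches the message Go's TLS client returns when the downgrade check from RFC 8446, section 4.1.3 fails. The sketch below is an added example (not code from Filebeat, Go, or any poster here) that reimplements that rule to show it reads only the negotiated version and `ServerHello.random`, never the certificate, which is consistent with the error persisting under both `verification_mode` values. `CheckDowngrade` and `randomWithTail` are hypothetical names, and the server randoms are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
)

// Sentinels from RFC 8446, section 4.1.3: a TLS 1.3-capable server writes one
// of these into the last 8 bytes of ServerHello.random when it ends up
// negotiating an older version.
var (
	sentinelTLS12 = []byte("DOWNGRD\x01") // server negotiated TLS 1.2
	sentinelTLS11 = []byte("DOWNGRD\x00") // server negotiated TLS 1.1 or below
)

var ErrDowngrade = errors.New("downgrade sentinel present in ServerHello.random")

// CheckDowngrade applies the client-side rule: the client offered a higher
// version than was negotiated, yet the server random carries a sentinel, so
// the ClientHello was altered in transit or a middlebox answered instead.
// No certificate data is consulted at any point.
func CheckDowngrade(clientMax, negotiated uint16, serverRandom []byte) error {
	if len(serverRandom) != 32 {
		return fmt.Errorf("server random must be 32 bytes, got %d", len(serverRandom))
	}
	tail := serverRandom[24:]
	has12 := bytes.Equal(tail, sentinelTLS12)
	has11 := bytes.Equal(tail, sentinelTLS11)
	switch {
	case clientMax == tls.VersionTLS13 && negotiated <= tls.VersionTLS12 && (has12 || has11):
		return ErrDowngrade
	case clientMax == tls.VersionTLS12 && negotiated <= tls.VersionTLS11 && has11:
		return ErrDowngrade
	}
	return nil
}

// randomWithTail builds a constructed 32-byte server random for the demo.
func randomWithTail(tail []byte) []byte {
	r := bytes.Repeat([]byte{0xAB}, 32)
	copy(r[24:], tail)
	return r
}

func main() {
	// TLS 1.3 client, TLS 1.2 negotiated, sentinel present: rejected.
	fmt.Println(CheckDowngrade(tls.VersionTLS13, tls.VersionTLS12, randomWithTail(sentinelTLS12)))
	// Same versions, ordinary random (a server that simply lacks TLS 1.3): accepted.
	fmt.Println(CheckDowngrade(tls.VersionTLS13, tls.VersionTLS12, randomWithTail([]byte("ordinary"))))
}
```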
