Filebeat Client TLS connection failed to ELK Host


(Howard) #1

The goal is for the Filebeat client to use a TLS connection to the ELK host, but the connection fails.

telnet shows the port works, as follows:

telnet 209.xx.173.45 5044

Trying 209.xx.173.45...
Connected to 209.97.173.45.
Escape character is '^]'.


The certificate is there:

/etc/pki/tls/certs/logstash-forwarder.crt

My filebeat.yml

filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      input_type: log
      document_type: syslog
  registry_file: /var/lib/filebeat/registry

output:
  logstash:
    enabled: true
    hosts: ["209.97.173.45:5044"]
    bulk_max_size: 1024
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

After starting it, I check with:
sudo systemctl status filebeat
The error message is as follows:

Jun 18 14:06:03 Client05 /usr/bin/filebeat[4022]: transport.go:125: SSL client failed to connect with: read tcp 206.189.38.124:34736->209.97.173.45:5044: read: connection reset by peer

I do not have HTTPS, only HTTP. Is anything wrong? Thanks to anyone who can help!

Just in case it is needed, here is the logstash.conf file on the ELK host:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/ssl/logstash-forwarder.key"
    congestion_threshold => "40"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }

    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
output {
  elasticsearch {
    hosts => localhost
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  stdout {


(Adrian Serrano) #2

Can you look at your Logstash logs to see if any error is printed there?


(Howard) #3

Thanks for your reply, life saved.

If I check this file:
/var/log/logstash/logstash-plain.log

########
[2018-06-18T14:37:04,110][INFO ][org.logstash.beats.BeatsHandler] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1, from: /206.189.38.124:34848
[2018-06-18T14:37:04,110][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:375) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:342) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:325) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:255) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:246) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:877) [netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) [netty-all-4.1.3.Final.jar:4.1.3.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
at org.logstash.beats.BeatsParser.decode(BeatsParser.java:92) ~[logstash-input-beats-3.1.31.jar:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
... 10 more

Can you help?

