Filebeat Client TLS connection failed to ELK Host

The goal is to have the Filebeat client use a TLS connection to the ELK host, but the connection fails.

telnet shows that the port works, as follows.

telnet 209.xx.173.45 5044

Trying 209.xx.173.45...
Connected to 209.97.173.45.
Escape character is '^]'.


The certificate is there:

/etc/pki/tls/certs/logstash-forwarder.crt

My filebeat.yml

filebeat:
  prospectors:
    -
      paths:
        - /var/log/auth.log
        - /var/log/syslog
      input_type: log
      document_type: syslog
  registry_file: /var/lib/filebeat/registry

output:
  logstash:
    enabled: true
    hosts: ["209.97.173.45:5044"]
    bulk_max_size: 1024
    tls:
      certificate_authorities: ["/etc/pki/tls/certs/logstash-forwarder.crt"]

After starting it, I checked with
sudo systemctl status filebeat
The error message is as follows:

Jun 18 14:06:03 Client05 /usr/bin/filebeat[4022]: transport.go:125: SSL client failed to connect with: read tcp 206.189.38.124:34736->209.97.173.45:5044: read: connection reset by peer

I do not have HTTPS, only HTTP. Is anything wrong? Thanks to anyone who can help!!

Just in case it is needed, here is the logstash.conf file on the ELK host.

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/ssl/logstash-forwarder.key"
    congestion_threshold => "40"
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGLINE}" }
    }

    date {
      match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => localhost
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
  }
  stdout {
  }
}

Can you look at your Logstash logs to see if any error is printed there?

Thanks for your reply, life saved.

If I check this file:
/var/log/logstash/logstash-plain.log

########
[2018-06-18T14:37:04,110][INFO ][org.logstash.beats.BeatsHandler] Exception: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1, from: /206.189.38.124:34848
[2018-06-18T14:37:04,110][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:375) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:342) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:325) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:255) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:246) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:877) [netty-all-4.1.3.Final.jar:4.1.3.Final]
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) [netty-all-4.1.3.Final.jar:4.1.3.Final]
at java.lang.Thread.run(Thread.java:748) [?:1.8.0_171]
Caused by: org.logstash.beats.BeatsParser$InvalidFrameProtocolException: Invalid Frame Type, received: 1
at org.logstash.beats.BeatsParser.decode(BeatsParser.java:92) ~[logstash-input-beats-3.1.31.jar:?]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411) ~[netty-all-4.1.3.Final.jar:4.1.3.Final]
... 10 more

Can you help?
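
The Logstash log above shows the Beats frame parser rejecting the bytes it received from the Filebeat host. As an added example (not part of the thread and not Logstash's own code), this Python code classifies the first bytes of a connection as a TLS handshake record or a Beats frame, which is one way to check from a packet capture whether a TLS client is reaching a listener that parses unencrypted Beats frames. The Beats framing (version byte '2' followed by a type byte) and the sample byte strings are assumptions constructed for illustration.

```python
"""Classify the first bytes seen on a Beats listener (added example)."""

# Assumed Beats (lumberjack v2) framing: version byte '2', then a type byte.
BEATS_VERSION = ord("2")
BEATS_FRAME_TYPES = {
    ord("W"): "window size",
    ord("J"): "JSON event",
    ord("C"): "compressed batch",
    ord("A"): "ack",
}
# TLS record header: content type, version major, version minor, 2-byte length.
TLS_HANDSHAKE = 0x16
TLS_MAJOR = 0x03


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls-handshake', 'beats-frame', 'incomplete' or 'unknown'."""
    if len(data) < 2:
        return "incomplete"
    if data[0] == TLS_HANDSHAKE and data[1] == TLS_MAJOR:
        if len(data) < 5:
            return "incomplete"
        length = int.from_bytes(data[3:5], "big")
        # TLS caps a record's plaintext fragment at 2**14 bytes.
        return "tls-handshake" if 0 < length <= 2**14 else "unknown"
    if data[0] == BEATS_VERSION and data[1] in BEATS_FRAME_TYPES:
        return "beats-frame"
    return "unknown"


def plaintext_beats_parser_accepts(data: bytes) -> bool:
    """Would a listener that expects unencrypted Beats frames accept this?"""
    return classify_first_bytes(data) == "beats-frame"


# Constructed samples, not captured traffic.
SAMPLE_TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00])
SAMPLE_BEATS_WINDOW = b"2W" + (1024).to_bytes(4, "big")

if __name__ == "__main__":
    for name, sample in [("TLS ClientHello", SAMPLE_TLS_CLIENT_HELLO),
                         ("Beats window frame", SAMPLE_BEATS_WINDOW)]:
        print(f"{name}: {classify_first_bytes(sample)}, accepted as "
              f"plaintext Beats: {plaintext_beats_parser_accepts(sample)}")
```

If a capture on port 5044 shows the client sending a TLS handshake while the server logs frame errors like the one above, compare the Logstash configuration that is actually loaded with the one posted.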
