Filebeat communication with logstash

MatheusGuizolfi · October 13, 2016, 1:22pm

I tried this way and did not work.

Execute: "curl -v --cacert certificate.pem https://logstash:5044" retorna:

* Rebuilt URL to: https://logstash:5044/ https://logstash:5044/
* Hostname was NOT found in DNS cache 
* Trying 172.18.0.3... 
* Connected to logstash (XXXXXXXXXXXXX) port 5044 (#0)
 * successfully set certificate verify locations: 
* CAfile: /caminhocertificado/filebeat.pem CApath: /etc/ssl/certs
 * SSLv3, TLS handshake, Client hello (1): 
* SSLv3, TLS handshake, Server hello (2): 
* SSLv3, TLS handshake, CERT (11):
 * SSLv3, TLS handshake, Server key exchange (12):
 * SSLv3, TLS handshake, Server finished (14): 
* SSLv3, TLS handshake, Client key exchange (16): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSLv3, TLS change cipher, Client hello (1): 
* SSLv3, TLS handshake, Finished (20): 
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA 
* Server certificate: 
* subject: CERTIFICATE INFORMATIONS 
* start date: 2016-10-10 19:39:23 GMT 
* expire date: 2017-10-10 19:49:23 GMT 
* common name: COMMONNAME(matched) 
* issuer: CN=COMMONNAME 
* SSL certificate verify ok. 
> GET / HTTP/1.1 
> User-Agent: curl/7.38.0 
> Host: logstash:5044 
> Accept: */* 
> * SSLv3, TLS alert, Client hello (1):
 * Empty reply from server 
* Connection #0 to host logstash left intact curl: (52) Empty reply from server

==========================================================================

CONFIGURATION LOGSTASH:

input {
  beats{
    port => 5044
    congestion_threshold => 1000000
    ssl => true
    #ssl_certificate_authorities => ["/path/to/cert/certificado.pem"] #Certificate installed on machine
    ssl_certificate => "/path/to/cert/logstash.crt"
    ssl_key => "/path/to/cert/private.key"
    ssl_key_passphrase => "XXXXXXXXXXXX"
  }
}

==========================================================================
CONFIGURATION FILEBEAT:

output:
  logstash:
    enabled: true
    hosts: ["logstash:5044"]
    #worker: 4
  tls:
    certificate_authorities: ["/path/to/cert/filebeat.pem"]
    certificate: "/path/to/cert/filebeat.pem"

==========================================================================

ERRO:

2016/10/13 12:58:24.414608 output.go:87: DBG  output worker: publish 2048 events
2016/10/13 12:58:24.414649 client.go:146: DBG  Try to publish 2048 events to logstash with window size 10
2016/10/13 12:58:24.421024 client.go:105: DBG  close connection
2016/10/13 12:58:24.421106 client.go:124: DBG  0 events out of 2048 events sent to logstash. Continue sending ...
2016/10/13 12:58:24.421224 single.go:77: INFO Error publishing events (retrying): write tcp XXXXXXXXXX:39396->XXXXXXXXXX:5044: write: broken pipe
2016/10/13 12:58:24.421263 single.go:154: INFO send fail
2016/10/13 12:58:24.421297 single.go:161: INFO backoff retry: 1s
2016/10/13 12:58:25.421665 client.go:100: DBG  connect
2016/10/13 12:58:25.423129 client.go:146: DBG  Try to publish 2048 events to logstash with window size 5
2016/10/13 12:58:25.425776 client.go:105: DBG  close connection
2016/10/13 12:58:25.425910 client.go:124: DBG  0 events out of 2048 events sent to logstash. Continue sending ...
2016/10/13 12:58:25.425942 single.go:77: INFO Error publishing events (retrying): EOF
2016/10/13 12:58:25.425962 single.go:154: INFO send fail
2016/10/13 12:58:25.425981 single.go:161: INFO backoff retry: 2s

tudor · October 14, 2016, 10:56am

Can you post version information for FIlebeat, LS and the logstash-beats-input plugin?

Do you see any errors in the Logstash logs?

Please also run: openssl s_client -connect localhost:5044 -CAfile /path/to/cert/filebeat.pem

system · November 3, 2016, 1:22pm

This topic was automatically closed after 21 days. New replies are no longer allowed.