I am using the 5.0.x versions of both filebeat and logstash.
My filebeat config is as follows:
filebeat.prospectors:
- input_type: log
  paths:
    - /var/log/apache2/access.log
output.logstash:
  hosts: ["192.168.0.4:5044"]
  bulk_max_size: 1024
  ssl_certificate: "/opt/logstash-forwarder.crt"
  key: "filebeat"
  timeout: 5
  document_type: apache
  index: filebeat
The error that I see in logstash is
[ERROR][org.logstash.beats.BeatsHandler] Exception: not an SSL/TLS record:
and my relevant part of logstash is below
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
I want to use this as a logstash forwarder; however, I can see the following in the filebeat error log:
2016-12-14T13:46:33Z INFO Harvester started for file: /var/log/apache2/access.log
2016-12-14T13:46:38Z ERR Connecting error publishing events (retrying): dial tcp 192.168.0.4:5044: getsockopt: connection refused
2016-12-14T13:46:39Z ERR Connecting error publishing events (retrying): dial tcp 192.168.0.4:5044: getsockopt: connection refused
2016-12-14T13:46:41Z ERR Connecting error publishing events (retrying): dial tcp 192.168.0.4:5044: getsockopt: connection refused
2016-12-14T13:46:45Z ERR Connecting error publishing events (retrying): dial tcp 192.168.0.4:5044: getsockopt: connection refused
2016-12-14T13:46:53Z ERR Connecting error publishing events (retrying): dial tcp 192.168.0.4:5044: getsockopt: connection refused
From the pcap file I can see that my apache server tries to communicate but a Reset Flag is coming back...
13:51:48.017430 IP apache.testing.lol.59749 > logstash.testing.lol.5044: Flags [S], seq 2990298978, win 29200, options [mss 1460,sackOK,TS val 432129306 ecr 0,nop,wscale 7], length 0
13:51:48.017464 IP logstash.testing.lol.5044 > apache.testing.lol.59749: Flags [R.], seq 0, ack 2990298979, win 0, length 0
13:51:49.017938 IP apache.testing.lol.59750 > logstash.testing.lol.5044: Flags [S], seq 1528716218, win 29200, options [mss 1460,sackOK,TS val 432129556 ecr 0,nop,wscale 7], length 0
13:51:49.017973 IP logstash.testing.lol.5044 > apache.testing.lol.59750: Flags [R.], seq 0, ack 1528716219, win 0, length 0
I suspect that my problem is on the SSL configuration... I generated the certificate by doing
sudo openssl req -config /etc/ssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
following the guide "How To Install Elasticsearch, Logstash, and Kibana (ELK Stack) on Ubuntu 14.04" (DigitalOcean).
FIXED: I just had a problem in my logstash config file!!!
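
Added example (not part of the original post): the post shows two different symptoms, a reset in answer to the SYN ("connection refused") and "not an SSL/TLS record", and this probe run from the shipping host tells them apart before either config is touched. The function name, return labels and the optional CA file argument are assumptions made for this sketch.

```python
import socket
import ssl
import sys


def probe_listener(host, port, cafile=None, timeout=3.0):
    """Classify a TCP port as 'refused', 'unreachable', 'no_tls',
    'tls_untrusted' or 'tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        # SYN answered with RST: nothing is bound to the port, for example
        # because the Logstash pipeline never started its beats input.
        return "refused"
    except OSError:
        return "unreachable"  # timeout, no route, DNS failure

    if cafile:
        # Verify the chain against the given CA or self-signed certificate.
        ctx = ssl.create_default_context(cafile=cafile)
        ctx.check_hostname = False  # assumption: cert name may not match host
    else:
        # Detection only: nothing sensitive is sent over this connection.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock):
            return "tls"
    except ssl.SSLCertVerificationError:
        return "tls_untrusted"  # TLS is on, but cafile does not vouch for it
    except (ssl.SSLError, OSError):
        return "no_tls"  # listener answered, but not with a TLS handshake
    finally:
        sock.close()


if __name__ == "__main__":
    # Usage: probe.py HOST PORT [CAFILE]
    host, port = sys.argv[1], int(sys.argv[2])
    cafile = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_listener(host, port, cafile))
```

A result of "refused" points at the listener not running at all, while "tls" against a shipper that logs plaintext errors points at the shipper's TLS settings. A listener that demands a client certificate can also be reported as "no_tls".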