Filebeat SSL to logstash


#1

hi,
I have a problem with filebeat sending logs to logstash when I use SSL(filebeat 5.3.0 logstash 5.2.2).

That is my config
filebeat :

output.logstash:
hosts: ["127.0.0.1:5044"]
ssl.enabled: true
ssl.supported_protocols: [TLSv1.2]
ssl.certificate_authorities: ["/usr/ELK/ca/test/ca.crt"]

logstash:

beats {
port => 5044
ssl => true
ssl_certificate => "/usr/ELK/ca/test/server.crt"
ssl_key => "/usr/ELK/ca/test/pserver.key"
}

It always show the error
2017/05/03 10:13:04.389987 sync.go:85: ERR Failed to publish events caused by:
read tcp 127.0.0.1:50527->127.0.0.1:5044: read: connection reset by peer
2017/05/03 10:13:04.390041 single.go:91: INFO Error publishing events (retrying):
read tcp 127.0.0.1:50527->127.0.0.1:5044: read: connection reset by peer

But when I "curl -v --tlsv1.2 --cacert /usr/ELK/ca/test/ca.crt https://127.0.0.1:5044"
it worked well. I have no idea what problems is.


(Andrew Kroh) #2

Please check your indentation in the Beat config. I couldn't tell due to the formatting of your post, but it should look like this.

output.logstash:
  hosts: ["127.0.0.1:5044"]
  ssl.enabled: true
  ssl.supported_protocols: [TLSv1.2]
  ssl.certificate_authorities: ["/usr/ELK/ca/test/ca.crt"]

#3

Thank you for your reply, I edited it wrongly on the web.But the filebeat config is the same as what you posted.
Is any other thing wrong which cause the SSL fault?


(Steffen Siering) #4

The error message notes the connection being closed by Logstash. This can happen during TLS handshake or much later due to logstash timing out inactive connections. Try to ramp up the connectivity timeout in the beats input in Logstash. Also, have you checked the logstash-input-beats plugin version installed with your Logstash? Updating the plugin or moving to Logstash 5.4 might help here as well, as a few older versions of the plugin are prone to close perfectly valid connections.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.