Hi all!
We've set up Logstash to collect Filebeat data via the beats plugin:
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.cert.pem"]
    ssl_certificate => "/etc/logstash/certs/server.cert.pem"
    ssl_key => "/etc/logstash/server.pem"
    ssl_verify_mode => "force_peer"
    type => "logs"
  }
}
Logstash starts using this configuration (filter section is empty for now, all output goes to stdout). The Logstash server is on a different network segment than the Filebeat server so we opened the firewall to let Filebeat traffic pass. We've verified with telnet that we can actually connect to the Logstash server. A tcpdump on the Logstash server shows that packets arrive and everything's fine. Filebeat is configured like this in the output section:
output:
  logstash:
    hosts: ["server.fqdn.here:5044"]
    tls:
      certificate_authorities: ["/etc/filebeat/ca.cert.pem"]
      certificate: "/etc/filebeat/filebeat-client.cert.pem"
      certificate_key: "/etc/filebeat/filebeat-client.key.pem"
When we start Filebeat with this configuration, we get the following error messages:
transport.go:125: ERR SSL client failed to connect with: EOF
single.go:126: INFO Connecting error publishing events (retrying): EOF
single.go:152: INFO send fail
single.go:159: INFO backoff retry: 16s
We can see in the tcpdump output that packets are exchanged between the Logstash and Filebeat servers; however, we don't see why the connection fails. None of the solutions in other forum posts to the "ERR SSL client failed to connect with: EOF" error seem to work for us. Also, changing
ssl_verify_mode => "force_peer"
to
ssl_verify_mode => "peer"
didn't work either. Please note that we have FQDNs in the certificates (own private CA without Intermediate CAs) and use the FQDN in the Filebeat configuration. We don't have SANs in the certificates.
We have the following software versions installed:
- Logstash: 2.2.4,
- Beats input plugin: 2.2.8,
- Filebeat: 1.2.1
It'd be great if someone could point us in the right direction. Running Logstash with "-v --debug --verbose" didn't yield any useful output. Any help would be highly appreciated. Thanks!
cs1
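
An EOF during a mutually authenticated handshake says little about which side rejected what, so the certificate material on each host can be checked offline first. The script below is an added example, not part of the original post: the function name, its arguments and the output format are its own, it uses only standard `openssl` subcommands, and it assumes unencrypted PEM keys.

```shell
#!/bin/sh
# Added example (not from the original post). Offline checks for one side's
# TLS material on a mutually authenticated Beats link. Keys are assumed to be
# unencrypted PEM; the function name and arguments are this example's own.
#
# check_tls_material ROLE CA_PEM CERT_PEM KEY_PEM
#   ROLE    sslserver for the Logstash certificate, sslclient for Filebeat's
#   CA_PEM  the CA file the *other* side is configured to trust
# Prints one finding per line; returns 0 only if chain and key checks pass.
check_tls_material() {
    role=$1 ca=$2 cert=$3 key=$4 rc=0

    # 1. Chain and purpose: with ssl_verify_mode force_peer both directions
    #    are verified, so the client certificate must pass as sslclient.
    if openssl verify -purpose "$role" -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "chain: OK ($role)"
    else
        echo "chain: FAIL ($cert does not verify against $ca as $role)"
        rc=1
    fi

    # 2. Key pairing: the public key in the certificate must equal the one
    #    derived from the private key file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cert_pub=
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || key_pub=
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "key: OK"
    else
        echo "key: FAIL ($key does not match $cert)"
        rc=1
    fi

    # 3. Identity: show the subject and whether a SAN extension exists, since
    #    the peer compares the configured host name against these fields.
    openssl x509 -in "$cert" -noout -subject 2>/dev/null
    if openssl x509 -in "$cert" -noout -text 2>/dev/null |
        grep -q 'Subject Alternative Name'; then
        echo "san: present"
    else
        echo "san: absent (host name can only be matched against the CN)"
    fi
    return $rc
}

# Run directly: sh check.sh sslserver ca.pem server.pem server.key
if [ $# -eq 4 ]; then check_tls_material "$@"; fi
```

Run it on the Logstash host with `sslserver` and on the Filebeat host with `sslclient`, each time passing the CA file that the opposite side lists as trusted.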