Filebeat to Logstash connection fails

prodrg · March 13, 2017, 8:38pm

Hello guys,

I'm trying to connect a Filebeat instance with Logstash. Filebeat and Logstash are on version 5.2.1. These are my config files.

filebeat.yml

output.logstash:
  hosts: ["130.164.67.34:5044"]
  ssl.certificate_authorities: ["/etc/pki/tls/certs/ca.crt"]
  ssl.certificate: "/etc/pki/tls/certs/filebeat.crt"
  ssl.key: "/etc/pki/tls/private/filebeat.key"

beats-input.conf

input {
  beats {
    port => 5044
    ssl_certificate_authorities => ["/etc/pki/tls/certs/filebeat-certs/ca.crt"]
    ssl_certificate => "/etc/pki/tls/certs/filebeat-certs/filebeat.crt"
    ssl_key => "/etc/pki/tls/certs/filebeat-certs/filebeat.key"
  }
}

I receive the following error on Filebeat logs

ERR Connecting error publishing events (retrying): read tcp 130.164.15.237:55565->130.164.67.34:5044: read: connection reset by peer

What could it be? Or what can I do?
Thanks

prodrg · March 13, 2017, 8:36pm

Ok, after generating a new certificate, I get the following error instead on Filebeat logs:

2017-03-13T15:22:43-05:00 ERR Connecting error publishing events (retrying): x509: certificate signed by unknown authority

I created the certificate by using the following instruction:

openssl req -x509 -batch -nodes -newkey rsa:2048 -keyout new-cert.key -out new-cert.crt -subj /CN=<hostname.com>

And even, there are times I get this error on Logstash logs:

{:timestamp=>"2016-10-24T11:11:48.384000+0200", :message=>"Looks like you either have an invalid key or your private key was not in PKCS8 format.", :exception=>java.lang.IllegalArgumentException: Unsupported ciphersuite TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA38, :level=>:error}

Do you have a recommended method to generate those certificates?

steffens · March 14, 2017, 12:21am

have you checked: https://www.elastic.co/guide/en/beats/filebeat/current/securing-filebeat.html

prodrg · March 14, 2017, 2:20pm

@steffens Thanks for your help.

Yes, I have. But no luck at all. I can't test the certificate with curl because I receive a NSS error -5961 (PR_CONNECT_RESET_ERROR), and the only alternative I have is to compile Curl without NSS, which I can't do right now because I'm not allowed to do it yet. But I will try to generate another certificate, just in case.

steffens · March 14, 2017, 2:58pm

have you resolved the logstash issue?

prodrg · March 15, 2017, 2:26pm

For the Logstash error, I guess I have to transform the key file into the PKCS8 format. I will check the command for that.

UPDATE: @steffens I generated another certificate, and it seems to work for now. For the Logstash stuff, I had to transform the .key file into a .p8 file. The error message is gone.

system · April 11, 2017, 3:10pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.