How to connect Winlogbeat to Elasticsearch using SSL?

Hello Team:

We are having a single node ELK configuration, In the same server we have installed Elasticsearch and kibana (8.3.3)

As per the guide if we are installing the Elasticsearch generates own SSL configuration default.

  • elasticsearch.yml:
cluster.name: es-application
node.name: node-1
network.host: 192.168.40.147
http.port: 9200
discovery.seed_hosts: ["192.168.40.147"]
path.data: /home/log/elasticsearch/data
path.logs: /home/log/elasticsearch/log
xpack.security.enabled: true
xpack.security.enrollment.enabled: true
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12
cluster.initial_master_nodes: ["node-1"]

windoiws client

winlogbeat.yml:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: System
  - name: Security
  - name: Microsoft-Windows-Sysmon/Operational
  - name: Windows PowerShell
    event_id: 400, 403, 600, 800
  - name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
  - name: ForwardedEvents
    tags: [forwarded]
setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false
setup.kibana:
  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  host: "192.168.40.147:5601"
  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://192.168.40.147:9200"]
  username: "elastic"
  password: "AFBi4qPxGkuRNJ"
  ssl:
    enabled: true
    ca_trusted_fingerprint: “014764bb6e1ffc6e5564a92c1ab0dv5e6c79315b41ce2b71b1e038dfc14c9f86”
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  # Pipeline to route events to security, sysmon, or powershell pipelines.
  pipeline: "winlogbeat-%{[agent.version]}-routing"
  # The Logstash hosts
  #hosts: ["localhost:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"]
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
    # Set to true to enable instrumentation of winlogbeat.
    #enabled: false
    # Environment in which winlogbeat is running on (eg: staging, production, etc.)
    #environment: ""
    # APM Server hosts to report instrumentation results to.
    #hosts:
    #  - http://localhost:8200
    # API Key for the APM Server(s).
    # If api_key is set then secret_token will be ignored.
    #api_key:
    # Secret token for the APM Server(s).
    #secret_token:

My problem is with the SSL configuration (Of the Winlogbeat) I just can't get it right for some reason.

This is the error I get on the windows machine after running the setup command

Exiting: couldn't connect to any of the configured Elasticsearch hosts. Errors: [error connecting to Elasticsearch at https://192.168.40.147:9200: Get "https://192.168.40.147:9200": decode 'ca_trusted_fingerprint': encoding/hex: invalid byte: U+00E2 'â']

Hello there!
Please look at this: link.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.