Logstash 7.8 beats input with SSL throws error

frankfoti · July 30, 2020, 7:28pm

I added the SSL to the beats input and now the pipline throws an error. Cert and key are verified. See below 1) Config, 2) Cert and Key verify and 3) error in pipeline log.

input {
  beats {
    port => 5046
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ca.crt"]
    ssl_certificate => "/etc/logstash/siem-logstash-01.crt"
    ssl_key => "/etc/logstash/siem-logstash-01.key"
    ssl_verify_mode => "force_peer"
  }
}

curl -XGET -u elastic:******** --cacert /etc/logstash/ca.crt --cert /etc/logstash/siem-logstash-01.crt --key /etc/logstash/siem-logstash-01.key 'https://siem-elasticsearch-01:9200/_cluster/health?pretty'
{
  "cluster_name" : "siem-poc",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 62,
  "active_shards" : 62,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Error in logstash log:
[2020-07-30T19:04:50,184][ERROR][logstash.agent           ] Failed to execute action {:id=>:beats, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<beats>, action_result: false", :backtrace=>nil}

arun.vtec · August 6, 2020, 9:38am

Hello,

I am facing the same issue.
My config file has one additional parameter - ssl_key_passphrase - under beats { }

d.silwon · August 6, 2020, 9:51am

Hello @frankfoti

We had similar issue and sollution we found here:
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html

ie:
" SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information."

I converted pem key to pkcs8 in this way:

cd /etc/logstash/certs/
openssl pkcs8 -in node1.key -topk8 -nocrypt -out node1.p8
chown root.logstash node.p8

and change configuration file to:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/node1.crt"
    ssl_key => "/etc/logstash/certs/node1.p8"
    ssl_verify_mode => "force_peer"
  }
}

Please try this.

frankfoti · August 6, 2020, 11:55am

That did the trick. Thanks

system · September 3, 2020, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash beats input cant start with ssl enabled Logstash	4	705	October 26, 2020
Logstash beats SSL file read problem Logstash	3	1410	January 2, 2018
SSL-enabled Beat ssl_verify_mode => "none" not working as expected Logstash	3	3833	March 18, 2020
Beats input ssl problem Logstash	1	1061	November 19, 2019
Filebeat and logstash ssl config is correct? Logstash	2	215	November 15, 2022

Logstash 7.8 beats input with SSL throws error

Related topics