Logstash 7.8 beats input with SSL throws error

I added the SSL to the beats input and now the pipeline throws an error. Cert and key are verified. See below 1) Config, 2) Cert and Key verify and 3) error in pipeline log.

input {
  beats {
    port => 5046
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ca.crt"]
    ssl_certificate => "/etc/logstash/siem-logstash-01.crt"
    ssl_key => "/etc/logstash/siem-logstash-01.key"
    ssl_verify_mode => "force_peer"
  }
}

curl -XGET -u elastic:******** --cacert /etc/logstash/ca.crt --cert /etc/logstash/siem-logstash-01.crt --key /etc/logstash/siem-logstash-01.key 'https://siem-elasticsearch-01:9200/_cluster/health?pretty'
{
  "cluster_name" : "siem-poc",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 62,
  "active_shards" : 62,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Error in logstash log:
[2020-07-30T19:04:50,184][ERROR][logstash.agent           ] Failed to execute action {:id=>:beats, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<beats>, action_result: false", :backtrace=>nil}

Hello,

I am facing the same issue.
My config file has one additional parameter - ssl_key_passphrase - under beats { }

Hello @frankfoti

We had a similar issue, and the solution we found is here:
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html

ie:
" SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information."

I converted pem key to pkcs8 in this way:

cd /etc/logstash/certs/
openssl pkcs8 -in node1.key -topk8 -nocrypt -out node1.p8
chown root:logstash node1.p8

and changed the configuration file to:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/node1.crt"
    ssl_key => "/etc/logstash/certs/node1.p8"
    ssl_verify_mode => "force_peer"
  }
}

Please try this.

That did the trick. Thanks
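
A pre-flight check for the fix in this thread, as an added example that is not part of any post and not Logstash or OpenSSL tooling: it reads a key file's PEM header to tell PKCS#8 from the traditional RSA/EC format before the file is referenced by `ssl_key`, which per the documentation quoted above must be PKCS#8. The function names and the header-only sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Logstash or OpenSSL tooling.

# Print: pkcs8 | pkcs8-encrypted | traditional | traditional-encrypted | unknown
pem_key_format() {
    header=$(grep -m1 -e '^-----BEGIN .*PRIVATE KEY-----' "$1" 2>/dev/null) \
        || { echo unknown; return 0; }
    case "$header" in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----'|'-----BEGIN EC PRIVATE KEY-----')
            # Traditional PEM encryption is announced by a Proc-Type line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo traditional-encrypted
            else
                echo traditional
            fi ;;
        *) echo unknown ;;
    esac
}

# Return 0 only when the file can be referenced by ssl_key as it is.
check_beats_key() {
    case "$(pem_key_format "$1")" in
        pkcs8)           echo "OK: $1 is unencrypted PKCS#8" ;;
        pkcs8-encrypted) echo "OK: $1 is encrypted PKCS#8 (needs ssl_key_passphrase)" ;;
        traditional*)    echo "CONVERT: $1 is a traditional RSA/EC key" >&2; return 1 ;;
        *)               echo "UNKNOWN: $1 has no private-key PEM header" >&2; return 1 ;;
    esac
}

# Same openssl call as in the reply above; umask 027 ensures the unencrypted
# copy is never created world-readable.
to_pkcs8() {
    ( umask 027 && openssl pkcs8 -in "$1" -topk8 -nocrypt -out "$2" )
}

# Constructed sample: PEM header lines only, no key material.
sample=$(mktemp)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' '-----END RSA PRIVATE KEY-----' > "$sample"
check_beats_key "$sample" || echo "convert with: to_pkcs8 old.key new.p8"
rm -f "$sample"
```

After `to_pkcs8`, set the group as in the reply above (`chown root:logstash`) so the Logstash service account can read the key.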
