Logstash 7.8 beats input with SSL throws error

frankfoti · July 30, 2020, 7:28pm

I added the SSL to the beats input and now the pipline throws an error. Cert and key are verified. See below 1) Config, 2) Cert and Key verify and 3) error in pipeline log.

input {
  beats {
    port => 5046
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ca.crt"]
    ssl_certificate => "/etc/logstash/siem-logstash-01.crt"
    ssl_key => "/etc/logstash/siem-logstash-01.key"
    ssl_verify_mode => "force_peer"
  }
}

curl -XGET -u elastic:******** --cacert /etc/logstash/ca.crt --cert /etc/logstash/siem-logstash-01.crt --key /etc/logstash/siem-logstash-01.key 'https://siem-elasticsearch-01:9200/_cluster/health?pretty'
{
  "cluster_name" : "siem-poc",
  "status" : "green",
  "timed_out" : false,
  "number_of_nodes" : 1,
  "number_of_data_nodes" : 1,
  "active_primary_shards" : 62,
  "active_shards" : 62,
  "relocating_shards" : 0,
  "initializing_shards" : 0,
  "unassigned_shards" : 0,
  "delayed_unassigned_shards" : 0,
  "number_of_pending_tasks" : 0,
  "number_of_in_flight_fetch" : 0,
  "task_max_waiting_in_queue_millis" : 0,
  "active_shards_percent_as_number" : 100.0
}

Error in logstash log:
[2020-07-30T19:04:50,184][ERROR][logstash.agent           ] Failed to execute action {:id=>:beats, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<beats>, action_result: false", :backtrace=>nil}

arun.vtec · August 6, 2020, 9:38am

Hello,

I am facing the same issue.
My config file has one additional parameter - ssl_key_passphrase - under beats { }

d.silwon · August 6, 2020, 9:51am

Hello @frankfoti

We had similar issue and sollution we found here:
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html

ie:
" SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information."

I converted pem key to pkcs8 in this way:

cd /etc/logstash/certs/
openssl pkcs8 -in node1.key -topk8 -nocrypt -out node1.p8
chown root.logstash node.p8

and change configuration file to:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
    ssl_certificate => "/etc/logstash/certs/node1.crt"
    ssl_key => "/etc/logstash/certs/node1.p8"
    ssl_verify_mode => "force_peer"
  }
}

Please try this.

frankfoti · August 6, 2020, 11:55am

That did the trick. Thanks

system · September 3, 2020, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash beats input cant start with ssl enabled Logstash	4	764	October 26, 2020
Beats input ssl problem Logstash	1	1076	November 19, 2019
Logstash beats input doesn't find certificates Logstash	2	1041	July 6, 2017
Beats input plugin cannot read password protected ssl key Logstash	3	760	July 19, 2019
Filebeat could not connect to logstash on SSL Beats filebeat	6	3945	November 30, 2018

Logstash 7.8 beats input with SSL throws error

Related topics