Hello,
I am encountering some problems while trying to secure Filebeat & Logstash.
Scenario:
I created my own root CA and signed certificates with it. My Kibana web server, for example, is signed with this certificate, but I also tried to sign it with the elastic-stack-ca.p12.
After completing this tutorial: Secure communication with Logstash | Filebeat Reference [7.14] | Elastic,
my Logstash service won't start with: logstash --setup. If I just start Logstash with systemctl, the port does not open. And I need the port to open for Filebeat to work.
Here is the output of logstash --setup:
[INFO ] 2021-09-21 15:24:24.482 [main] runner - Starting Logstash {"logstash.version"=>"7.14.1", "jruby.version"=>"jruby 9.2.19.0 (2.5.8) 2021-06-15 55810c552b OpenJDK 64-Bit Server VM 11.0.11+9 on 11.0.11+9 +indy +jit [linux-x86_64]"}
[INFO ] 2021-09-21 15:24:25.551 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2021-09-21 15:24:25.828 [Converge PipelineAction::Create<main>] Reflections - Reflections took 47 ms to scan 1 urls, producing 120 keys and 417 values
[WARN ] 2021-09-21 15:24:26.399 [Converge PipelineAction::Create<main>] beats - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[WARN ] 2021-09-21 15:24:26.447 [Converge PipelineAction::Create<main>] elasticsearch - Relying on default value of `pipeline.ecs_compatibility`, which may change in a future major release of Logstash. To avoid unexpected changes when upgrading Logstash, please explicitly declare your desired ECS Compatibility mode.
[INFO ] 2021-09-21 15:24:26.487 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:class=>"LogStash::Outputs::ElasticSearch", :hosts=>["https://IP:9200"]}
[INFO ] 2021-09-21 15:24:26.672 [[main]-pipeline-manager] elasticsearch - Elasticsearch pool URLs updated {:changes=>{:removed=>[], :added=>[https://IP:9200/]}}
[WARN ] 2021-09-21 15:24:26.826 [[main]-pipeline-manager] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://IP:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://IP:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
[INFO ] 2021-09-21 15:24:26.879 [[main]-pipeline-manager] javapipeline - Starting pipeline {:pipeline_id=>"main", "pipeline.workers"=>4, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>50, "pipeline.max_inflight"=>500, "pipeline.sources"=>["/etc/logstash/conf.d/sample.conf"], :thread=>"#<Thread:0x3318e003 run>"}
[INFO ] 2021-09-21 15:24:27.396 [[main]-pipeline-manager] javapipeline - Pipeline Java execution initialization time {"seconds"=>0.52}
[INFO ] 2021-09-21 15:24:27.422 [[main]-pipeline-manager] beats - Starting input listener {:address=>"IP:5044"}
[INFO ] 2021-09-21 15:24:27.635 [[main]-pipeline-manager] javapipeline - Pipeline started {"pipeline.id"=>"main"}
[INFO ] 2021-09-21 15:24:27.733 [[main]<beats] Server - Starting server on port: 5044
[INFO ] 2021-09-21 15:24:27.747 [Agent thread] agent - Pipelines running {:count=>1, :running_pipelines=>[:main], :non_running_pipelines=>[]}
[WARN ] 2021-09-21 15:24:31.869 [Ruby-0-Thread-9: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://IP:9200/", :exception=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::HostUnreachableError, :message=>"Elasticsearch Unreachable: [https://IP:9200/][Manticore::ClientProtocolException] PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"}
logstash.yml is empty, no port or host defined but here is the logstash.conf:
input {
  beats {
    host => "IP"
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["<path to ca1>","<path to ca2>","<path to ca3>"]
    ssl_certificate => "logstash.crt"
    ssl_key => "logstash.key"
    ssl_verify_mode => "peer"
  }
}
output {
  elasticsearch {
    hosts => ["https://IP:9200"]
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    #user => "kibana"
    #password => "pass"
  }
}
Please let me know if you need more information.
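Log triage for the Logstash output quoted in the post above, added here as an example and not part of the original post: it groups TLS trust failures (the PKIX errors) by plugin and target URL, and lists the Beats listeners that reported starting. The function names and the shortened sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: shortened copies of log lines from the post above.
SAMPLE_LOG = '''\
[INFO ] 2021-09-21 15:24:26.487 [[main]-pipeline-manager] elasticsearch - New Elasticsearch output {:hosts=>["https://IP:9200"]}
[WARN ] 2021-09-21 15:24:26.826 [[main]-pipeline-manager] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://IP:9200/", :message=>"Elasticsearch Unreachable: PKIX path building failed: unable to find valid certification path to requested target"}
[INFO ] 2021-09-21 15:24:27.422 [[main]-pipeline-manager] beats - Starting input listener {:address=>"IP:5044"}
[INFO ] 2021-09-21 15:24:27.733 [[main]<beats] Server - Starting server on port: 5044
[WARN ] 2021-09-21 15:24:31.869 [Ruby-0-Thread-9: :1] elasticsearch - Attempted to resurrect connection to dead ES instance, but got an error {:url=>"https://IP:9200/", :message=>"Elasticsearch Unreachable: PKIX path building failed: unable to find valid certification path to requested target"}
'''

# Layout: [LEVEL] date time [thread] component - message.
# The thread field may itself contain brackets, e.g. [[main]-pipeline-manager].
LINE_RE = re.compile(
    r'^\[(?P<level>\w+)\s*\]\s+(?P<ts>\S+ \S+)\s+\[(?P<thread>.*?)\]\s+'
    r'(?P<component>\S+) - (?P<msg>.*)$'
)
URL_RE = re.compile(r':url=>"([^"]+)"')
ADDR_RE = re.compile(r'Starting input listener \{:address=>"([^"]+)"\}')
PKIX = "PKIX path building failed"  # JVM could not build a chain to a trusted CA


def parse_line(line):
    """Split one Logstash log line into its fields, or return None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(log_text):
    """Count certificate trust failures per (plugin, URL) and collect listeners."""
    failures, listeners, unparsed = Counter(), [], 0
    for line in filter(str.strip, log_text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if PKIX in rec["msg"]:
            url = URL_RE.search(rec["msg"])
            failures[(rec["component"], url.group(1) if url else "unknown")] += 1
        addr = ADDR_RE.search(rec["msg"])
        if addr and rec["component"] == "beats":
            listeners.append(addr.group(1))
    return {"tls_trust_failures": dict(failures), "listeners": listeners,
            "unparsed": unparsed}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
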