Hello there,
I am installing the ELK stack on a new server. Everything seems to be going well except for logstash. From the ELK server's /var/log/logstash/logstash-plain.log I am getting:
[ERROR][logstash.inputs.beats ] Looks like you either have an invalid key or your private key was not in PKCS8 format. {:exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/pki/tls/private/logstash-forwarder.key}
From the /var/log/syslog of remote clients running filebeat I'm getting:
/usr/bin/filebeat[6968]: transport.go:125: SSL client failed to connect with: read tcp <filebeat-client>:37342-><elk-server>:5044: i/o timeout
and I get essentially the same message from winlogbeat:
ERR Connecting error publishing events (retrying): read tcp <client-ip>:61676-><server-ip>:5044: i/o timeout
server's /etc/logstash/conf.d/02-beats-input.conf (assume indentation):
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
    ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
  }
}
I generated the keypair with:
openssl req -subj '/CN=<servers-fqdn>/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash-forwarder.key -out certs/logstash-forwarder.crt
I have tried creating the keypair with the CN (Common Name (hostname)) and the FQDN as suggested above.
Is there actually something wrong with the SSL portion of my setup or something else? I am on Debian 9 Stretch amd64, using package default-jre (openjdk-8-jre).
May be unrelated but if I do systemctl status logstash -l I see:
Jul 07 11:49:21 <server> systemd[1]: Started logstash.
Jul 07 11:49:35 <server> logstash[9609]: ERROR StatusLogger No log4j2 configuration file found. Using default configuration: logging only errors to the console.
Jul 07 11:49:37 <server> logstash[9609]: Sending Logstash's logs to /var/log/logstash which is now configured via log4j2.properties
Jul 07 11:49:38 <server> logstash[9609]: log4j:WARN No appenders could be found for logger (org.apache.http.client.protocol.RequestAuthCache).
Jul 07 11:49:38 <server> logstash[9609]: log4j:WARN Please initialize the log4j system properly.
Jul 07 11:49:38 <server> logstash[9609]: log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Despite the messages above, the service is running, stays running, and netstat -plant | grep 5044 shows java listening on that port... only for IPv6 though, it seems.
tcp6 0 0 :::5044 :::* LISTEN 9609/java
Elasticsearch, Kibana, and Logstash were installed using the .deb packages provided by elastic.co today...
elasticsearch-5.5.0.deb
kibana-5.5.0-amd64.deb
logstash-5.5.0.deb
Thanks for reading and thanks in advance for the help!
-Bradford
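
A way to test the "not in PKCS8 format" half of the Logstash error quoted above, as an added example that is not part of the original post: the script classifies a PEM key file by its first BEGIN line and reports whether it is readable at all. The function names and the ".pk8" output suffix are assumptions made for this example; the header check identifies the encoding only and does not validate the key material.

```shell
#!/bin/sh
# Added example (not from the original post): report which PEM encoding a
# private key file uses, judged by its first "-----BEGIN ..." line.

# Prints one of: pkcs8, pkcs8-encrypted, pkcs1-rsa, sec1-ec, unknown, unreadable.
pem_key_format() {
    keyfile=$1
    # A file the current user cannot read cannot be classified.
    [ -r "$keyfile" ] || { echo unreadable; return 1; }
    # First PEM armor line only; drop a CR in case the file has CRLF endings.
    header=$(sed -n '/^-----BEGIN /{p;q;}' "$keyfile" | tr -d '\r')
    case $header in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo sec1-ec ;;
        *)                                       echo unknown; return 1 ;;
    esac
}

# Prints the next step for a key file; "<keyfile>.pk8" is a name assumed here.
key_advice() {
    case $(pem_key_format "$1") in
        pkcs8)           echo "already unencrypted PKCS#8" ;;
        pkcs8-encrypted) echo "PKCS#8 but passphrase-protected" ;;
        pkcs1-rsa|sec1-ec)
            echo "convert: openssl pkcs8 -topk8 -nocrypt -in $1 -out $1.pk8" ;;
        unreadable)      echo "not readable by $(id -un): check owner and mode" ;;
        *)               echo "no PEM private key header found" ;;
    esac
}

# Usage: sh pemfmt.sh /etc/pki/tls/private/logstash-forwarder.key
if [ $# -gt 0 ]; then
    key_advice "$1"
fi
```

Run it as the account the Logstash service runs under, so that the "unreadable" result reflects what the service itself can open.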