I'm new here and I have an issue with the configuration of my Windows machines sending logs to a Logstash server through Winlogbeat (from what I understand, as I recovered this installation, undocumented, from a colleague who left the company).
The error I have on the client side is:
2021-03-17T11:41:22.083+0100    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://1.2.3.4:5044)): crypto/rsa: verification error
2021-03-17T11:41:22.083+0100    INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://1.2.3.4:5044)) with 20 reconnect attempt(s)
The error I have on the server (among others):
Mar 17 11:20:32 syslog.domain.tld logstash[23278]: [2021-03-17T11:20:32,558][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: 1.2.3.5:64678] Handling exception: javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message
My Elastic Stack is in version 6.6.0, and so is the Winlogbeat client.
I have the crypto/rsa: verification error on another client that can communicate (badly, but that is another issue [of encoding] I will solve later); I guess it is because of the setting ssl.verification_mode: "none". I copied/pasted the winlogbeat.yml file and ssl folder from the working client to the non-working one, unsuccessfully.
What other information can be useful for you to help me understand where I did something wrong?
The winlogbeat.yml sections for the output and ssl configuration, plus the logstash input section for the beats input.
Personally, in any configuration where I would be willing to use ssl.verification_mode: "none" I would just turn off TLS, since you have no security without verification.
Thanks for your help, Badger. Here is the information I have:
On the client side:
winlogbeat.yml
output.logstash:
  # The Logstash hosts
  hosts: ["1.2.3.4:5044"] # syslog server with logstash installed
  # NOTE: output.logstash has no "protocol" option (it belongs to output.elasticsearch);
  # TLS towards Logstash is enabled by ssl.enabled below, not by this line
  protocol: "https"
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:\\Program Files\\Winlogbeat\\ssl\\ca.pem"]
  # Certificate for SSL client authentication
  ssl.certificate: "C:\\Program Files\\Winlogbeat\\ssl\\client.pem"
  # Client Certificate Key
  ssl.key: "C:\\Program Files\\Winlogbeat\\ssl\\client.key"
  # SSL
  ssl.enabled: true
  # "none" skips verification of the Logstash certificate against the CAs listed above
  ssl.verification_mode: "none"
On the syslog server side:
winlogbeat.conf in /etc/logstash/conf.d/
input {
  beats {
    port => 5044
    host => "1.2.3.4" # the IP address of the very server it is installed on
    ssl => true
    # only used to validate client certificates when ssl_verify_mode is "peer" or "force_peer"
    ssl_certificate_authorities => ["/etc/logstash/ssl/ca.pem"]
    ssl_certificate => "/etc/logstash/ssl/syslog.pem"
    # the beats input needs the key in PKCS#8 format, and it must be the key syslog.pem was issued for
    ssl_key => "/etc/logstash/ssl/syslog-pkcs8.key"
    # "none": Logstash does not request a client certificate, so client.pem/client.key are never checked
    ssl_verify_mode => "none"
    tags => ['winlogbeat-ssl']
    id => 'winlogbeat-ssl-input'
    ###### something I tried for my encoding issue ######
    codec => plain {
      charset => "ISO-8859-1"
    }
    #########################################
  }
}
Kibana and elasticsearch are installed on another server.
Honestly, I don't really understand the global picture of this installation, and I am not 100% sure that the machine which is communicating with Logstash is really communicating through Winlogbeat, as I didn't find any clue that this machine is really speaking with the syslog server through port 5044 (but my verification may have been wrong).
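As an added example (not part of the thread above, and not Elastic's code), here is a small Go program that reproduces the two failure modes the configurations in this thread can run into. Beats are written in Go and use its crypto/tls, so the client-side messages are the same strings Winlogbeat logs. The program builds a throw-away CA and server certificate in memory, then runs four loopback handshakes: full verification against the right CA, full verification against the wrong CA, verification disabled (the equivalent of ssl.verification_mode: "none"), and verification disabled but with the server signing with a private key that does not belong to its certificate. The last case is the one that yields the bare "crypto/rsa: verification error": with verification off, the chain is never checked, and the only RSA signature the client still verifies is the server's own handshake signature, so that error points at the Logstash ssl_key not matching ssl_certificate rather than at the CA. The hostname logstash.example, the certificate lifetimes and the KeyMatches helper are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Lab is a throw-away PKI built in memory (assumed for this example): a CA, a server
// certificate it signed, the matching server key, and a second key that belongs to no cert.
type Lab struct {
	Pool      *x509.CertPool
	ServerDER []byte
	ServerKey *rsa.PrivateKey
	OtherKey  *rsa.PrivateKey
}

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

func NewLab() *Lab {
	caKey, srvKey, otherKey := mustKey(), mustKey(), mustKey()
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lab-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	ca, _ := x509.ParseCertificate(caDER)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "logstash.example"},
		DNSNames:  []string{"logstash.example"}, // name the client verifies when verification is on
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Lab{Pool: pool, ServerDER: srvDER, ServerKey: srvKey, OtherKey: otherKey}
}

// KeyMatches is the offline check to run against the files on the Logstash host:
// does this private key belong to this certificate? (Same question as comparing
// the modulus printed by `openssl x509 -modulus` with that of `openssl rsa -modulus`.)
func KeyMatches(certDER []byte, key *rsa.PrivateKey) bool {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey)
}

// Handshake runs one TLS handshake over loopback TCP. The server presents lab.ServerDER
// and signs with serverKey; the client-side error (nil on success) is returned.
// tls.Certificate is assembled by hand because tls.X509KeyPair would refuse a key
// that does not match the certificate, which is exactly the mistake reproduced here.
func Handshake(lab *Lab, serverKey *rsa.PrivateKey, clientCfg *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err
	}
	defer ln.Close()
	srvCfg := &tls.Config{Certificates: []tls.Certificate{{
		Certificate: [][]byte{lab.ServerDER}, PrivateKey: serverKey}}}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		s := tls.Server(conn, srvCfg)
		s.Handshake() // any failure is reported on the client side
		s.Close()
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err
	}
	c := tls.Client(raw, clientCfg)
	c.SetDeadline(time.Now().Add(5 * time.Second))
	err = c.Handshake()
	c.Close()
	return err
}

func main() {
	lab := NewLab()
	full := &tls.Config{RootCAs: lab.Pool, ServerName: "logstash.example"}        // verification_mode: full
	wrongCA := &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "logstash.example"}
	none := &tls.Config{InsecureSkipVerify: true}                                   // verification_mode: none
	fmt.Println("key matches cert / other key matches cert:", KeyMatches(lab.ServerDER, lab.ServerKey), KeyMatches(lab.ServerDER, lab.OtherKey))
	fmt.Println("full verify, right CA, right key:", Handshake(lab, lab.ServerKey, full))
	fmt.Println("full verify, wrong CA:           ", Handshake(lab, lab.ServerKey, wrongCA))
	fmt.Println("verification none, wrong CA:     ", Handshake(lab, lab.ServerKey, none))
	fmt.Println("verification none, key mismatch: ", Handshake(lab, lab.OtherKey, none))
}
```

The second and third handshakes show what ssl.verification_mode: "none" actually hides: a certificate the client's CA did not issue is rejected with "certificate signed by unknown authority" under full verification and accepted silently with none. The fourth shows that none does not help when the server's key and certificate disagree; the client still fails, now with the crypto/rsa message, and the server sees the client abort the handshake with a fatal alert. KeyMatches is the check to run on syslog.pem and syslog-pkcs8.key before touching anything else.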