Logstash unexpected message - crypto/rsa verification error

Hi all,

I'm new here and I have an issue with the configuration of my Windows machines sending logs to a Logstash server through Winlogbeat (for what I understand as I recovered this installation undocumented from a colleague who left the company).

The error I have on the client side is:

2021-03-17T11:41:22.083+0100 ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://1.2.3.4:5044)): crypto/rsa: verification error
2021-03-17T11:41:22.083+0100 INFO pipeline/output.go:93 Attempting to reconnect to backoff(async(tcp://1.2.3.4:5044)) with 20 reconnect attempt(s)

The error I have on the server (among others):

Mar 17 11:20:32 syslog.domain.tld logstash[23278]: [2021-03-17T11:20:32,558][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: 1.2.3.5:64678] Handling exception: javax.net.ssl.SSLProtocolException: Received fatal alert: unexpected_message

My Elastic Stack is version 6.6.0, and so is the Winlogbeat client.

I have the crypto/rsa: verification error on another client that can communicate (badly, but that is another issue [of encoding] I will solve later); I guess it is because of the setting ssl.verification_mode: "none". I copied/pasted the winlogbeat.yml file and the ssl folder from the working client to the non-working one, unsuccessfully.

What other information would be useful for you to help me understand where I went wrong?

Thanks in advance anyway :)

The winlogbeat.yml sections for the output and ssl configuration, plus the logstash input section for the beats input.

Personally, in any configuration where I would be willing to use ssl.verification_mode: "none" I would just turn off TLS, since you have no security without verification.

Thanks for your help, Badger. Here is the information I have:

On the client side:
winlogbeat.yml

output.logstash:
  # The Logstash hosts
  hosts: ["1.2.3.4:5044"] # syslog server with logstash installed
  protocol: "https"

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["C:\\Program Files\\Winlogbeat\\ssl\\ca.pem"]

  # Certificate for SSL client authentication
  ssl.certificate: "C:\\Program Files\\Winlogbeat\\ssl\\client.pem"

  # Client Certificate Key
  ssl.key: "C:\\Program Files\\Winlogbeat\\ssl\\client.key"
  
  # SSL
  ssl.enabled: true
  ssl.verification_mode: "none"

On the syslog server side:
winlogbeat.conf in /etc/logstash/conf.d/

input {
  beats {
    port => 5044
    host => "1.2.3.4" # the IP address of the very server it is installed on
    ssl => true
    ssl_certificate_authorities => ["/etc/logstash/ssl/ca.pem"]
    ssl_certificate => "/etc/logstash/ssl/syslog.pem"
    ssl_key => "/etc/logstash/ssl/syslog-pkcs8.key"
    ssl_verify_mode => "none"
    tags => ['winlogbeat-ssl']
    id => 'winlogbeat-ssl-input'
###### something I tried for my encoding issue ######
    codec => plain {
      charset => "ISO-8859-1"
    }
#########################################
  }
}

Kibana and elasticsearch are installed on another server.

Honestly, I don't really understand the global picture of this installation, and I am not 100% sure that the machine which is communicating with Logstash is really communicating through Winlogbeat, as I didn't find any clue that this machine is really speaking with the syslog server through port 5044 (but my check may have been wrong).

Any help I can get is precious and appreciated!

My issue was related to a bug in our version of OpenSSL (OpenSSL 1.1.0j): I recreated the certificates from another server and everything is OK now.
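Two things in this thread deserve a concrete check: Badger's point that ssl.verification_mode: "none" on the client and ssl_verify_mode => "none" on the input leaves TLS with no authentication at all, and the resolution, which came down to the certificate material itself (the client-side message "crypto/rsa: verification error" is Go's rsa.ErrVerification, i.e. an RSA signature in the handshake that did not verify, which is what a key that does not belong to its certificate, or certificates from different generations on the two ends, produces). The script below is an added example, not code from the thread or from Elastic: it rebuilds the file set the posted configs refer to (ca.pem; syslog.pem with syslog-pkcs8.key for the beats input; client.pem with client.key for Winlogbeat) with openssl and cross-checks the pieces before anyone turns verification on. It assumes openssl is on PATH; 1.2.3.4 and syslog.domain.tld are the Logstash address and hostname from the thread; PKI_OUT and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): regenerate the CA, the Logstash
# server certificate and the Winlogbeat client certificate with openssl and
# check that they fit together. Assumes openssl on PATH; PKI_OUT is hypothetical.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

OUT="${PKI_OUT:-$(mktemp -d)}"
LS_IP="1.2.3.4"               # address Winlogbeat dials (hosts: ["1.2.3.4:5044"])
LS_NAME="syslog.domain.tld"   # Logstash host name from the server log

# Minimal openssl config so the example does not depend on the system openssl.cnf.
# The CA gets explicit basicConstraints/keyUsage; openssl verify rejects a v3
# "CA" that lacks them.
write_cnf() {
  mkdir -p "$OUT"
  cat > "$OUT/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints       = critical,CA:TRUE
keyUsage               = critical,keyCertSign,cRLSign
subjectKeyIdentifier   = hash
EOF
}

# Issue a leaf signed by $OUT/ca.pem. $1 = base name, $2 = CN, $3 = extension lines.
issue_leaf() (
  cd "$OUT"
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  printf '%b' "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 825 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
)

make_pki() {
  write_cnf
  # Private CA: this file is what both ssl.certificate_authorities (Winlogbeat)
  # and ssl_certificate_authorities (Logstash) must point at.
  openssl req -x509 -config "$OUT/req.cnf" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=winlogbeat-demo-ca" -keyout "$OUT/ca.key" -out "$OUT/ca.pem" >/dev/null 2>&1
  # Server cert: the SAN must cover what Winlogbeat connects to, or
  # ssl.verification_mode: full rejects a certificate whose chain is otherwise fine.
  issue_leaf syslog "$LS_NAME" "subjectAltName=DNS:$LS_NAME,IP:$LS_IP\nextendedKeyUsage=serverAuth\n"
  # The beats input wants the server key in PKCS#8; convert instead of relying on
  # whichever format the generating tool wrote (genrsa emits the traditional form).
  openssl pkcs8 -topk8 -nocrypt -in "$OUT/syslog.key" -out "$OUT/syslog-pkcs8.key"
  # Client cert Winlogbeat presents; required once Logstash uses ssl_verify_mode => "force_peer".
  issue_leaf client winlogbeat-client "extendedKeyUsage=clientAuth\n"
}

# Both leaves must chain to the CA given in $1. Count the OK lines rather than
# trust openssl verify's exit status, which older builds did not set reliably.
verify_chain() {
  ok=$(openssl verify -CAfile "$1" "$OUT/syslog.pem" "$OUT/client.pem" 2>&1 | grep -c ': OK$' || true)
  [ "$ok" -eq 2 ]
}

# The key deployed next to a certificate ($1 cert, $2 key) must carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The server certificate must name the address Winlogbeat dials.
san_covers_host() {
  openssl x509 -in "$OUT/syslog.pem" -noout -text | grep -q "IP Address:$LS_IP"
}

main() {
  make_pki
  verify_chain "$OUT/ca.pem"
  key_matches_cert "$OUT/syslog.pem" "$OUT/syslog-pkcs8.key"
  key_matches_cert "$OUT/client.pem" "$OUT/client.key"
  san_covers_host
  # Negative check: leaves must NOT verify against an unrelated CA. This is the
  # situation when client and server hold material from different generations.
  openssl req -x509 -config "$OUT/req.cnf" -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=stale-ca" -keyout "$OUT/stale.key" -out "$OUT/stale-ca.pem" >/dev/null 2>&1
  if verify_chain "$OUT/stale-ca.pem"; then
    echo "unexpected: leaves verified against an unrelated CA" >&2
    exit 1
  fi
  echo "certificates written to $OUT and cross-checked"
}
main
```

Once the four checks pass on the files actually deployed (ca.pem on both ends, syslog.pem/syslog-pkcs8.key under /etc/logstash/ssl, client.pem/client.key under C:\Program Files\Winlogbeat\ssl), there is no reason to keep "none": set ssl.verification_mode: full in winlogbeat.yml and ssl_verify_mode => "force_peer" on the beats input, so the client authenticates the server and the server requires a client certificate. If a handshake still fails at that point, the failing side's log names the certificate check that tripped, which is far more useful than the silent acceptance "none" gives.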