Logstash with Filebeat transfer over TLS

Hi,

I have configured ELK and a client with filebeat as 2 VMs on Vagrant/VirtualBox. When I enable TLS I am not able to ship logs to Logstash.
/etc/logstash/conf.d/02-beats-input.conf

    input {
      beats {
        port => 5044
        type => "JSON"
        ssl => true
        ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
        ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
        congestion_threshold => 1000
      }
    }

These are the errors I see when I am running filebeat in debug mode:

    2017/03/16 04:03:14.891341 single.go:140: ERR Connecting error publishing events (retrying): dial tcp 192.168.0.10:5044: getsockopt: connection refused
    2017/03/16 04:03:14.891355 single.go:156: DBG  send fail
    2017/03/16 04:03:16.888734 prospector.go:156: DBG  Run prospector
    2017/03/16 04:03:16.888770 prospector_log.go:62: DBG  Start next scan
    2017/03/16 04:03:16.888912 prospector_log.go:212: DBG  Check file for harvesting: /var/log/messages
    2017/03/16 04:03:16.888938 prospector_log.go:245: DBG  Update existing file for harvesting: /var/log/messages, offset: 337603
    2017/03/16 04:03:16.888977 prospector_log.go:297: DBG  Harvester for file is still running: /var/log/messages
    2017/03/16 04:03:16.888982 prospector_log.go:212: DBG  Check file for harvesting: /var/log/secure
    2017/03/16 04:03:16.888987 prospector_log.go:245: DBG  Update existing file for harvesting: /var/log/secure, offset: 145695
    2017/03/16 04:03:16.888990 prospector_log.go:299: DBG  File didn't change: /var/log/secure
    2017/03/16 04:03:16.889007 prospector_log.go:83: DBG  Prospector states cleaned up. Before: 2, After: 2
    2017/03/16 04:03:16.889025 spooler.go:89: DBG  Flushing spooler because of timeout. Events flushed: 0
    2017/03/16 04:03:18.891840 sync.go:53: DBG  connect

When I remove the SSL part of logstash.config, logs are being shipped to Logstash without any problem. I am also able to telnet on port 5044, and when I run curl -v --cacert logstash-forwarder.crt http://192.168.0.10:5044 I get the following:

    curl -v --cacert logstash-forwarder.crt https://192.168.0.10:5044
    * About to connect() to 192.168.0.10 port 5044 (#0)
    *   Trying 192.168.0.10...
    * Connected to 192.168.0.10 (192.168.0.10) port 5044 (#0)
    * Initializing NSS with certpath: sql:/etc/pki/nssdb
    * Closing connection 0
    curl: (77) Problem with the SSL CA cert (path? access rights?)

When the SSL part is in place, neither of them (telnet and curl) works. I can provide filebeat.yml if it is needed. Did anyone face a similar problem?
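
An added example, not part of the original post: a layered client-side check that separates the failure modes visible in the output above (TCP connection refused, CA file unreadable on the client, TLS handshake or certificate verification failure). The function name `check_beats_tls` and its return labels are assumptions made for illustration; the host, port and CA file name are the ones from the post.

```python
import os
import socket
import ssl


def check_beats_tls(host, port, ca_file, timeout=3.0):
    """Return a label naming the first layer that fails, or "ok".

    Order follows the curl trace in the post: TCP connect first,
    then the local CA file, then the TLS handshake itself.
    """
    # Layer 1: is anything listening? "connection refused" stops here.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "tcp_refused"
    except OSError:
        return "tcp_unreachable"
    try:
        # Layer 2: the CA file must exist and be readable by this user
        # (the condition curl reports as error 77).
        if not (os.path.isfile(ca_file) and os.access(ca_file, os.R_OK)):
            return "ca_unreadable"
        try:
            # With cafile given, only this CA is trusted (no system store).
            ctx = ssl.create_default_context(cafile=ca_file)
        except ssl.SSLError:
            return "ca_not_pem"
        # Layer 3: handshake with full verification. For an IP address,
        # Python 3.7+ matches it against the certificate's IP SANs.
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "ok"
        except ssl.SSLCertVerificationError:
            return "cert_verify_failed"
        except (ssl.SSLError, OSError):
            return "tls_handshake_failed"
    finally:
        sock.close()


if __name__ == "__main__":
    # Values taken from the post; run from the filebeat client VM.
    print(check_beats_tls("192.168.0.10", 5044, "logstash-forwarder.crt"))
```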
