Hi,
I've tried the lumberjack output to utilize the Graylog Beats input, but it doesn't get a connection.
IDK if this is a problem on the Logstash or Graylog side. Has anyone tried to connect lumberjack to the Beats input and got it working?
I get these messages on Graylog:
2019-04-01T11:28:00.230+02:00 ERROR [AbstractTcpTransport] Error in Input [Beats/5c6acc71a0303c17f682ba78] (channel [id: 0xa2af5fea, L:/172.21.2.63:5044 ! R:/172.21.2.99:46936]) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 49)
2019-04-01T11:28:00.231+02:00 ERROR [AbstractTcpTransport] Error in Input [Beats/5c6acc71a0303c17f682ba78] (channel [id: 0xa2af5fea, L:/172.21.2.63:5044 ! R:/172.21.2.99:46936]) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 87)
2019-04-01T11:28:49.442+02:00 ERROR [AbstractTcpTransport] Error in Input [Beats/5c6acc71a0303c17f682ba78] (channel [id: 0x8e05800f, L:/172.21.2.63:5044 ! R:/172.21.2.99:46940]) (cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 10)
And this on Logstash:
Client write error, trying connect {:e=>#<IOError: Broken pipe>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:857:in `sysread'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-openssl-0.10.2-java/lib/jopenssl23/openssl/buffering.rb:57:in `fill_rbuff'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jruby-openssl-0.10.2-java/lib/jopenssl23/openssl/buffering.rb:98:in `read'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-lumberjack-0.0.26/lib/lumberjack/client.rb:157:in `read_version_and_type'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-lumberjack-0.0.26/lib/lumberjack/client.rb:145:in `ack'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-lumberjack-0.0.26/lib/lumberjack/client.rb:134:in `write_sync'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/jls-lumberjack-0.0.26/lib/lumberjack/client.rb:42:in `write'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-lumberjack-3.1.7/lib/logstash/outputs/lumberjack.rb:65:in `flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:219:in `block in buffer_flush'", "org/jruby/RubyHash.java:1419:in `each'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:216:in `buffer_flush'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/stud-0.0.23/lib/stud/buffer.rb:159:in `buffer_receive'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-lumberjack-3.1.7/lib/logstash/outputs/lumberjack.rb:52:in `block in register'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-codec-plain-3.0.6/lib/logstash/codecs/plain.rb:40:in `encode'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-output-lumberjack-3.1.7/lib/logstash/outputs/lumberjack.rb:59:in `receive'", "/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in `block in multi_receive'", "org/jruby/RubyArray.java:1792:in `each'", 
"/usr/share/logstash/logstash-core/lib/logstash/outputs/base.rb:89:in `multi_receive'", "org/logstash/config/ir/compiler/OutputStrategyExt.java:118:in `multi_receive'", "org/logstash/config/ir/compiler/AbstractOutputDelegatorExt.java:101:in `multi_receive'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:390:in `block in output_batch'", "org/jruby/RubyHash.java:1419:in `each'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:389:in `output_batch'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:341:in `worker_loop'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:304:in `block in start_workers'"]}
This is the openssl output:
openssl s_client -connect graylog.domain.com:5044 -CAfile ca-pem.crt
CONNECTED(00000003)
depth=1 DC = com, DC = domain, CN = CA
verify return:1
depth=0 CN = graylog.domain.com
verify return:1
---
Certificate chain
0 s:/CN=graylog.domain.com
i:/DC=com/DC=domain/CN=CA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=graylog.domain.com
issuer=/DC=com/DC=domain/CN=CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1972 bytes and written 269 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 485AB5E76E1FBECBDAF7027B180CD953A24505BFE0BF1C517BDBB3947ECCEB08
Session-ID-ctx:
Master-Key: 8E4A92AEFF1BB36ADF3D22331273F51D1D21AA802A988C21B787EF8CF46A7CA5BE7A3AC6837DED7869D5DF0A1CA071CE
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1554110924
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
This is the input:
bind_address: 0.0.0.0
no_beats_prefix: false
number_worker_threads: 4
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: /home/rene/graylog.domain.com.crt
tls_client_auth: disabled
tls_client_auth_cert_file: <empty>
tls_enable: true
tls_key_file: /home/rene/graylog.domain.com.rsa
tls_key_password: ********
This is the Logstash config:
input {
  beats {
    port => 5050
    ssl => true
    ssl_certificate => "/home/logstash/certs/agg_hag1.crt"
    ssl_key => "/home/logstash/certs/agg_hag1-des-v1.pem"
    ssl_key_passphrase => "PWD"
    ssl_verify_mode => none
    tls_min_version => 1.2
  }
}
output {
  lumberjack {
    id => "internal_POC"
    enable_metric => true
    hosts => "graylog.domain.com"
    port => 5044
    ssl_certificate => "/home/logstash/certs/ca-pem.crt"
  }
}
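
As an added example (not part of the original post): the numbers in the Graylog errors can be read as raw bytes and compared with the lumberjack frame header, which is an ASCII version byte ('1' for lumberjack v1, '2' for the v2 protocol that Beats uses) followed by an ASCII frame-type byte. The sketch assumes the reported number is the decimal value of the byte the decoder found where it expected the version byte; the function names are hypothetical and the log lines are abridged from the post.

```python
import re

# Lumberjack frame header: one ASCII version byte, then one ASCII frame-type byte.
VERSIONS = {ord("1"): "lumberjack v1", ord("2"): "lumberjack v2 (beats)"}
FRAME_TYPES = {ord("W"): "window size", ord("D"): "data", ord("J"): "JSON data",
               ord("C"): "compressed", ord("A"): "ack"}

# Pulls the channel id, remote peer and rejected byte out of a Graylog error line.
ERR = re.compile(
    r"channel \[id: (?P<chan>0x[0-9a-f]+), .*? R:/(?P<peer>[\d.]+:\d+)\]"
    r".*Unknown beats protocol version: (?P<byte>\d+)"
)

def describe(byte):
    """Say what a rejected byte corresponds to in a lumberjack header, if anything."""
    if byte in VERSIONS:
        return f"version byte {chr(byte)!r} ({VERSIONS[byte]})"
    if byte in FRAME_TYPES:
        return f"frame-type byte {chr(byte)!r} ({FRAME_TYPES[byte]})"
    return f"byte {bytes([byte])!r}, not a lumberjack header byte"

def triage(lines):
    """Group the rejected bytes per connection, keyed by (channel id, peer)."""
    conns = {}
    for line in lines:
        m = ERR.search(line)
        if m:
            conns.setdefault((m["chan"], m["peer"]), []).append(int(m["byte"]))
    return {key: [describe(b) for b in seen] for key, seen in conns.items()}

# Abridged copies of the three error lines in the post (timestamps and
# exception class names dropped; ids, peers and byte values unchanged).
SAMPLE = [
    "ERROR Error in Input [Beats/...] (channel [id: 0xa2af5fea, L:/172.21.2.63:5044 ! "
    "R:/172.21.2.99:46936]) (cause ... Unknown beats protocol version: 49)",
    "ERROR Error in Input [Beats/...] (channel [id: 0xa2af5fea, L:/172.21.2.63:5044 ! "
    "R:/172.21.2.99:46936]) (cause ... Unknown beats protocol version: 87)",
    "ERROR Error in Input [Beats/...] (channel [id: 0x8e05800f, L:/172.21.2.63:5044 ! "
    "R:/172.21.2.99:46940]) (cause ... Unknown beats protocol version: 10)",
]

if __name__ == "__main__":
    for (chan, peer), notes in triage(SAMPLE).items():
        print(chan, peer)
        for note in notes:
            print("   ", note)
```

On the first connection the two rejected bytes are '1' and 'W', which is how a lumberjack v1 window-size frame begins; the third error comes from a separate connection and is a newline byte.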