Securing Beats to Logstash with Public Cert (version 6.5.1)


(Andrew Griffiths) #1

Hi,

I have a public cert from globalsign for securing beats -> logstash. I just want a simple way to encrypt the data without having to create hundreds of client certs.

logstash-beats.conf

input {
  beats {
    host => "0.0.0.0"
    port => "5043"
    ssl => true
    # CA chain for the GlobalSign-issued server certificate
    ssl_certificate_authorities => ["/etc/logstash/certs/GlobalsignCA.pem"]
    ssl_certificate => "/etc/logstash/certs/logcentral.cer"
    ssl_key => "/etc/logstash/certs/logcentral.key"
    # ssl_verify_mode is left at its default ("none"), so no client certificates are required
    tls_min_version => "1.2"
    cipher_suites => ['TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384']
  }
}

The client is winlogbeat:

output.logstash:
  hosts: ["logstash.logcentral.com:5043"]
  index: winlogbeat
  tls:
    certificate_authorities: ["C:/Program Files/winlogbeats/logcentral_com.cer"]

When I test from the client:

./winlogbeat -c winlogbeat.yml -e -v
ERROR logstash/async.go:256 Failed to publish events caused by: lumberjack protocol error
ERROR logstash/async.go:256 Failed to publish events caused by: client is not connected
ERROR pipeline/output.go:121 Failed to publish events: client is not connected
INFO pipeline/output.go:95 Connecting to backoff(async(tcp://logstash.logcentral.com:5043))
INFO pipeline/output.go:105 Connection to backoff(async(tcp://logstash.logcentral.com:5043)) established
ERROR logstash/async.go:256 Failed to publish events caused by: lumberjack protocol error
ERROR logstash/async.go:256 Failed to publish events caused by: client is not connected
ERROR pipeline/output.go:121 Failed to publish events: client is not connected
INFO pipeline/output.go:95 Connecting to backoff(async(tcp://logstash.logcentral.com:5043))
INFO pipeline/output.go:105 Connection to backoff(async(tcp://logstash.logcentral.com:5043)) established

and in the Logstash log:

[2018-12-04T13:07:05,788][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5043, remote: <public-ip>:60638] Handling exception: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER
[2018-12-04T13:07:05,789][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER

I've tried with and without the tls: certificate_authorities: section.

I'd have thought if they were public then this wouldn't be needed.


(Andrew Griffiths) #2

Solved, simply by changing winlogbeat.yml:

output.logstash:
  hosts: ["logstash.log-central.com:5043"]
  index: winlogbeat
  bulk_max_size: 1024
  ssl.enabled: true
  # 'tls' is the pre-5.0 name of this block; Beats 6.x reads ssl.* and ignores it,
  # so the GlobalSign chain is verified from the system trust store instead
  tls:
    certificate_authorities: ["C:/Program Files/winlogbeats/logcentral_com.cer"]
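A small check for the mismatch in this thread (a Beats client speaking plaintext lumberjack to a beats input with ssl => true, which is what produces WRONG_VERSION_NUMBER on the Logstash side, plus the pre-5.0 tls key that Beats 6.x ignores). This is an added example, not code from either post or from Elastic; its parser handles only the indented key: value and dotted-key form used here so it runs without PyYAML, and the sample configs are constructed from the thread.

```python
import json

def parse_config(text):
    """Parse indented 'key: value' lines into nested dicts.
    Dotted keys (e.g. ssl.enabled) are expanded the way Beats does."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) of the enclosing blocks
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, val = raw.strip().partition(":")
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        parts = key.split(".")
        for part in parts[:-1]:
            parent = parent.setdefault(part, {})
        val = val.strip()
        if not val:  # start of a nested block
            stack.append((indent, parent.setdefault(parts[-1], {})))
            continue
        try:
            parent[parts[-1]] = json.loads(val)  # lists, numbers, booleans
        except ValueError:
            parent[parts[-1]] = val  # bare strings such as winlogbeat
    return root

def lint_logstash_output(text, server_uses_tls=True):
    """Return finding codes for output.logstash. server_uses_tls assumes
    the Logstash beats input has ssl => true, as in the thread."""
    out = parse_config(text).get("output", {}).get("logstash", {})
    findings = set()
    if "tls" in out:
        # 'tls' is the pre-5.0 key; Beats 6.x reads ssl.* and ignores it
        findings.add("legacy-tls-key")
    ssl = out.get("ssl", {})
    # ssl.enabled defaults to true only when some ssl.* setting exists; with
    # none, Beats sends plaintext and Logstash logs WRONG_VERSION_NUMBER
    if server_uses_tls and not ssl.get("enabled", bool(ssl)):
        findings.add("tls-disabled")
    return findings

# Constructed samples: the failing config from post #1 and the fix from post #2
BROKEN = """output.logstash:
  hosts: ["logstash.logcentral.com:5043"]
  tls:
    certificate_authorities: ["C:/Program Files/winlogbeats/logcentral_com.cer"]
"""
FIXED = BROKEN.replace("  tls:", "  ssl.enabled: true\n  tls:")
```

Replacing the leftover tls block with ssl.certificate_authorities clears the remaining finding and pins trust to the listed CA rather than the system store.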