SSL to logstash doesn't seem to work


(Zach Lewis) #1

I tried to set up winlogbeat to forward some windows events off to logstash but it seems there might be a bug in winlogbeat. If I don't uncomment any SSL settings for logstash in the yml config then it seems to 'work'. I know my cert/key works for logstash because I'm using the same settings for a filebeat service and it works fine. The system running winlogbeat is a win10 64bit and the winlogbeat is 6.1.1 and my elk stack is also 6.1.1. When I uncomment the SSL settings I get the following:

PS C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64> .\winlogbeat.exe -c .\winlogbeat.yml -e -v
winlogbeat2017/12/28 14:59:41.038521 beat.go:635: CRIT Exiting: error loading config file: yaml: line 109: did not find expected hexdecimal number
Exiting: error loading config file: yaml: line 109: did not find expected hexdecimal number

When I comment it:
PS C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64> .\winlogbeat.exe -c .\winlogbeat.yml -e -v
2017/12/28 15:00:17.333281 metrics.go:23: INFO Metrics logging every 30s
2017/12/28 15:00:17.333281 beat.go:436: INFO Home path: [C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64] Config path: [C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64] Data path: [C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64\data] Logs path: [C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64\logs]
2017/12/28 15:00:17.334230 beat.go:443: INFO Beat UUID: 55534e4a-594b-4708-a97b-d1eac37bec0c
2017/12/28 15:00:17.334230 beat.go:203: INFO Setup Beat: winlogbeat; Version: 6.1.1
2017/12/28 15:00:17.336164 module.go:76: INFO Beat name: snail
2017/12/28 15:00:17.336164 winlogbeat.go:56: INFO State will be read from and persisted to C:\Users\zach\Downloads\winlogbeat-6.1.1-windows-x86_64\winlogbeat-6.1.1-windows-x86_64\data.winlogbeat.yml
2017/12/28 15:00:17.336164 beat.go:276: INFO winlogbeat start running.
2017/12/28 15:00:18.493723 async.go:235: ERR Failed to publish events caused by: read tcp 192.168.1.3:3035->192.168.1.243:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017/12/28 15:00:18.561123 async.go:235: ERR Failed to publish events caused by: client is not connected
2017/12/28 15:00:19.562387 output.go:92: ERR Failed to publish events: client is not connected
2017/12/28 15:00:19.629791 async.go:235: ERR Failed to publish events caused by: read tcp 192.168.1.3:3036->192.168.1.243:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2017/12/28 15:00:19.681611 async.go:235: ERR Failed to publish events caused by: client is not connected
2017/12/28 15:00:19.965823 winlogbeat.go:152: INFO Stopping Winlogbeat
2017/12/28 15:00:19.979549 eventlogger.go:92: INFO EventLog[Security] Stop processing.

The settings are:
#----------------------------- Logstash output --------------------------------
output.logstash:
  hosts: ["192.168.1.243:5044"]
  ssl.certificate: "C:\Users\zach\Desktop\new.cert.cert"
  ssl.key: "C:\Users\zach\Desktop\new.cert.key"

Any ideas why I'm getting that error?


#2

I remember having this and I think it was the template section.
If you have this section try commenting it out.

The only thing I have in my config is this:

winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h
  - name: Security
  - name: System

output.logstash:
  # The Logstash hosts
  hosts: ["nice.dns.name:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verification
  ssl.certificate_authorities: ["C:\\Users\\Admin\\ssl\\cert"]
  ssl.verification_mode: none

The only other problems I had were related to the way windows services work.


(Andrew Kroh) #3

If you comment out all of the SSL options then SSL will be disabled on the Winlogbeat side. If it works after doing that then that would mean that SSL is not being used on the server.

If you can provide the full config file via pastebin.com I might be able to give some context for this error.

You aren't protected against MITM if you disable verification. It's good for troubleshooting, but you will want to fix up the cert issues afterwards so you can re-enable verification.


#4

You aren't protected against MITM if you disable verification. It's good for troubleshooting, but you will want to fix up the cert issues afterwards so you can re-enable verification.

yes, thank you. It's a test client and we don't have a PKI yet, so, intended.

I'm still pretty sure it's the template thing. I had the same cryptic error as Zach.


(Zach Lewis) #5

Thanks guys! It looks like this was a newbie mistake. I noticed JRSol was using \ to escape the \ ... I didn't realize that was needed. It looks like that was all I needed to get ssl/tls working.


(Andrew Kroh) #6

Regarding escaping: if you use single quotes around the paths you don't need to escape (that's a YAML thing). Or you can use / instead of \ for Windows paths and Beats will fix them for you.
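To show why the original double-quoted path fails and why the three spellings from #5 and #6 (escaped backslashes, single quotes, forward slashes) work, here is a small decoder that mirrors the YAML 1.2 quoted-scalar escape rules. It is an added example, not Beats or libyaml code; the file paths are the constructed samples from this thread.

```python
"""Decode a quoted YAML scalar the way a YAML 1.2 parser does, to reproduce
the 'did not find expected hexdecimal number' error from this thread.
Added example; not Beats or libyaml code."""
import re

# Single-character escapes permitted inside a double-quoted YAML scalar.
_SIMPLE = {'0': '\0', 'a': '\a', 'b': '\b', 't': '\t', '\t': '\t', 'n': '\n',
           'v': '\v', 'f': '\f', 'r': '\r', 'e': '\x1b', ' ': ' ', '"': '"',
           '/': '/', '\\': '\\', 'N': '\x85', '_': '\xa0', 'L': '\u2028',
           'P': '\u2029'}
# \x, \u and \U must be followed by exactly 2, 4 or 8 hex digits.
_HEX_LEN = {'x': 2, 'u': 4, 'U': 8}


def unquote_yaml_scalar(token: str) -> str:
    """Return the string value of one single- or double-quoted YAML scalar."""
    if len(token) < 2 or token[0] != token[-1] or token[0] not in "'\"":
        raise ValueError("expected a single- or double-quoted scalar")
    body = token[1:-1]
    if token[0] == "'":
        # Single quotes: backslash is literal, only '' is an escape,
        # so 'C:\Users\...' needs no doubling of the backslashes.
        return body.replace("''", "'")
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch != '\\':
            out.append(ch)          # "C:/Users/..." never reaches an escape
            i += 1
            continue
        i += 1
        if i >= len(body):
            raise ValueError("unexpected end of scalar after backslash")
        esc = body[i]
        if esc in _SIMPLE:          # "\\" -> one literal backslash
            out.append(_SIMPLE[esc])
            i += 1
        elif esc in _HEX_LEN:
            n = _HEX_LEN[esc]
            digits = body[i + 1:i + 1 + n]
            if not re.fullmatch(r'[0-9A-Fa-f]{%d}' % n, digits):
                # "C:\Users\..." lands here: \U wants 8 hex digits, got "sers\zac".
                raise ValueError("did not find expected hexadecimal number")
            out.append(chr(int(digits, 16)))
            i += 1 + n
        else:
            raise ValueError("unknown escape character \\%s" % esc)
    return ''.join(out)
```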


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.