I'm facing a serious problem. I get the following message:
filebeat[29206]: 2022-03-24T10:30:37.927+0100 ERROR [publisher_pipeline_output] pipeline/output.go:154 Failed to connect to backoff(async(tcp://logstash.domain.com:5044)): remote error: tls: bad certificate
This is my filebeat output:
# ------------------------------ Logstash Output -------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["logstash.domain.com:5044"]
  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/filebeat/certs/ca.crt"]
  #ssl.key: "/etc/logstash/certs/ca.key"
  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"
  ssl.verification_mode: none
  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"
This is my logstash output:
input {
  beats {
    port => "5044"
    ssl => true
    ssl_key => '/etc/logstash/certs/logstash.pkcs8.key'
    ssl_certificate => '/etc/logstash/certs/logstash.crt'
    ssl_certificate_authorities => '/etc/logstash/certs/ca.crt'
  }
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
}
output {
  elasticsearch {
    hosts => [ "https://node2.domain.com:9200" ]
    index => "logstash-beats"
    cacert => '/etc/logstash/certs/ca.crt'
    user => "logstash"
    password => "password"
  }
}
If I test my pipeline everything is OK.
This is super strange because I have other instances of filebeat on different servers and they are working, and they are all using the same certificate. The only difference between this filebeat and the others is that the others communicate with Elasticsearch directly.
If you are not going to use certificates by commenting them out, then you shouldn't have ssl set to true for the input. Either both sides are using certificates or none at all. What happens when you set ssl to false?
I would like to use ssl on my stack so between Filebeat/Logstash/Elasticsearch/Kibana. But I don't understand why all the Filebeats work via Elasticsearch and not this one with my logstash. They all use the same certificate...
So indeed the issue is with the certificates. Your output.logstash certificate and key shouldn't be commented out; you need to pass the certificate from filebeat to the logstash node.
Your logstash node is expecting the same certificate that has been passed so it can validate it. The verification mode should be certificate and not set to none.
So which certificates should I put in ssl.key and ssl.certificate? On the ssl.certificate_authorities I know I have to put the same as logstash but for the other entries I don't know.
Yes, the certificates you need depend on your set-up. Are you using self-signed certificates?
You should have all the certificates available to you already if you followed the securing your cluster documentation. How filebeat and logstash communicate isn't dissimilar to, say, Kibana to Elasticsearch. If these are working over SSL/TLS, then the same goes for your issue.
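On the question of which files go where: this added example (not part of the thread and not Elastic tooling) uses `openssl` to check that the certificate intended for Filebeat's `ssl.certificate` is signed by the CA listed in Logstash's `ssl_certificate_authorities`, and that the `ssl.key` file is that certificate's own private key rather than the CA key. The function names, file names, subjects and the throwaway CA generated for the demo are all constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for a Filebeat client certificate.
# All file names and subjects below are constructed placeholders.

# Succeeds if CERT chains to the CA file that Logstash trusts.
cert_chains_to_ca() {  # usage: cert_chains_to_ca CA_FILE CERT_FILE
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if KEY is the private key of CERT (compares the two public keys).
key_matches_cert() {  # usage: key_matches_cert CERT_FILE KEY_FILE
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Build a throwaway CA and one client certificate in DIR (constructed test data).
make_constructed_pki() {  # usage: make_constructed_pki DIR
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=filebeat-client.example" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/client.crt" 2>/dev/null
}

# Run both checks, print one line per result, return non-zero on any failure.
preflight() {  # usage: preflight CA_FILE CERT_FILE KEY_FILE
  local rc=0
  if cert_chains_to_ca "$1" "$2"; then echo "OK   chain: $2 is signed by $1"
  else echo "FAIL chain: $2 is not signed by $1"; rc=1; fi
  if key_matches_cert "$2" "$3"; then echo "OK   key: $3 belongs to $2"
  else echo "FAIL key: $3 does not belong to $2"; rc=1; fi
  return $rc
}

# Demo on constructed data: a correct pair, then the CA key supplied by mistake.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir"
preflight "$demo_dir/ca.crt" "$demo_dir/client.crt" "$demo_dir/client.key"
preflight "$demo_dir/ca.crt" "$demo_dir/client.crt" "$demo_dir/ca.key" || true
```

Against real files, call `preflight` with the CA file from the Logstash input, the client certificate and its key before pointing `ssl.certificate` and `ssl.key` at them.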