The System cannot find the path error


(Marcos Felix) #1

I will be as descriptive as I can:
I have been fiddling with ELK for 2/3 days now, just got it to work. I have it installed in one of our servers in a linux OS and use VMware console to connect to it. I can access Kibana from the Hosts web. I am now attempting to send the production logs from event viewers for Kibana to analyse. I then stumped across a tutorial using Winlogbeat (https://silentbreaksecurity.com/windows-events-sysmon-elk/). It also asks me to install Sysmon before starting on Winlogbeat.
I did everything it required me and as soon as I went to run the script to start winlogbeat, I get this error:

Start-Service : Service 'winlogbeat (winlogbeat)' cannot be started due to the following error: Cannot start service
winlogbeat on computer '.'.
At line:1 char:1
+ Start-Service -Name "winlogbeat"
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.ServiceProcess.ServiceController:ServiceController) [Start-Service],
   ServiceCommandException
    + FullyQualifiedErrorId: CouldNotStartService,Microsoft.PowerShell.Commands.StartServiceCommand

I understand this error, it might be perhaps the certificate is in the linux directory and not in windows, but how could I make this possibly work? do I have to copy the cert over from the Linux OS to the Host windows OS?

BTW: when I run a configtest I get this:

Flag --configtest has been deprecated, configtest flag has been deprecated, use test config subcommand
2018-07-02T14:17:39.858+0100 INFO instance/beat.go:492 Home path: [C:\Software\winlogbeat] Config path: [C:\Software\winlogbeat] Data path: [C:\Software\winlogbeat\data] Logs path: [C:\Software\winlogbeat\logs]
2018-07-02T14:17:39.862+0100 INFO instance/beat.go:499 Beat UUID: ca9db19c-c000-42d0-ab0d-034720bdf2fc
2018-07-02T14:17:39.869+0100 INFO [beat] instance/beat.go:716 Beat info {"system_info": {"beat": {"path": {"config": "C:\Software\winlogbeat", "data": "C:\Software\winlogbeat\data", "home": "C:\Software\winlogbeat", "logs": "C:\Software\winlogbeat\logs"}, "type": "winlogbeat", "uuid": "ca9db19c-c000-42d0-ab0d-034720bdf2fc"}}}
2018-07-02T14:17:39.873+0100 INFO [beat] instance/beat.go:725 Build info {"system_info": {"build": {"commit": "a04cb664d5fbd4b1aab485d1766f3979c138fd38", "libbeat": "6.3.0", "time": "2018-06-11T22:37:35.000Z", "version": "6.3.0"}}}
2018-07-02T14:17:39.873+0100 INFO [beat] instance/beat.go:728 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.9.4"}}}
2018-07-02T14:17:39.907+0100 INFO instance/beat.go:225 Setup Beat: winlogbeat; Version: 6.3.0
2018-07-02T14:17:39.908+0100 ERROR outputs/tls.go:268 Failed reading CA certificate: open /etc/elk-certs/elk-ssl.cert: The system cannot find the path specified.
2018-07-02T14:17:39.911+0100 INFO instance/beat.go:275 winlogbeat stopped.
2018-07-02T14:17:39.922+0100 ERROR instance/beat.go:691 Exiting: error initializing publisher: 1 error: open /etc/elk-certs/elk-ssl.cert: The system cannot find the path specified. reading /etc/elk-certs/elk-ssl.cert
Exiting: error initializing publisher: 1 error: open /etc/elk-certs/elk-ssl.cert: The system cannot find the path specified. reading /etc/elk-certs/elk-ssl.cert

Also here is the log file:

> 2018-07-02T14:07:54.255+0100	INFO	instance/beat.go:492	Home path: [C:\Software\winlogbeat] Config path: [C:\Software\winlogbeat] Data path: [C:\Software\winlogbeat\data] Logs path: [C:\Software\winlogbeat\logs]
> 2018-07-02T14:07:54.268+0100	INFO	instance/beat.go:499	Beat UUID: ca9db19c-c000-42d0-ab0d-034720bdf2fc
> 2018-07-02T14:07:54.268+0100	INFO	[beat]	instance/beat.go:716	Beat info	{"system_info": {"beat": {"path": {"config": "C:\\Software\\winlogbeat", "data": "C:\\Software\\winlogbeat\\data", "home": "C:\\Software\\winlogbeat", "logs": "C:\\Software\\winlogbeat\\logs"}, "type": "winlogbeat", "uuid": "ca9db19c-c000-42d0-ab0d-034720bdf2fc"}}}
> 2018-07-02T14:07:54.269+0100	INFO	[beat]	instance/beat.go:725	Build info	{"system_info": {"build": {"commit": "a04cb664d5fbd4b1aab485d1766f3979c138fd38", "libbeat": "6.3.0", "time": "2018-06-11T22:37:35.000Z", "version": "6.3.0"}}}
> 2018-07-02T14:07:54.269+0100	INFO	[beat]	instance/beat.go:728	Go runtime info	{"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":4,"version":"go1.9.4"}}}
> 2018-07-02T14:07:54.293+0100	INFO	instance/beat.go:225	Setup Beat: winlogbeat; Version: 6.3.0
> 2018-07-02T14:07:54.294+0100	ERROR	outputs/tls.go:268	Failed reading CA certificate: open /etc/elk-certs/elk-ssl.cert: The system cannot find the path specified.
> 2018-07-02T14:07:54.294+0100	INFO	instance/beat.go:275	winlogbeat stopped.
> 2018-07-02T14:07:54.298+0100	ERROR	instance/beat.go:691	Exiting: error initializing publisher: 1 error: open /etc/elk-certs/elk-ssl.cert: The system cannot find the path specified. reading /etc/elk-certs/elk-ssl.cert

(Andrew Kroh) #2

Looks like you have configured certificate_authorities with a unix path. Also, when dealing with Windows paths make sure you use single quotes otherwise you need to escape the backslashes (e.g. C:\\Windows).

some_option: "C:\\Windows" #Double-quotes will requiring escaping.
some_option: 'C:\Windows' # Single-quotes remove the need to escape slashes in YAML.
some_option: "C:/Windows" # The path separator is automatically changed by the Beat.


(Marcos Felix) #3

I gave a Linux path because that is where the cert is; will I have to copy the cert to the windows OS and then rename the path?


(Andrew Kroh) #4

If the output is accepting connections over TLS and is using a self-signed certificate then you must tell the clients what CAs should be trusted. In order to do this you need to copy the CA certificate to each client machine (Winlogbeat) and set the corresponding config option depending on the output type (ES or LS).


(Marcos Felix) #5

I have tried the SSL one; I cannot verify the certificate. I have tried many things that I found online and in the documentation. None helped. This is what I get:
I run this: curl -v --cacert ca-certificates.crt https://IP:5044

* Rebuilt URL to: https://IP:5044/
*   Trying IP...
* TCP_NODELAY set
* connect to IP port 5044 failed: Connection timed out
* Failed to connect to IP port 5044: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to IP port 5044: Connection timed out

IP is the IP from the vmware.
Any ideas?

Also random question: Should the NGINX certs be the same as the others (ELK, filebeat,) or it doesn't matter here?


(Marcos Felix) #6

Hello ? I am trying to make it listen to the IP and PORT, could that be the issue?
@andrewkroh


(Adrian Serrano) #7
curl: (7) Failed to connect to IP port 5044: Connection timed out

This is not a TLS issue. It cannot connect to IP:5044.

Note that 5044 is the Logstash port, so, are you running logstash inside VMWare? If you're connecting to Elasticsearch directly then use the 9200 port.


(Marcos Felix) #8

@adrisr Thanks for the reply. Yes, I am running logstash inside a VMWare server. Logstash nginx conf file is running on port 5044 and so is the other beats file. All ports are opened, I have no idea what could be causing this. I already changed all the CA on ELK and beats related file to be the same.


(Adrian Serrano) #9

It's not a CA problem, it's a networking issue. Messing with the TLS options won't help.

Either:

  • Logstash is not running inside VMWare
  • Logstash is not bound to 0.0.0.0:5044 (check with netstat -nlp)
  • The 5044 port is not accesible outside of VMWare. I'm not familiar with VMware so I can't help you with this, but look for port binding. Something like this.
  • The IP is wrong.

(Marcos Felix) #10

When I did netstat it returned ::::5044 @adrisr that's the only thing I can think of.
Now when I netstat, it doesnt even return 5044
update: Didn't do anything, but if I do(netstat -an|grep LIST|grep 5044) it is now returning 0.0.0.0:5044 - why is this the case?


(Marcos Felix) #11

Still having issue, I checked Iptables and it is added, I did nmap and it seems like the port is active but nothing is listening to it even though I set Logstash and Filebeat to port 5044. Any Clues?


(Marcos Felix) #12

After hours, some output:
Rebuilt URL to: https://IP:5044/

Trying IP...
TCP_NODELAY set
Connected to IP (IP) port 5044 (#0)
ALPN, offering h2
ALPN, offering http/1.1
successfully set certificate verify locations:
CAfile: /etc/ssl/certs/ca-certificates.crt CApath: /etc/ssl/certs
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (OUT), TLS alert, Server hello (2):
SSL certificate problem: self signed certificate
stopped the pause stream!
Closing connection 0
curl: (60) SSL certificate problem: self signed certificate


(Adrian Serrano) #13

Okay, now the connection problem is fixed.

Now curl is not accepting the certificate presented by logstash because it's self-signed.

For a self-signed certificate to be accepted, it must be this certificate passed to the --cacert option.

You can see the certificate presented by logstash with

openssl s_client -showcerts -connect IP:5044

(Marcos Felix) #14

@adrisr not sure what you mean, could you clarify?
that command gives a long list, I dont know what I am looking for here.

I have tried by input --insecure and I get this error:

* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

(Marcos Felix) #15

Guess it is a unprecedented error as no one knows how to fix it


(system) #16

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.