TLS not being used between Winlogbeat and Logstash - No errors

gamaier · September 15, 2016, 4:06pm

So I'm wondering if anyone has run into this issue before.
I've created a self signed cert on my elastic/logstash box and deployed this to a dev box as well. After thinking this was working since I get no errors regarding the certificates I went to watch the traffic with wireshark to confirm and it just shows TCP traffic and no TLS traffic between the two machines.

My configuration is fairly basic:
Beats Input:
input {
beats {
port => 5045
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

Winlogbeat output:

output:
logstash:

hosts: ["elastic01.***[omitted]****.com:5045"]
tls:
  certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

If anyone has any thoughts I'd be very curious. I don't even see an SSL handshake take place or errors anywhere in any log.

Thank you!

steffens · September 16, 2016, 12:58pm

logstash requires you to use SSL, otherwise it would close the connection on first send attempt.

Have you tried to decode the packets as TLS in wireshark? Then you might see the handshake. By default wireshark will display TCP, because TLS/SSL runs on top of TCP.

system · October 7, 2016, 12:59pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.