TLS not being used between Winlogbeat and Logstash - No errors

gamaier · September 15, 2016, 4:06pm

So I'm wondering if anyone has run into this issue before.
I've created a self signed cert on my elastic/logstash box and deployed this to a dev box as well. After thinking this was working since I get no errors regarding the certificates I went to watch the traffic with wireshark to confirm and it just shows TCP traffic and no TLS traffic between the two machines.

My configuration is fairly basic:
Beats Input:
input {
beats {
port => 5045
ssl => true
ssl_certificate => "/etc/pki/tls/certs/logstash-forwarder.crt"
ssl_key => "/etc/pki/tls/private/logstash-forwarder.key"
}
}

Winlogbeat output:

output:
logstash:

hosts: ["elastic01.***[omitted]****.com:5045"]
tls:
  certificate_authorities: ["C:/ProgramData/winlogbeat/logstash-forwarder.crt"]

If anyone has any thoughts I'd be very curious. I don't even see an SSL handshake take place or errors anywhere in any log.

Thank you!

steffens · September 16, 2016, 12:58pm

logstash requires you to use SSL, otherwise it would close the connection on first send attempt.

Have you tried to decode the packets as TLS in wireshark? Then you might see the handshake. By default wireshark will display TCP, because TLS/SSL runs on top of TCP.

system · October 7, 2016, 12:59pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat TLS Connection to Logstash Beats winlogbeat	14	8992	April 12, 2016
SSL doesn't work when sending data from Winlogbeat to Logstash Logstash	1	278	March 10, 2019
Winlogbeat to Logstash over SSL Logstash	12	268	February 13, 2023
Logstash / Beats Encryption Error Logstash	1	175	September 1, 2023
Using ssl between filebeat client and logstash server Logstash	1	716	July 6, 2017

TLS not being used between Winlogbeat and Logstash - No errors

Related topics