●[TLS] Question: Secure communication between Winlogbeat/ElasticSearch causes an error

I am configuring "Elastic Stack" using a self-signed certificate.
Secure communication between Elasticsearch worked fine, but
secure communication between Winlogbeat/Elasticsearch results in an error.

Please teach me the "series of tasks" as specifically as possible, such as the certificate-related files and settings that should be kept on the Windows side.

▼ERROR Details

ERROR   pipeline/output.go:100  Failed to connect to backoff(elasticsearch(https://xxx.xxx.xxx.xxx:9200)): Get https://xxx.xxx.xxx.xxx:9200: x509: certificate signed by unknown authority

▼Setting parameters for “output.elasticsearch” in “winlogbeat.yml” (excerpt)


output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200"]
  protocol: "https"
  api_key: "id:api_key"

▼“winlogbeat.exe test config” execution command on Windows

.\winlogbeat.exe test config -c .\winlogbeat.yml -e

▼Execution results of "winlogbeat.exe test config" command on Windows

Config OK

▼“winlogbeat.exe” execution command on Windows

.\winlogbeat.exe -c .\winlogbeat.yml -e

▼Execution results of the “winlogbeat.exe” command on Windows

ERROR   pipeline/output.go:100  Failed to connect to backoff(elasticsearch(https://xxx.xxx.xxx.xxx:9200)): Get https://xxx.xxx.xxx.xxx:9200: x509: certificate signed by unknown authority
INFO    pipeline/output.go:93   Attempting to reconnect to backoff(elasticsearch(https://xxx.xxx.xxx.xxx:9200)) with 3 reconnect attempt(s)

My environment is as below

The server OS uses Ubuntu
Elasticsearch 8.11 is configured redundantly with 3 units.
Winlogbeat is using 8.11

Please help me
regards

Thank you

Hi @YUUTA.INOUE-JPN

First try

output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200"]
  protocol: "https"
  api_key: "id:api_key"
  ssl.verification_mode: "none"

Set that and test output

.\winlogbeat.exe test output -c .\winlogbeat.yml -e

If that works then you will need to get the CA or trusted fingerprint from elasticsearch and set that l

Take a look at

1 Like

Yeah, I would agree with Stephen. It looks like you need to tell Winlogbeat which CAs to trust with output.elasticsearch.ssl.certificate_authorities.

And then because you are using IP addresses in the configuration to Winlogbeat, those servers' certificates need to contain an SAN for their IP.

2 Likes
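
The two replies above combined into one Winlogbeat output section, as an added example that is not part of any post in this thread. The CA file path and the fingerprint value are assumed placeholders; hosts and api_key are the masked values from the question.

```yaml
# winlogbeat.yml (excerpt). Added example, not configuration posted in the thread.
output.elasticsearch:
  hosts: ["xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200", "xxx.xxx.xxx.xxx:9200"]
  protocol: "https"
  api_key: "id:api_key"

  # CA certificate (PEM) that signed the Elasticsearch HTTP certificates,
  # copied to the Windows host. Only the public certificate is needed here,
  # never the CA private key. The path is an assumed placeholder.
  ssl.certificate_authorities: ['C:\Program Files\Winlogbeat\certs\ca.crt']

  # Alternative mentioned in the first reply: pin the CA by its fingerprint
  # instead of shipping the file (placeholder value, hex-encoded SHA-256).
  # ssl.ca_trusted_fingerprint: "<SHA-256 fingerprint of the CA certificate>"

  # "full" (the default) validates the chain against the CA above and checks
  # that each entry in `hosts` matches a SAN in that node's certificate.
  # With IP addresses in `hosts`, every node certificate needs its IP as a SAN.
  ssl.verification_mode: "full"

  # Diagnostic setting from the first reply. It disables certificate
  # verification entirely, so remove it once the cause is confirmed:
  # ssl.verification_mode: "none"
```

Re-running the `test output` command from the first reply with this section in place confirms whether the CA and the IP SANs are both accepted.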
