Trying to secure Logstash

So I'm trying to secure the communication to Logstash in my ELK stack. I have a certificate that is working for Kibana, so I was going to test and see if it would work with Logstash. Kibana and Logstash are on the same server.

    input {
      beats {
        port => 5044
        host => "servername.company.com"
        ssl => true
        ssl_certificate => "/etc/logstash/conf.d/kibana-server/kibana-server.crt"
        ssl_key => "/etc/logstash/conf.d/kibana-server/kibana-server.key"
      }
    }

If I remove the ssl part, Logstash opens up 5044 like it should, but when I add it back I get the following in the log file:

    Oct 09 11:04:54  logstash[242496]: [2020-10-09T11:04:54,421][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.87}
    Oct 09 11:04:54  logstash[242496]: [2020-10-09T11:04:54,457][INFO ][logstash.inputs.beats    ][main] Beats inputs: Starting input listener {:address=>"servername.company.com:5044"}
    Oct 09 11:04:55  logstash[242496]: [2020-10-09T11:04:55,490][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
    Oct 09 11:04:55  logstash[242496]: [2020-10-09T11:04:55,761][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Need to get this corrected so I can put it into production. Thank you for your help.

Enable log.level debug and you will likely get an additional message that tells you what the problem is.

Looks like it does not like the key file, but it's the same cert and key file pair that I used for Kibana, and Kibana works. I'm using Microsoft as the CA, so do I need to do something special when creating the cert or the CSR?

`Oct 09 13:09:16 nbhh-elk logstash[265609]: [2020-10-09T13:09:16,298][DEBUG][logstash.javapipeline    ][main] Pipeline terminated by worker error {:pipeline_id=>"main", :exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/conf.d/kibana-server/kibana-server.key, :backtrace=>["io.netty.handler.ssl.SslContextBuilder.keyManager(io/netty/handler/ssl/SslConte>`

You might need to convert the .key to PKCS8.

Elastic have a tutorial on how to do so:

Hope this could help you!

I would also check to make sure the path specified is correct and check the permissions of the .key file. The logstash service account may not have read permissions if you copied the file directly from Kibana's config folder.

According to this, it should at least be able to read it, right?

    -rw-r--r-- 1 root root 1675 Oct 9 10:46 kibana-server.key

Do I need to do anything special when creating the CSR or certificate itself?

Changing the format of the key did the trick.
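
The conversion suggested above, as an added example that is not part of the original thread: a shell script that reports which PEM container a private key uses and writes an unencrypted PKCS#8 copy with `openssl pkcs8`. The function names, the output path you pass in and the `logstash` service user are assumptions.

```shell
#!/bin/sh
# Added example: classify a PEM private key by its header and convert it to
# unencrypted PKCS#8, the format the beats input expects for ssl_key.

# Print the container format of the PEM key in file $1.
pem_key_format() {
    # Strip CRs first so keys saved with Windows line endings still match.
    header=$(tr -d '\r' < "$1" | grep -m 1 -e '^-----BEGIN .*PRIVATE KEY-----') || {
        echo "not-a-pem-key"
        return 0
    }
    case "$header" in
        "-----BEGIN PRIVATE KEY-----")           echo "pkcs8" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-encrypted" ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo "pkcs1-rsa" ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo "sec1-ec" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Write an unencrypted PKCS#8 copy of key $1 to $2, readable by its owner only.
to_pkcs8() {
    (
        umask 077   # new file is created 0600, unlike the 0644 key listed above
        openssl pkcs8 -topk8 -inform PEM -in "$1" -outform PEM -nocrypt -out "$2"
    )
}

# Usage: sh convert-key.sh <key-in> <key-out>
if [ "$#" -eq 2 ]; then
    echo "input:  $(pem_key_format "$1")"
    to_pkcs8 "$1" "$2"
    echo "output: $(pem_key_format "$2")"
    # Assumption: the service runs as user "logstash". Hand it the new file with
    #   chown logstash:logstash "$2"
    # and point ssl_key in the beats input at that path.
fi
```

A key that reports `pkcs1-rsa` or `sec1-ec` is the kind that needs converting; one that already reports `pkcs8` can be used as it is.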
