Trying to secure Logstash

thatch56 · October 9, 2020, 5:08pm

So im trying to secure the communication to logstash in my elk stack. I have a certificate that is working for kibana so i was going to test and see if it would work with logstash. Kibana and Logstash are on the same server.

     beats {
     port => 5044
     host => "servername.company.com"
     ssl => true
     ssl_certificate => "/etc/logstash/conf.d/kibana-server/kibana-server.crt"
     ssl_key => "/etc/logstash/conf.d/kibana-server/kibana-server.key"
    }
    }

If i remove the ssl part logstash opens up 5044 like it should but when i add it back i get the following in the log file

    Oct 09 11:04:54  logstash[242496]: [2020-10-09T11:04:54,421][INFO ][logstash.javapipeline    ][main] Pipeline Java execution initialization time {"seconds"=>0.87}
    Oct 09 11:04:54  logstash[242496]: [2020-10-09T11:04:54,457][INFO ][logstash.inputs.beats    ][main] Beats inputs: Starting input listener {:address=>"servername.company.com:5044"}
    Oct 09 11:04:55  logstash[242496]: [2020-10-09T11:04:55,490][ERROR][logstash.agent           ] Failed to execute action {:id=>:main, :action_type=>LogStash::ConvergeResult::FailedAction, :message=>"Could not execute action: PipelineAction::Create<main>, action_result: false", :backtrace=>nil}
    Oct 09 11:04:55  logstash[242496]: [2020-10-09T11:04:55,761][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}

Need to get this corrected so i can put it into production. Thank you for your help.

Badger · October 9, 2020, 5:49pm

Enable log.level debug and you will likely get an additional message that tells you what the problem is.

thatch56 · October 9, 2020, 7:12pm

Looks like it does not like the key file but its the same cert and key file pair that I used for Kibana and kibana works. Im using Microsoft as the CA so do i need to do something special when creating the Cert or the CSR?

`Oct 09 13:09:16 nbhh-elk logstash[265609]: [2020-10-09T13:09:16,298][DEBUG][logstash.javapipeline    ][main] Pipeline terminated by worker error {:pipeline_id=>"main", :exception=>java.lang.IllegalArgumentException: File does not contain valid private key: /etc/logstash/conf.d/kibana-server/kibana-server.key, :backtrace=>["io.netty.handler.ssl.SslContextBuilder.keyManager(io/netty/handler/ssl/SslConte>`

kavierkoo · October 9, 2020, 7:27pm

You might need to convert the .key to pkcs8

Elastic have a tutorial on how to do so:

Hope this could help you!

amorrow · October 9, 2020, 8:12pm

I would also check to make sure the path specified is correct and check the permissions of the .key file. The logstash service account may not have read permissions if you copied the file directly from kibana's config folder.

thatch56 · October 9, 2020, 9:11pm

According to this it should at least be able to read it right?

-rw-r--r-- 1 root root 1675 Oct 9 10:46 kibana-server.key

thatch56 · October 9, 2020, 9:38pm

Do I need to do anything special when creating the CSR or certificate itself?

thatch56 · October 12, 2020, 5:27pm

Changing the format of the key did the trick.

system · November 9, 2020, 5:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash + SSL Logstash	5	381	October 27, 2020
Can't get encryption to Logstash working Logstash	1	395	August 26, 2020
Beats input ssl problem Logstash	1	1061	November 19, 2019
Problems securing communication between filebeat and logstash Logstash	1	659	January 12, 2018
Logstash crashing, user error with pipeline and SSL certs configuration Logstash	3	324	February 8, 2021

Trying to secure Logstash

Related Topics