Upgraded Logstash from 1.5.5 to 2.2.0 > SSL heck

I have successfully upgraded my ES cluster to the latest/greatest and that worked great. My Linux systems are rocking using the exact same SSL settings. However, my nxlog Windows boxes are not being my friend.

I keep seeing these errors:
```
{:timestamp=>"2016-02-17T14:40:12.193000-0600", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: null cert chain>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:272:in `accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/jruby-openssl-0.9.13-java/lib/jopenssl19/openssl/ssl-internal.rb:106:in `accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.2/lib/logstash/inputs/tcp.rb:112:in `run_server'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.2/lib/logstash/inputs/tcp.rb:84:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.1-java/lib/logstash/pipeline.rb:331:in `inputworker'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.2.1-java/lib/logstash/pipeline.rb:325:in `start_input'"], :level=>:error}
```

It is driving me insane. The cert is exactly the same cert that I am using on my Linux systems and that has no problem communicating. Windows systems are getting SSL errors. I see the TCP traffic, but it's refusing the SSL connection.

logstash config
```
input {
  tcp {
    ssl_cert => "/opt/logstash/ssl/certs/elk1.crt" # new cert needed for latest v of lumberjack-pusher
    ssl_key => "/opt/logstash/ssl/private/elk1.key"
    ssl_enable => true
    type => "windowsEventLog"
    host => "192.168.1.72"
    port => 5051
    codec => "line"
    add_field => { "logType" => "windowsEventLog" }
  }
}

filter {
  if [type] == "windowsEventLog" {
    json { source => "message" } # set our source to the entire message as its JSON
    mutate {
      add_field => ["receivedAt", "%{@timestamp}"]
    }
    if [SourceModuleName] == "eventlog" { # use the date/time of the entry and not physical time so viewing acts as expected
      date {
        match => ["EventTime", "YYYY-MM-dd HH:mm:ss"]
      }
      mutate {
        replace => [ "message", "%{Message}" ]
      }
      mutate {
        remove_field => [ "Message" ]
      }
    }
  }
}

output {
  if [type] == "windowsEventLog" {
    elasticsearch {
      hosts => ["elk2", "elk3", "elk4"]
      index => "logstash-windows-events-%{+YYYY.MM.dd}"
    }
  }
}
```

nxlog config
```
define ROOT C:\Program Files (x86)\nxlog

Moduledir %ROOT%\modules
CacheDir %ROOT%\data
Pidfile %ROOT%\data\nxlog.pid
SpoolDir %ROOT%\data
LogFile %ROOT%\data\nxlog.log

Module xm_json

Module im_msvistalog
ReadFromLast TRUE
Exec $EventReceivedTime = integer($EventReceivedTime) / 1000000; to_json();
Query
*

Module om_ssl
CertFile %ROOT%\cert\elk1.crt
RequireCert TRUE
AllowUntrusted TRUE
Module tcp
Host elk1
Port 5051

<Route 1>
    Path eventlog => out
```

WAY confused.

How would this be fixed by putting in this line in the TCP input?

```
ssl_verify => false
```

It means we don't check that the SSL cert name matches the hostname(s).

That is what it was. I simply deployed a new cert on some of the boxes and it worked. I will just need to run around and do the rest.

Thanks Warkolm!
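
For watching the failures drop off while the remaining boxes get their new cert, here is an added example (not from the thread and not part of Logstash) that parses the Logstash 2.x log format quoted in the first post and counts `SSLError` entries per minute and plugin. The sample lines are constructed, with shortened backtraces and made-up later timestamps, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the first post; backtraces are
# shortened, and the later timestamps and the info line are made up.
SAMPLE_LOG = r'''
{:timestamp=>"2016-02-17T14:40:12.193000-0600", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: null cert chain>, :backtrace=>["org/jruby/ext/openssl/SSLSocket.java:272:in `accept'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.2/lib/logstash/inputs/tcp.rb:112:in `run_server'"], :level=>:error}
{:timestamp=>"2016-02-17T14:40:47.020000-0600", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: null cert chain>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-input-tcp-3.0.2/lib/logstash/inputs/tcp.rb:112:in `run_server'"], :level=>:error}
{:timestamp=>"2016-02-17T14:41:03.500000-0600", :message=>"SSL Error", :exception=>#<OpenSSL::SSL::SSLError: null cert chain>, :backtrace=>[], :level=>:error}
{:timestamp=>"2016-02-17T14:41:09.000000-0600", :message=>"Pipeline started", :level=>:info}
'''

TIMESTAMP = re.compile(r':timestamp=>"([^"]+)"')
LEVEL = re.compile(r':level=>:(\w+)')
EXCEPTION = re.compile(r':exception=>#<([\w:]+): (.*?)>, :backtrace')
# First backtrace frame that lives inside a Logstash plugin gem.
PLUGIN_FRAME = re.compile(
    r"/gems/(logstash-(?:input|output|filter|codec)-[\w-]+?)-(\d[\w.]*)/"
    r"[^\"]*?:(\d+):in `([^']+)'")

def parse_entry(line):
    """Turn one Ruby-hash-style log line into a dict, or None if it is not one."""
    ts = TIMESTAMP.search(line)
    if not line.startswith("{:timestamp=>") or ts is None:
        return None
    level = LEVEL.search(line)
    entry = {"timestamp": ts.group(1), "level": level.group(1) if level else None}
    exc = EXCEPTION.search(line)
    if exc:
        entry["exc_class"], entry["exc_text"] = exc.groups()
    frame = PLUGIN_FRAME.search(line)
    if frame:
        entry["plugin"], entry["plugin_version"] = frame.group(1), frame.group(2)
        entry["frame"] = f"{frame.group(4)}:{frame.group(3)}"
    return entry

def ssl_errors_per_minute(text):
    """Count SSLError entries keyed by (minute, plugin, exception text)."""
    counts = Counter()
    for line in text.splitlines():
        e = parse_entry(line.strip())
        if e and e.get("exc_class") == "OpenSSL::SSL::SSLError":
            minute = e["timestamp"][:16]  # YYYY-MM-DDTHH:MM
            counts[(minute, e.get("plugin", "unknown"), e["exc_text"])] += 1
    return counts

if __name__ == "__main__":
    for key, n in sorted(ssl_errors_per_minute(SAMPLE_LOG).items()):
        print(n, *key)
```
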