Hi All
I created the required certificate and the SSL communication between the Filebeat client and the Logstash server.
Then I ran Wireshark on the Logstash server to check whether that communication is encrypted, but I couldn't find any encrypted information (saying SSL or TLS in the packet) in the Wireshark capture. Is this normal behavior? Please advise.
filebeat
filebeat:
  prospectors:
    -
      paths:
        - /var/log/nginx/access.log
      document_type: nginx-access
      input_type: log
  registry_file: /var/lib/filebeat/registry
output:
  logstash:
    hosts: ["alogstash.ihk.com:5044"]
    index: private.nginx.ihk.org
    tls:
      certificate_authorities: ["/etc/filebeat/ssl/rootCA.crt"]
      certificate: "/etc/filebeat/ssl/host.crt"
      certificate_key: "/etc/filebeat/ssl/host.key"
shipper:
logging:
  files:
    rotateeverybytes: 10485760
Logstash config file
input {
  stdin { }
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/ssl/host.crt"
    ssl_key => "/etc/logstash/ssl/host.key"
  }
}
filter {
  if [type] == "nginx-access" {
    grok {
      match => { "message" => "%{COMBINEDAPACHELOG}" }
    }
  }
}
output {
  stdout { }
  if [type] == "nginx-access" {
    elasticsearch {
      hosts => ["localhost:9200"]
      index => "private.nginx.ihk.org-%{+YYYY.MM.dd}"
    }
  }
}
Wireshark packet
Transmission Control Protocol, Src Port: 44501 (44501), Dst Port: lxi-evntsvc (5044), Seq: 1642, Ack: 1872, Len: 362
Source port: 44501 (44501)
Destination port: lxi-evntsvc (5044)
[Stream index: 4]
Sequence number: 1642 (relative sequence number)
[Next sequence number: 2004 (relative sequence number)]
Acknowledgment number: 1872 (relative ack number)
Header length: 32 bytes
Flags: 0x018 (PSH, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 1... = Push: Set
.... .... .0.. = Reset: Not set
.... .... ..0. = Syn: Not set
.... .... ...0 = Fin: Not set
Window size value: 67
[Calculated window size: 8576]
[Window size scaling factor: 128]
Checksum: 0x041d [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Options: (12 bytes), No-Operation (NOP), No-Operation (NOP), Timestamps
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
Timestamps: TSval 2117349381, TSecr 1775335
Kind: Timestamp (8)
Length: 10
Timestamp value: 2117349381
Timestamp echo reply: 1775335
[SEQ/ACK analysis]
[Bytes in flight: 362]
Data (362 bytes)
Data: 1703030030b3bf7c1294164661b11816dd4ffbff5126fba4...
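
Added example (not part of the original post): a check that reads a captured TCP payload as TLS records, for cases where Wireshark labels traffic on a port such as 5044 only as "Data". The function names and sample inputs are assumptions of this example; the first five bytes come from the capture's Data line, and everything else in the samples is constructed.

```python
import struct

# TLS record-layer content types and versions (RFC 5246, RFC 8446).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# TLS 1.3 also writes 0x0303 in the record header.
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MAX_RECORD_LEN = 2**14 + 2048  # largest ciphertext fragment TLS 1.2 allows


def parse_tls_records(payload):
    """Walk one TCP payload as back-to-back TLS records.

    Returns (records, leftover). Each record is
    (content_type, version, length, complete); complete is False when the
    record body runs past the end of this segment. leftover counts bytes
    that do not fit TLS record framing.
    """
    records, offset = [], 0
    while len(payload) - offset >= 5:
        ctype, version, length = struct.unpack_from("!BHH", payload, offset)
        if (ctype not in CONTENT_TYPES or version not in VERSIONS
                or length > MAX_RECORD_LEN):
            break
        complete = offset + 5 + length <= len(payload)
        records.append((CONTENT_TYPES[ctype], VERSIONS[version], length, complete))
        offset = offset + 5 + length if complete else len(payload)
    return records, len(payload) - offset


def looks_like_tls(payload):
    """True when the whole payload is consistent with TLS record framing."""
    records, leftover = parse_tls_records(payload)
    return bool(records) and leftover == 0


# First five bytes are the start of the capture's Data line; the ciphertext is
# replaced by constructed zero filler, and the second record is constructed
# so the total matches the 362-byte segment length.
SEGMENT = (bytes.fromhex("1703030030") + bytes(48)
           + bytes.fromhex("1703030130") + bytes(304))
# The 24 bytes Wireshark prints on the Data line (the rest is elided there).
DATA_LINE_PREFIX = bytes.fromhex("1703030030b3bf7c1294164661b11816dd4ffbff5126fba4")
# Constructed plaintext: what an unencrypted nginx access-log line looks like.
PLAINTEXT = b'203.0.113.7 - - [01/Jan/2016:00:00:00 +0000] "GET / HTTP/1.1" 200 612'

if __name__ == "__main__":
    for name, data in [("segment", SEGMENT), ("prefix", DATA_LINE_PREFIX),
                       ("plaintext", PLAINTEXT)]:
        print(name, looks_like_tls(data), parse_tls_records(data))
```

Wireshark shows a payload as "Data" when no TLS dissector is applied to the port; Analyze > Decode As... can apply the TLS dissector (named SSL in older versions) to TCP port 5044.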