Windows filebeat SSL to Logstash


#1

Hi,
I have a Linux VM with the ELK stack installed and a Windows machine with the Filebeat agent running.
Everything runs great, but it uses an insecure connection.

Now I wanted to secure the connection between those two machines.
I already have a wildcard certificate from Thatwe for our domain.
My questions are:

  • Can I use this wildcard certificate?
  • If yes, do I have to configure the certificate_authorities string inside the Logstash config? And which file do I need?
  • How do I configure Filebeat on Windows to use SSL?

(Steffen Siering) #2

It's not clear to me how many certificates you have. Do you have a server certificate and/or a client certificate?

Which filebeat/logstash version are you using? If possible, upgrade to 5.1.1.

In logstash you will need to configure the path to the actual server certificate and private key file. In filebeat on Windows you will have to configure output.logstash.ssl.certificate_authority to point to the signing certificate file.


#3

Hi,
I installed the server last week with the latest stable version, 5.1.1.
So do I have to create a new local certificate? I thought I could use an existing wildcard domain certificate which I'm using for some other web servers as well.


(Steffen Siering) #4

Version 5.1.1 was released yesterday...

I haven't ever tested with a wildcard certificate, but I don't see why this shouldn't work. Have you tried to configure filebeat + logstash yet?


#5

Yes, I did.
The connection is rejected by the Logstash server.

Here's my config:

filebeat:
output.logstash:
  # The Logstash hosts
  hosts: ["elastic.domain.com:5043"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: 

  # Certificate for SSL client authentication
  ssl.certificate: "C:/Program Files/Filebeat/wildcard.domain.com.pem"

  # Client Certificate Key
  ssl.key: "C:/Program Files/Filebeat/wildcard.domain.com.key"

And the logstash config:

input {
  beats {
    host => "elastic.domain.com"
    port => "5043"
    ssl => true
    ssl_certificate => "/etc/ssl/wildcard.domain.com.crt"
    ssl_key => "/etc/ssl/wildcard.domain.com.key"
    ssl_verify_mode => "peer"
  }
}

Filebeat Error:
ERR Connecting error publishing events (retrying): dial tcp IP:5043: connectex: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte.


(Steffen Siering) #6

Your error message:

ERR Connecting error publishing events (retrying): dial tcp IP:5043: connectex: Es konnte keine Verbindung hergestellt werden, da der Zielcomputer die Verbindung verweigerte.

is on the TCP level, not the SSL/TLS level. It says dial tcp. A TLS handshake requires a working TCP connection. Is logstash running? Is the port blocked by a firewall? Have you tried to use telnet?

Are you using Windows? If so: on Windows, beats cannot read the OS certificate storage => you have to configure ssl.certificate_authorities.


#7

Hi Steffen,
yes, filebeat is running on a Windows machine.
I'm using a trusted certificate from Thatwe.
This CA is implemented in every local Windows machine.

What shall I configure here? -> ssl.certificate_authorities

Where can I change the TCP level?


(Steffen Siering) #8

As go1.7 does not support Windows system certificates yet, you will have to download and configure a valid PEM file from Thatwe (you can test the root certificate against logstash with openssl s_client ...).

What do you mean by "change the TCP level"? Is logstash running? Have you configured the correct port? Have you tried to ping the logstash endpoint? What about telnet? Any active firewalls blocking the port?

Also, are you really sure about your SSL setup? You really want to use the very same certificate file with the very same private key on both endpoints? What's the impact of the private key potentially getting stolen (private key = secret sauce of async encryption)? Also, ssl_verify_mode => "peer" does not fully enforce client certificate authentication. Choose none or force_peer.


(system) #9

This topic was automatically closed after 21 days. New replies are no longer allowed.