Winlog with SSL - Errors

Hello folks,

I have configured Kibana, Elasticsearch with TLS/SSL. It works. When I am trying to do the same for my Winlogbeat, I can't make it work.

Command: .\winlogbeat.exe -c winlogbeat.yml -e -d "*"

Output

2019-09-20T11:41:11.650-0400 INFO instance/beat.go:606 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2019-09-20T11:41:11.651-0400 DEBUG [beat] instance/beat.go:658 Beat metadata path: C:\Program Files\Winlogbeat\data\meta.json
2019-09-20T11:41:11.655-0400 INFO instance/beat.go:614 Beat ID: be1adfbc-0d0c-4083-a559-a09083a2652c
2019-09-20T11:41:11.684-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:164 add_cloud_metadata: starting to fetch metadata, timeout=3s
2019-09-20T11:41:11.691-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:196 add_cloud_metadata: received disposition for qcloud after 5.9915ms. result=[provider:qcloud, error=failed requesting qcloud metadata: Get http://metadata.tencentyun.com/meta-data/instance-id: dial tcp: lookup metadata.tencentyun.com: no such host, metadata={}]
2019-09-20T11:41:14.687-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:203 add_cloud_metadata: timed-out waiting for all responses
2019-09-20T11:41:14.690-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:167 add_cloud_metadata: fetchMetadata ran for 3.004673s
2019-09-20T11:41:14.691-0400 INFO add_cloud_metadata/add_cloud_metadata.go:347 add_cloud_metadata: hosting provider type not detected.
2019-09-20T11:41:14.692-0400 DEBUG [processors] processors/processor.go:93 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata=null
2019-09-20T11:41:14.693-0400 DEBUG [seccomp] seccomp/seccomp.go:96 Syscall filtering is only supported on Linux
2019-09-20T11:41:14.693-0400 INFO [beat] instance/beat.go:902 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\Winlogbeat", "data": "C:\Program Files\Winlogbeat\data", "home": "C:\Program Files\Winlogbeat", "logs": "C:\Program Files\Winlogbeat\logs"}, "type": "winlogbeat", "uuid": "be1adfbc-0d0c-4083-a559-a09083a2652c"}}}
2019-09-20T11:41:14.694-0400 INFO [beat] instance/beat.go:911 Build info {"system_info": {"build": {"commit": "a4be71b90ce3e3b8213b616adfcd9e455513da45", "libbeat": "7.3.1", "time": "2019-08-19T19:37:03.000Z", "version": "7.3.1"}}}
2019-09-20T11:41:14.695-0400 INFO [beat] instance/beat.go:914 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":32,"version":"go1.12.4"}}}
2019-09-20T11:41:14.730-0400 INFO [beat] instance/beat.go:918 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-09-13T09:06:52.02-04:00","name":"VM01","ip":["fe80::e900:e078:b733:45fa/64","192.168.131.100/24","169.254.69.250/16","fe80::45ad:1d00:8e58:7dbe/64","10.45.0.214/24","fe80::f9ac:6bd4:4cd7:adb0/64","169.254.173.176/16","fe80::f4b1:fa67:c714:a534/64","192.168.131.1/24","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17763.437 (WinBuild.160101.0800)","mac":["a0:d3:c1:34:22:96","a0:d3:c1:34:22:97","00:50:56:c0:00:01","00:50:56:c0:00:08"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.437"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"a2ccc6a1-791b-4ac6-9ea9-2ac0e1a7715d"}}}
2019-09-20T11:41:14.736-0400 INFO [beat] instance/beat.go:947 Process info {"system_info": {"process": {"cwd": "C:\Program Files\Winlogbeat", "exe": "C:\Program Files\Winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 20116, "ppid": 5124, "start_time": "2019-09-20T11:41:11.583-0400"}}}
2019-09-20T11:41:14.737-0400 INFO instance/beat.go:292 Setup Beat: winlogbeat; Version: 7.3.1
2019-09-20T11:41:14.737-0400 DEBUG [beat] instance/beat.go:318 Initializing output plugins
2019-09-20T11:41:14.737-0400 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'winlogbeat-7.3.1' as ILM is enabled.
2019-09-20T11:41:14.738-0400 ERROR tlscommon/tls.go:51 Failed reading certificate file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12: no pem file
2019-09-20T11:41:14.739-0400 ERROR tlscommon/tls.go:151 Failed reading CA certificate:
2019-09-20T11:41:14.739-0400 INFO instance/beat.go:385 winlogbeat stopped.
2019-09-20T11:41:14.739-0400 ERROR instance/beat.go:877 Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12

Config TLS/SSL with Winlogbeat

output.elasticsearch:
  username: "elastic"
  password: "Password"
  protocol: https
  hosts: ["192.168.131.128:9200", "192.168.131.131:9200"]
  ssl.certificate_authorities: C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
  ssl.certificate: C:\Program Files\Winlogbeat\cert\elastic-certificates.p12
  ssl.key: C:\Program Files\Winlogbeat\cert\elasticsearch.keystore
  ssl.key_passphrase: "Password"

Questions

  1. On Windows, is it mandatory to be .pem?
  2. Does it matter if my certs come from Linux?

Hey Steve,

As the error messages show, the certificates are not in the expected format:

2019-09-20T11:41:14.738-0400 ERROR tlscommon/tls.go:51 Failed reading certificate file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12: no pem file
2019-09-20T11:41:14.739-0400 ERROR tlscommon/tls.go:151 Failed reading CA certificate:
2019-09-20T11:41:14.739-0400 INFO instance/beat.go:385 winlogbeat stopped.
2019-09-20T11:41:14.739-0400 ERROR instance/beat.go:877 Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12

While it does not matter which operating system is being used to create them, the format and correct setup of the files (ensuring chains are formed properly) does indeed matter here.

In the documentation (https://www.elastic.co/guide/en/beats/winlogbeat/master/beats-tls.html and https://www.elastic.co/guide/en/beats/winlogbeat/master/configuration-ssl.html) we show PEM as the format needed here and .key for the client certificate key.

Therefore, please try with a PEM formatted certificate for both the certificate authority (CA) and the client certificate; this should do the trick.

Thanks @Janko, I wasn't sure if .pem was mandatory. I will try that out and let you know how it goes.

Here's what I did

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem, then I exported that to my Windows machine.

I updated Winlogbeat.yml file to

output.elasticsearch.ssl.certificate_authorities: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.crt
output.elasticsearch.ssl.certificate: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.crt
output.elasticsearch.ssl.key: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.key

For some reason, if I have "" on the ssl.certificate line, it doesn't work. I unzipped the cert I created and it works. I am unsure as to why it went through that way, since I was supposed to have .pem and not .crt. If someone can explain that to me, I would be grateful.
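The following is an added example, not code from the thread or from Winlogbeat itself. It shows the kind of preflight check behind the "no pem file" error Janko points at, and it also answers the .crt question above: Beats looks at file content, not the extension, so a .crt written by `elasticsearch-certutil ca --pem` is accepted because it holds a PEM `-----BEGIN CERTIFICATE-----` block, while a .p12 bundle is binary PKCS#12 (DER) and is rejected whatever it is named. The check goes slightly beyond the thread by also verifying that each ssl.* setting points at the right kind of PEM block (a certificate for `ssl.certificate_authorities` and `ssl.certificate`, a private key for `ssl.key`); note that the first config's `ssl.key` pointed at `elasticsearch.keystore`, which is the Elasticsearch secure-settings keystore rather than a PEM key. All sample file contents are constructed inline; the function and setting names are this example's own.

```python
"""Preflight check for Beats ssl.* settings: is each referenced file PEM?

Added example; not Winlogbeat code. Beats expects PEM-encoded certificates
and keys. A PKCS#12 (.p12) bundle is binary DER, so it fails with
"no pem file" regardless of its extension, while a .crt/.cer/.pem file
with a PEM block is fine.
"""
import re

# One PEM block: BEGIN/END labels must match (backreference \1).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----",
    re.DOTALL,
)

# Block labels each setting needs (hypothetical mapping for this example).
EXPECTED_BLOCKS = {
    "ssl.certificate_authorities": {"CERTIFICATE"},
    "ssl.certificate": {"CERTIFICATE"},
    "ssl.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                "ENCRYPTED PRIVATE KEY"},
}


def pem_block_types(data: bytes) -> list:
    """Return the labels of all PEM blocks in data, e.g. ['CERTIFICATE']."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def classify(data: bytes) -> str:
    """Classify file content as 'pem', 'der' (covers PKCS#12 too), or 'unknown'.

    PKCS#12 bundles and DER certificates both open with an ASN.1 SEQUENCE
    tag (0x30), so a .p12 file lands in 'der'; Beats accepts only 'pem'.
    """
    if pem_block_types(data):
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def check_ssl_files(files: dict) -> list:
    """Check a mapping of ssl.* setting name -> file bytes.

    Returns (setting, problem) tuples; an empty list means every file is PEM
    and carries a block type suitable for its setting.
    """
    problems = []
    for setting, data in files.items():
        kind = classify(data)
        if kind != "pem":
            problems.append((setting, f"not PEM (looks like {kind}); "
                                      "re-issue with --pem or convert to PEM"))
            continue
        found = set(pem_block_types(data))
        wanted = EXPECTED_BLOCKS.get(setting, found)
        if not found & wanted:
            problems.append((setting, f"PEM but contains {sorted(found)}, "
                                      f"expected one of {sorted(wanted)}"))
    return problems


# Constructed sample contents (not real certificates or keys): a PEM
# certificate, a PEM key, and the leading bytes of a PKCS#12 bundle as
# elasticsearch-certutil writes it (SEQUENCE, INTEGER version 3, ...).
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\n"
               b"MIIBconstructedSampleNotARealCertificate==\n"
               b"-----END CERTIFICATE-----\n")
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"MIIEconstructedSampleNotARealKey==\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_P12 = b"\x30\x82\x0b\x8d\x02\x01\x03\x30\x82\x0b\x47" + b"\x00" * 16


def demo() -> list:
    """Mirror the thread's first config: both certificate settings point at .p12 files."""
    return check_ssl_files({
        "ssl.certificate_authorities": SAMPLE_P12,
        "ssl.certificate": SAMPLE_P12,
        "ssl.key": SAMPLE_KEY,
    })


if __name__ == "__main__":
    for setting, problem in demo():
        print(f"{setting}: {problem}")
```

Run it against the real files by replacing the constructed samples with `open(path, "rb").read()` for each path in winlogbeat.yml; any line it prints corresponds to a setting Winlogbeat will reject at startup.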
