Hello folks,
I have configured Kibana and Elasticsearch with TLS/SSL. It works. When I try to do the same for my Winlogbeat, I can't make it work.
Command: .\winlogbeat.exe -c winlogbeat.yml -e -d "*"
Output
2019-09-20T11:41:11.650-0400 INFO instance/beat.go:606 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2019-09-20T11:41:11.651-0400 DEBUG [beat] instance/beat.go:658 Beat metadata path: C:\Program Files\Winlogbeat\data\meta.json
2019-09-20T11:41:11.655-0400 INFO instance/beat.go:614 Beat ID: be1adfbc-0d0c-4083-a559-a09083a2652c
2019-09-20T11:41:11.684-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:164 add_cloud_metadata: starting to fetch metadata, timeout=3s
2019-09-20T11:41:11.691-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:196 add_cloud_metadata: received disposition for qcloud after 5.9915ms. result=[provider:qcloud, error=failed requesting qcloud metadata: Get http://metadata.tencentyun.com/meta-data/instance-id: dial tcp: lookup metadata.tencentyun.com: no such host, metadata={}]
2019-09-20T11:41:14.687-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:203 add_cloud_metadata: timed-out waiting for all responses
2019-09-20T11:41:14.690-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:167 add_cloud_metadata: fetchMetadata ran for 3.004673s
2019-09-20T11:41:14.691-0400 INFO add_cloud_metadata/add_cloud_metadata.go:347 add_cloud_metadata: hosting provider type not detected.
2019-09-20T11:41:14.692-0400 DEBUG [processors] processors/processor.go:93 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata=null
2019-09-20T11:41:14.693-0400 DEBUG [seccomp] seccomp/seccomp.go:96 Syscall filtering is only supported on Linux
2019-09-20T11:41:14.693-0400 INFO [beat] instance/beat.go:902 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\Winlogbeat", "data": "C:\Program Files\Winlogbeat\data", "home": "C:\Program Files\Winlogbeat", "logs": "C:\Program Files\Winlogbeat\logs"}, "type": "winlogbeat", "uuid": "be1adfbc-0d0c-4083-a559-a09083a2652c"}}}
2019-09-20T11:41:14.694-0400 INFO [beat] instance/beat.go:911 Build info {"system_info": {"build": {"commit": "a4be71b90ce3e3b8213b616adfcd9e455513da45", "libbeat": "7.3.1", "time": "2019-08-19T19:37:03.000Z", "version": "7.3.1"}}}
2019-09-20T11:41:14.695-0400 INFO [beat] instance/beat.go:914 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":32,"version":"go1.12.4"}}}
2019-09-20T11:41:14.730-0400 INFO [beat] instance/beat.go:918 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-09-13T09:06:52.02-04:00","name":"VM01","ip":["fe80::e900:e078:b733:45fa/64","192.168.131.100/24","169.254.69.250/16","fe80::45ad:1d00:8e58:7dbe/64","10.45.0.214/24","fe80::f9ac:6bd4:4cd7:adb0/64","169.254.173.176/16","fe80::f4b1:fa67:c714:a534/64","192.168.131.1/24","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17763.437 (WinBuild.160101.0800)","mac":["a0:d3:c1:34:22:96","a0:d3:c1:34:22:97","00:50:56:c0:00:01","00:50:56:c0:00:08"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.437"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"a2ccc6a1-791b-4ac6-9ea9-2ac0e1a7715d"}}}
2019-09-20T11:41:14.736-0400 INFO [beat] instance/beat.go:947 Process info {"system_info": {"process": {"cwd": "C:\Program Files\Winlogbeat", "exe": "C:\Program Files\Winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 20116, "ppid": 5124, "start_time": "2019-09-20T11:41:11.583-0400"}}}
2019-09-20T11:41:14.737-0400 INFO instance/beat.go:292 Setup Beat: winlogbeat; Version: 7.3.1
2019-09-20T11:41:14.737-0400 DEBUG [beat] instance/beat.go:318 Initializing output plugins
2019-09-20T11:41:14.737-0400 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'winlogbeat-7.3.1' as ILM is enabled.
2019-09-20T11:41:14.738-0400 ERROR tlscommon/tls.go:51 Failed reading certificate file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12: no pem file
2019-09-20T11:41:14.739-0400 ERROR tlscommon/tls.go:151 Failed reading CA certificate:
2019-09-20T11:41:14.739-0400 INFO instance/beat.go:385 winlogbeat stopped.
2019-09-20T11:41:14.739-0400 ERROR instance/beat.go:877 Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Config TLS/SSL with Winlogbeat
output.elasticsearch:
  username: "elastic"
  password: "Password"
  protocol: https
  hosts: ["192.168.131.128:9200", "192.168.131.131:9200"]
  ssl.certificate_authorities: C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
  ssl.certificate: C:\Program Files\Winlogbeat\cert\elastic-certificates.p12
  ssl.key: C:\Program Files\Winlogbeat\cert\elasticsearch.keystore
  ssl.key_passphrase: "Password"
Questions
- On Windows, is it mandatory to be .pem?
- Does it matter if my certs come from Linux?
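
The "no pem file" and "file is not a certificate" errors in the log above are what a PEM-only loader reports when it is handed a binary container such as a .p12 file. The following Go example is added here for illustration and is not code from the post or from Beats; it uses the standard library's pem.Decode on constructed byte samples, and classifyTLSFile and the sample variable names are hypothetical.

```go
package main

import (
	"encoding/pem"
	"fmt"
)

// Constructed sample inputs, not real key material.
// A PKCS#12 file is binary DER: SEQUENCE header, then INTEGER version 3.
var constructedP12 = []byte{0x30, 0x82, 0x0a, 0x00, 0x02, 0x01, 0x03}

// PEM armor around placeholder bytes; pem.Decode does not parse the payload.
var constructedPEMCert = pem.EncodeToMemory(&pem.Block{
	Type:  "CERTIFICATE",
	Bytes: []byte{0x30, 0x03, 0x02, 0x01, 0x01},
})

// classifyTLSFile reports how a loader that accepts only PEM sees the data.
func classifyTLSFile(data []byte) string {
	block, _ := pem.Decode(data)
	if block == nil {
		// No "-----BEGIN ...-----" armor was found. DER-encoded files
		// (PKCS#12 included) begin with the ASN.1 SEQUENCE tag 0x30.
		if len(data) > 0 && data[0] == 0x30 {
			return "binary DER (possibly PKCS#12), not PEM"
		}
		return "not PEM"
	}
	switch block.Type {
	case "CERTIFICATE":
		return "PEM certificate"
	case "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY":
		return "PEM private key"
	}
	return "PEM block of type " + block.Type
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"constructed .p12 header", constructedP12},
		{"constructed PEM certificate", constructedPEMCert},
	}
	for _, s := range samples {
		fmt.Printf("%-28s %s\n", s.name, classifyTLSFile(s.data))
	}
}
```

To check real files, read each path referenced by the ssl.* settings with os.ReadFile and pass the bytes to classifyTLSFile.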