Winlog with SSL - Errors

Elastic Stack Beats
1

Hello folks,

I have configured Kibana, Elasticsearch with TLS/SSL. It works. When I am trying to do the same for my Winlogbeat, I can't make it work.

Command: .\winlogbeat.exe -c winlogbeat.yml -e -d "*"

Outpout

2019-09-20T11:41:11.650-0400 INFO instance/beat.go:606 Home path: [C:\Program Files\Winlogbeat] Config path: [C:\Program Files\Winlogbeat] Data path: [C:\Program Files\Winlogbeat\data] Logs path: [C:\Program Files\Winlogbeat\logs]
2019-09-20T11:41:11.651-0400 DEBUG [beat] instance/beat.go:658 Beat metadata path: C:\Program Files\Winlogbeat\data\meta.json
2019-09-20T11:41:11.655-0400 INFO instance/beat.go:614 Beat ID: be1adfbc-0d0c-4083-a559-a09083a2652c
2019-09-20T11:41:11.684-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:164 add_cloud_metadata: starting to fetch metadata, timeout=3s
2019-09-20T11:41:11.691-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:196 add_cloud_metadata: received disposition for qcloud after 5.9915ms. result=[provider:qcloud, error=failed requesting qcloud metadata: Get http://metadata.tencentyun.com/meta-data/instance-id: dial tcp: lookup metadata.tencentyun.com: no such host, metadata={}]
2019-09-20T11:41:14.687-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:203 add_cloud_metadata: timed-out waiting for all responses
2019-09-20T11:41:14.690-0400 DEBUG [filters] add_cloud_metadata/add_cloud_metadata.go:167 add_cloud_metadata: fetchMetadata ran for 3.004673s
2019-09-20T11:41:14.691-0400 INFO add_cloud_metadata/add_cloud_metadata.go:347 add_cloud_metadata: hosting provider type not detected.
2019-09-20T11:41:14.692-0400 DEBUG [processors] processors/processor.go:93 Generated new processors: add_host_metadata=[netinfo.enabled=[false], cache.ttl=[5m0s]], add_cloud_metadata=null
2019-09-20T11:41:14.693-0400 DEBUG [seccomp] seccomp/seccomp.go:96 Syscall filtering is only supported on Linux
2019-09-20T11:41:14.693-0400 INFO [beat] instance/beat.go:902 Beat info {"system_info": {"beat": {"path": {"config": "C:\Program Files\Winlogbeat", "data": "C:\Program Files\Winlogbeat\data", "home": "C:\Program Files\Winlogbeat", "logs": "C:\Program Files\Winlogbeat\logs"}, "type": "winlogbeat", "uuid": "be1adfbc-0d0c-4083-a559-a09083a2652c"}}}
2019-09-20T11:41:14.694-0400 INFO [beat] instance/beat.go:911 Build info {"system_info": {"build": {"commit": "a4be71b90ce3e3b8213b616adfcd9e455513da45", "libbeat": "7.3.1", "time": "2019-08-19T19:37:03.000Z", "version": "7.3.1"}}}
2019-09-20T11:41:14.695-0400 INFO [beat] instance/beat.go:914 Go runtime info {"system_info": {"go": {"os":"windows","arch":"amd64","max_procs":32,"version":"go1.12.4"}}}
2019-09-20T11:41:14.730-0400 INFO [beat] instance/beat.go:918 Host info {"system_info": {"host": {"architecture":"x86_64","boot_time":"2019-09-13T09:06:52.02-04:00","name":"VM01","ip":["fe80::e900:e078:b733:45fa/64","192.168.131.100/24","169.254.69.250/16","fe80::45ad:1d00:8e58:7dbe/64","10.45.0.214/24","fe80::f9ac:6bd4:4cd7:adb0/64","169.254.173.176/16","fe80::f4b1:fa67:c714:a534/64","192.168.131.1/24","::1/128","127.0.0.1/8"],"kernel_version":"10.0.17763.437 (WinBuild.160101.0800)","mac":["a0:d3:c1:34:22:96","a0:d3:c1:34:22:97","00:50:56:c0:00:01","00:50:56:c0:00:08"],"os":{"family":"windows","platform":"windows","name":"Windows 10 Pro","version":"10.0","major":10,"minor":0,"patch":0,"build":"17763.437"},"timezone":"EDT","timezone_offset_sec":-14400,"id":"a2ccc6a1-791b-4ac6-9ea9-2ac0e1a7715d"}}}
2019-09-20T11:41:14.736-0400 INFO [beat] instance/beat.go:947 Process info {"system_info": {"process": {"cwd": "C:\Program Files\Winlogbeat", "exe": "C:\Program Files\Winlogbeat\winlogbeat.exe", "name": "winlogbeat.exe", "pid": 20116, "ppid": 5124, "start_time": "2019-09-20T11:41:11.583-0400"}}}
2019-09-20T11:41:14.737-0400 INFO instance/beat.go:292 Setup Beat: winlogbeat; Version: 7.3.1
2019-09-20T11:41:14.737-0400 DEBUG [beat] instance/beat.go:318 Initializing output plugins
2019-09-20T11:41:14.737-0400 INFO [index-management] idxmgmt/std.go:178 Set output.elasticsearch.index to 'winlogbeat-7.3.1' as ILM is enabled.
2019-09-20T11:41:14.738-0400 ERROR tlscommon/tls.go:51 Failed reading certificate file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12: no pem file
2019-09-20T11:41:14.739-0400 ERROR tlscommon/tls.go:151 Failed reading CA certificate:
2019-09-20T11:41:14.739-0400 INFO instance/beat.go:385 winlogbeat stopped.
2019-09-20T11:41:14.739-0400 ERROR instance/beat.go:877 Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12

Config TLS/SSL with Winlogbeat

output.elasticsearch:
username: "elastic"
password: "Password"
protocol: https
hosts: ["192.168.131.128:9200", "192.168.131.131:9200"]
ssl.certificate_authorities: C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
ssl.certificate: C:\Program Files\Winlogbeat\cert\elastic-certificates.p12
ssl.key: C:\Program Files\Winlogbeat\cert\elasticsearch.keystore
ssl.key_passphrase: "Password"

Questions

  1. On Windows, is it mandatory to be .pem ?
  2. Does it matter if my certs come from Linux ?
2

Hey Steve,

as the error messages show the certificates are not in the expected format:

2019-09-20T11:41:14.738-0400 ERROR tlscommon/tls.go:51 Failed reading certificate file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12: no pem file
2019-09-20T11:41:14.739-0400 ERROR tlscommon/tls.go:151 Failed reading CA certificate:
2019-09-20T11:41:14.739-0400 INFO instance/beat.go:385 winlogbeat stopped.
2019-09-20T11:41:14.739-0400 ERROR instance/beat.go:877 Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12
Exiting: error initializing publisher: 2 errors: no pem file C:\Program Files\Winlogbeat\cert\elastic-certificates.p12; file is not a certificate adding C:\Program Files\Winlogbeat\cert\elastic-stack-ca.p12

While it does not matter which operating system is being used to create them, the format and correct setup of the files (ensuring chains are formed properly) does indeed matter here.

In the documentation (https://www.elastic.co/guide/en/beats/winlogbeat/master/beats-tls.html and https://www.elastic.co/guide/en/beats/winlogbeat/master/configuration-ssl.html) we show PEM as the format needed here and .key for the client certificate key.

Therefore please try with a PEM formatted certificate for both the certificate authority (CA) and client certificate, this should do the trick.

3

Thanks @Janko, I wasn't sure if .pem was mandatory. I will try that out and let you know how it goes.

4

Here's what I did

sudo /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem, then I exported that to my Windows machine.

I updated Winlogbeat.yml file to

output.elasticsearch.ssl.certificate_authorities: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.crt
output.elasticsearch.ssl.certificate: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.crt
output.elasticsearch.ssl.key: C:\Program Files\Winlogbeat\cert\elastic-stack-ca\ca\ca.key

For some reason, if I have "" on ssl.certificate line, it doesn't work. I unzipped my cert created and it works. I am unsure as of why it did go through that way since I was supposed to have .pem and not .crt. If someone can explain that to me I would be grateful.

5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.