My first concern is winlogbeat doesn't notify of any TLS or Certificate Errors, even when I set the log level to 'info'. This is poor form!
2016-04-22T22:34:11+02:00 INFO winlogbeat sucessfully setup. Start running.
2016-04-22T22:34:11+02:00 INFO Error publishing events (retrying): EOF
2016-04-22T22:34:11+02:00 INFO send fail
2016-04-22T22:34:11+02:00 INFO backoff retry: 1s
2016-04-22T22:34:12+02:00 INFO Error publishing events (retrying): EOF
2016-04-22T22:34:12+02:00 INFO send fail
System:
- Windows 2012 R2 with Winlogbeat 1.2.1
- Logstash 2.3 on a RedHat Linux server
(all fresh 'current' downloads from today!)
I set some things up as per https://www.elastic.co/guide/en/beats/winlogbeat/current/configuring-tls-logstash.html.
According to it "If certificate_authorities is empty or not set, the trusted certificate authorities of the host system are used."
I'm quite certain both my certs are correctly installed in the Windows Certificate Store.
- Most Windows things can use sites signed by the CA in the browser.
- Ran a test script via PowerShell to connect to the logstash input port with TLS, and it worked.
The only configuration change I had to make to fix it was to change the winlogbeat.yml file and explicitly set the CA.
In summary, I suspect that winlogbeat doesn't correctly use the "Trusted Root Certification Authorities" plus "Intermediate Certification Authorities".
To test/reproduce, use at least a 2-tier CA setup.
- Set up Root + Intermediary CA
- Intermediary CA signs cert for logstash beats input
- On Windows system (with winlogbeat), trust Root plus Intermediary (in the local computer certificate store)
- Install Root -> "Trusted Root Certification Authorities"
- Install Intermediary CA -> "Intermediate Certification Authorities"
- Also export Root and Intermediary CA cert into a PEM format file for explicit config
- Test two yaml configs, one pointing to the .pem file with the CA, the other just specifying tls: but leaving it empty (implicit)
Note, for the moment, just doing TLS Server Auth and leaving client authentication on the logstash input out of the mix. Example config:
winlogbeat side
output:
  logstash:
    hosts:
      - plogprocs1v.standardbank.co.za:5045
    tls:
      certificate_authorities:
        - C:/Program Files/Winlogbeat/<org internal ca trust chain>.pem
logstash side
input {
  # server auth only
  beats {
    port => 5045
    ssl => true
    ssl_certificate => "/etc/pki/tls/certs/<fqdn>.rsa.crt"
    ssl_key => "/etc/pki/tls/private/<fqdn>.rsa.key"
  }
}