Winlogbeat is not shipping Data to Elasticsearch after enabling xpack Security

Moritz_Kiesewetter · March 23, 2022, 8:43am

Hello,

so we've started to renew our Cluster for various reasons:

3 Node Cluster (CentOS 7)
Using:
Kibana 7.15
Elasticsearch 7.15
Logstash 7.15
Filebeat 7.15
Winlogbeat 7.15

After we setup xpack Security within Elasticsearch - we proceeded to get our Log-Sources connected. It worked just fine for the firewalls - using the modules of Filebeat. No Problem with the delivery whatsoever.

When we tried to connect our Windows Clients to Elasticsearch - we fail.
The Config Test says it's ok - but the output test runs into a timeout.

C:\Program Files\Winlogbeat>winlogbeat test output
elasticsearch: https://X.X.X.X:9200...
parse url... OK
connection...
parse host... OK
dns lookup... OK
addresses: 10.28.99.66
dial up... ERROR dial tcp 10.28.99.66:9200: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Here's the .yml Configuration on both sides:

Winlogbeat:


output.elasticsearch:
  enabled: true   
  hosts: ["X.X.X.X:9200", "Y.Y.Y.Y:9200", "Z.Z.Z.Z:9200"]
  username: "winlogbeat"
  password: "YjkS1EvKdPaZvYUC"
  ssl.certificate_authorities: "C:\Program Files\winlogbeat\certs\ca.newkey"
  #ssl.certificate: "C:\Program Files\winlogbeat\certs\cert.newkey"
  #ssl.key: "C:\Program Files\winlogbeat\certs\key.newkey
  protocol: "https"

we've tried it both with ssl.certifacte & key enable and disabled.

Elasticsearch:

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
#xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/key.newkey
xpack.security.transport.ssl.certificate: certs/cert.newkey
xpack.security.transport.ssl.certificate_authorities: ["/etc/elasticsearch/certs/ca.newkey"]

We've tried both with certificate verificate set to none and certificate.

I parsed the logs of elasticsearch - but cannot find any errors belonging to the Windows Server on which we're testing on.

Firewall Rules are in place.
I am sure that i'm just in a kind of tunnel vision and i'm missing out on a crucial simple part - but i fail to see it - maybe someone can help?

Thanks in advance!

Moritz_Kiesewetter · March 23, 2022, 10:05am

Soo i just cleared my head - and now i see that my configuration has nothing to do with the delivery of Data - since we've only encrypted the Internode Communication -

But now the whole Winlogbeat thing makes even less sense to me -
there's no encryption on Port 9200 - but even if i disable all the ssl. features in the winlogbeat.yml config file - i cannot access my cluster as i run into a timeout.

system · April 20, 2022, 10:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat secure connection Beats winlogbeat	3	628	September 25, 2020
Winlogbeat not sending logs after xpack.security was enabled Elasticsearch windows	1	351	December 15, 2022
Filebeat not working with xpack Security enabled in Elasticsearch Beats filebeat	0	156	April 23, 2024
Cannot get winlogbeats to send to logstash Beats winlogbeat	2	1703	April 8, 2017
Elasticsearch not receving Packetbeat after x-pack upgrade Beats packetbeat	7	501	May 17, 2018

Winlogbeat is not shipping Data to Elasticsearch after enabling xpack Security

Related topics