Hello,
I am new to setting up the ELK stack, currently working in a lab environment to understand the setup before moving to production. Everything is on 8.0.
The problem I am having with Winlogbeat is that when I have a keystore variable in place for the CA fingerprint, the service will not start and an error is thrown in the logs. If I change it to be plaintext of the fingerprint, it works fine. Oddly enough, if I run winlogbeat setup -e with the variable in place, it connects and works fine. The Winlogbeat service is running as the same user I am using to set the keystores. I am also having similar problems with keystores in Filebeat, but I want to focus on this for now and will circle back.
Any thoughts on what I am doing wrong?
My config file:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://ServerName:9200"]
  # Protocol - either `http` (default) or `https`.
  protocol: "https"
  # Authentication credentials - either API key or username/password.
  username: "winlogbeat_user"
  password: "${ES_PWD}"
  ssl.enabled: true
  ssl.ca_trusted_fingerprint: "${CA_FP}"
Winlogbeat error:
{"log.level":"error","@timestamp":"2022-03-01T15:21:50.452-0500","log.origin":{"file.name":"instance/beat.go","file.line":1025},"message":"Exiting: error initializing publisher: missing field accessing 'output.elasticsearch.ssl.ca_trusted_fingerprint' (source:'C:\Program Files\Winlogbeat\winlogbeat.yml') accessing 'output.elasticsearch' (source:'C:\Program Files\Winlogbeat\winlogbeat.yml')","service.name":"winlogbeat","ecs.version":"1.6.0"}
Winlogbeat setup -e working:
{"log.level":"info","@timestamp":"2022-03-01T15:23:22.545-0500","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":163},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.name":"winlogbeat","ecs.version":"1.6.0"}
{"log.level":"info","@timestamp":"2022-03-01T15:23:22.553-0500","log.logger":"tls","log.origin":{"file.name":"tlscommon/tls_config.go","file.line":174},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certificate_authorities'","service.name":"winlogbeat","ecs.version":"1.6.0"}