Winlogbeat issue with ca_trusted_fingerprint keystore


I am new to setting up the ELK stack and am currently working in a lab environment to understand the setup before moving to production. Everything is on 8.0.

The problem I am having with Winlogbeat is that when I have a keystore variable in place for the CA fingerprint, the service will not start and an error is thrown in the logs. If I change it to be plaintext of the fingerprint, it works fine. Oddly enough, if I run winlogbeat setup -e with the variable in place, it connects and works fine. The winlogbeat service is running as the same user I am using to set the keystores. I am also having similar problems with keystores in filebeat, but I want to focus on this for now and will circle back.

Any thoughts on what I am doing wrong?

My config file:

  # Array of hosts to connect to.
  hosts: ["https://ServerName:9200"]

  # Protocol - either `http` (default) or `https`.
  protocol: "https"

  # Authentication credentials - either API key or username/password.
  username: "winlogbeat_user"
  password: "${ES_PWD}"
  ssl.enabled: true
  ssl.ca_trusted_fingerprint: "${CA_FP}"

Winlogbeat error:

{"log.level":"error","@timestamp":"2022-03-01T15:21:50.452-0500","log.origin":{"":"instance/beat.go","file.line":1025},"message":"Exiting: error initializing publisher: missing field accessing 'output.Elasticsearch.ssl.ca_trusted_fingerprint' (source:'C:\Program Files\Winlogbeat\winlogbeat.yml') accessing 'output.Elasticsearch' (source:'C:\Program Files\Winlogbeat\winlogbeat.yml')","":"winlogbeat","ecs.version":"1.6.0"}

Winlogbeat setup -e working:

tls_config.go","file.line":163},"message":"'ca_trusted_fingerprint' set, looking for matching fingerprints","service.nam
tls_config.go","file.line":174},"message":"CA certificate matching 'ca_trusted_fingerprint' found, adding it to 'certifi

Is there anyone with any ideas? I am really lost at this point. Have searched around quite a bit and haven't found this particular message anywhere.
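Added example, not part of the original post and not Elastic's code: a pre-flight check that reports which `${...}` references in a Beats config cannot be resolved from a given set of keystore keys and environment variables, along with the dotted setting path each one sits under. It assumes the "missing field" error above corresponds to a reference the service process could not resolve; the `output.elasticsearch:` header line in the sample, the function name and the key sets are constructed for illustration.

```python
import re

# ${NAME} or ${NAME:default}; a reference with a default never fails to resolve.
REF = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(:[^}]*)?\}")
KEY = re.compile(r"^(\s*)([A-Za-z_][\w.]*):\s*(.*)$")

# Constructed sample. The "output.elasticsearch:" header is an assumption;
# the settings under it are the ones shown in the post.
SAMPLE_CONFIG = '''\
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["https://ServerName:9200"]
  protocol: "https"
  username: "winlogbeat_user"
  password: "${ES_PWD}"
  ssl.enabled: true
  ssl.ca_trusted_fingerprint: "${CA_FP}"
'''

def unresolved_refs(config_text, keystore_keys, env):
    """Return [(setting_path, var_name)] for references nothing can resolve.

    Handles only simple indented "key: value" YAML, which is enough for a
    typical Beats output section; full-line comments are skipped.
    """
    stack = []    # (indent, key) for each enclosing mapping
    missing = []
    for raw in config_text.splitlines():
        m = KEY.match(raw)
        if raw.lstrip().startswith("#") or not m:
            continue
        indent, key, value = len(m.group(1)), m.group(2), m.group(3)
        # Leave any mapping that is at the same depth or deeper than this key.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key))
        path = ".".join(k for _, k in stack)
        for name, default in REF.findall(value):
            if default or name in keystore_keys or name in env:
                continue
            missing.append((path, name))
    return missing

if __name__ == "__main__":
    # Constructed scenario: the keystore the service reads holds only ES_PWD.
    for path, name in unresolved_refs(SAMPLE_CONFIG, {"ES_PWD"}, {}):
        print(f"{path}: ${{{name}}} not in keystore or environment")
```

The keystore key set would come from the output of `winlogbeat keystore list`, run with the same path settings and account the service uses.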
