Winlogbeat ssl to elasticsearch

Followed the encrypting communications between nodes in a cluster and elasticsearch is running but now elasticsearch is not accepting connections from winlogbeat. When I run winlogbeat.exe test config-c winlogbeat.yml I get the error "tls: private key does not match public key"
Running a cluster with 3 nodes all on ubuntu 18. What am I missing?

We need to understand more about your configuration of Elasticsearch and winbeat in order to be able to help you.

It's almost impossible to diagnose a configuration problem when all we have to work with is a single error message.

####################### Elasticsearch.yml ######################
cluster.name: NMHS-Cluster

node.name: elastic

path.data: /var/lib/elasticsearch

path.logs: /var/log/elasticsearch

network.host: 10.14.0.237

http.port: 9200

discovery.seed_hosts: ["10.14.0.237", "10.14.251.27", "10.14.254.155"]

cluster.initial_master_nodes: ["elastic", "elastic2", "elastic3"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12

###################### Winlogbeat Configuration ########################

winlogbeat.event_logs:

  • name: Application
    ignore_older: 72h

  • name: System

  • name: Security
    processors:

    • script:
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
  • name: Microsoft-Windows-Sysmon/Operational
    processors:

    • script:
      lang: javascript
      id: sysmon
      file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
  • name: Windows PowerShell
    event_id: 400, 403, 600, 800
    processors:

    • script:
      lang: javascript
      id: powershell
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  • name: Microsoft-Windows-PowerShell/Operational
    event_id: 4103, 4104, 4105, 4106
    processors:

    • script:
      lang: javascript
      id: powershell
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
  • name: ForwardedEvents
    tags: [forwarded]
    processors:

    • script:
      when.equals.winlog.channel: Security
      lang: javascript
      id: security
      file: ${path.home}/module/security/config/winlogbeat-security.js
    • script:
      when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
      lang: javascript
      id: sysmon
      file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
    • script:
      when.equals.winlog.channel: Windows PowerShell
      lang: javascript
      id: powershell
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
    • script:
      when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
      lang: javascript
      id: powershell
      file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

====================== Elasticsearch template settings =======================

setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false

=================================== Kibana ===================================

Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
This requires a Kibana endpoint configuration.
setup.kibana:

host: "elastic.nmhs.org:5601"

================================== Outputs ===================================

#Configure what output to use when sending the data collected by the beat.

---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:

hosts: ["https://elastic.nmhs.org:9200"]
#ssl.key_passphrase: "Handiman1@3"
#ssl.certificate: 'c:\Program files\winlogbeat\elasticsearch-ca.pem'
#ssl.key: 'c:\Program files\winlogbeat\http-elastic.key'
protocol: "https"

Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "password"

Here are the configurations and the error I'm getting:
[2020-12-09T18:58:49,005][WARN ][o.e.h.AbstractHttpServerTransport] [elastic] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/10.14.0.237:9200, remoteAddress=/10.14.255.186:56816}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.