Winlogbeat ssl to elasticsearch

ChrisDaniels · December 8, 2020, 7:14pm

Followed the encrypting communications between nodes in a cluster and elasticsearch is running but now elasticsearch is not accepting connections from winlogbeat. When I run winlogbeat.exe test config-c winlogbeat.yml I get the error "tls: private key does not match public key"
Running a cluster with 3 nodes all on ubuntu 18. What am I missing?

TimV · December 9, 2020, 12:53am

We need to understand more about your configuration of Elasticsearch and winbeat in order to be able to help you.

It's almost impossible to diagnose a configuration problem when all we have to work with is a single error message.

ChrisDaniels · December 10, 2020, 12:59am

####################### Elasticsearch.yml ######################
cluster.name: NMHS-Cluster

node.name: elastic

path.data: /var/lib/elasticsearch

path.logs: /var/log/elasticsearch

network.host: 10.14.0.237

http.port: 9200

discovery.seed_hosts: ["10.14.0.237", "10.14.251.27", "10.14.254.155"]

cluster.initial_master_nodes: ["elastic", "elastic2", "elastic3"]

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: /etc/elasticsearch/http.p12

###################### Winlogbeat Configuration ########################

winlogbeat.event_logs:

name: Application
ignore_older: 72h
name: System
name: Security
processors:
- script:
  lang: javascript
  id: security
  file: ${path.home}/module/security/config/winlogbeat-security.js
name: Microsoft-Windows-Sysmon/Operational
processors:
- script:
  lang: javascript
  id: sysmon
  file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
name: Windows PowerShell
event_id: 400, 403, 600, 800
processors:
- script:
  lang: javascript
  id: powershell
  file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
name: Microsoft-Windows-PowerShell/Operational
event_id: 4103, 4104, 4105, 4106
processors:
- script:
  lang: javascript
  id: powershell
  file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
name: ForwardedEvents
tags: [forwarded]
processors:
- script:
  when.equals.winlog.channel: Security
  lang: javascript
  id: security
  file: ${path.home}/module/security/config/winlogbeat-security.js
- script:
  when.equals.winlog.channel: Microsoft-Windows-Sysmon/Operational
  lang: javascript
  id: sysmon
  file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js
- script:
  when.equals.winlog.channel: Windows PowerShell
  lang: javascript
  id: powershell
  file: ${path.home}/module/powershell/config/winlogbeat-powershell.js
- script:
  when.equals.winlog.channel: Microsoft-Windows-PowerShell/Operational
  lang: javascript
  id: powershell
  file: ${path.home}/module/powershell/config/winlogbeat-powershell.js

====================== Elasticsearch template settings =======================

setup.template.settings:
index.number_of_shards: 1
#index.codec: best_compression
#_source.enabled: false

=================================== Kibana ===================================

Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
This requires a Kibana endpoint configuration.
setup.kibana:

host: "elastic.nmhs.org:5601"

================================== Outputs ===================================

#Configure what output to use when sending the data collected by the beat.

---------------------------- Elasticsearch Output ----------------------------
output.elasticsearch:

hosts: ["https://elastic.nmhs.org:9200"]
#ssl.key_passphrase: "Handiman1@3"
#ssl.certificate: 'c:\Program files\winlogbeat\elasticsearch-ca.pem'
#ssl.key: 'c:\Program files\winlogbeat\http-elastic.key'
protocol: "https"

Authentication credentials - either API key or username/password.
#api_key: "id:api_key"
username: "elastic"
password: "password"

Here are the configurations and the error I'm getting:
[2020-12-09T18:58:49,005][WARN ][o.e.h.AbstractHttpServerTransport] [elastic] caught exception while handling client http traffic, closing connection Netty4HttpChannel{localAddress=/10.14.0.237:9200, remoteAddress=/10.14.255.186:56816}

system · January 7, 2021, 12:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
●[TLS] Question: Secure communication between Winlogbeat/ElasticSearch causes an error Beats elastic-stack-security , winlogbeat	3	315	February 9, 2024
Winlogbeat secure connection Beats winlogbeat	3	628	September 25, 2020
More crypto problems with Elasticsearch Beats winlogbeat	1	429	August 27, 2019
How to connect Winlogbeat to Elasticsearch dockrized Cluster using SSL? Beats elastic-stack-security , docker , winlogbeat	2	628	March 24, 2021
How to connect Winlogbeat to Elasticsearch using SSL? Beats winlogbeat	2	692	September 14, 2022

Winlogbeat ssl to elasticsearch

Related topics