Graylog TLS client authentication Unknown beats protocol version

I want to make beat input work with TLS client authentication without it works So I made custom graylog image with selfsigned certificates

FROM graylog/graylog:4.3
USER root
ADD beat.crt /usr/local/share/ca-certificates/beat.crt
RUN chmod 644 /usr/local/share/ca-certificates/beat.crt && update-ca-certificate

Next I made beat input with tls auth requared

bind_address: 0.0.0.0
no_beats_prefix: true
number_worker_threads: 80
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: required
tls_client_auth_cert_file: /usr/local/share/ca-certificates/beat.crt
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

And set filebeat on another machine folder “tls” added as volume when running filebeat in docker --volume=“/home/filebeat/:/tls”

output.logstash:
hosts: ["graylog_ip_here:5044"]
ssl.certificate_authorities: ["/tls/beat.pem"]
ssl.certificate: "/tls/beat.crt"
ssl.key: "/tls/beat.key"

beat crt look inside like so pem is the same file

-----BEGIN CERTIFICATE-----
MIIFVzCCAz+gAwIBAgIJALJI6zP

After all this had been set I’m getting error on graylog server

ERROR: org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Error in Input cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 3)

Hey @bdssultan && Welcome

Another member had issue like this here as for your INPUT

the tls_cert_file Is missing, plus ensure Graylog has access to those certs , make sure the permsiion are good.

Example:

image603×823 26.6 KB

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.