Sidecars won't work after setting up https

Weasel · July 15, 2021, 8:47am

Hi,

I recently added a self signed certificate for https to my Graylog server using the Graylog docs ( Using HTTPS — Graylog 4.0.0 documentation ). After that my Sidecars stopped showing up on the web interface. So I edited the config to:

output.logstash:
   hosts: ["https://192.168.***.***:5044"]

Now the status of my sidecars says “running”. But they wont send any logs.

-----CONFIGS----
I didn’t change much but here they are.

-Winlogbeat Collector Configuration

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   hosts: ["https://192.168.***.***:5044"]

path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
   - name: System
   - name: Security

-INPUT for winlogbeat

    bind_address: 0.0.0.0
    no_beats_prefix: false
    number_worker_threads:4
    override_source:<empty>
    port: 5044
    recv_buffer_size:1048576
    tcp_keepalive: false
    tls_cert_file: /etc/graylog/cert.pem
    tls_client_auth: disabled
    tls_client_auth_cert_file:  <empty>
    tls_enable: true
    tls_key_file: /etc/graylog/pkcs8-encrypted.pem
    tls_key_password: ********

I also get that error message in my graylog server log:

Thank you in advance!

Weasel · July 16, 2021, 7:46am

I should have mentioned that I worked myself through many configs for my collectors.
Even with ssl.enabled: true verification_mode: none my sidecars won’t send logs to Graylog. Or might it be an issue with elasticsearch?

Do I have to add my self signed cert to my Sidecar configuration? (See Configure SSL | Filebeat Reference [7.13] | Elastic )

gsmith · July 17, 2021, 4:04am

Hello

I just started using Beats ( winlogbeat, metricbeat, etc…)

I’m not sure about sidecar in graylog but I do know for my winlogbeat I did have to add my cert’s

It’s not filebeat but I did have to add certs to connect to my INPUT on graylog.

output.logstash:
  hosts: ["https://elastic-stack.enseva-labs.net:5044"]
  username: "admin"
  password: "admin"
  server.ssl.enabled: true
  ssl.certificate_authorities: 'C:\Program Files\winlogbeat\root-ca.pem'
  server.ssl.certificate: 'C:\Program Files\winlogbeat\admin.pem'
  server.ssl.key: 'C:\Program Files\winlogbeat\admin-key.pem'

Hope that helps

Weasel · July 19, 2021, 1:17pm

Hi gsmith,

ssl.certificate_authorities: 'C:\Program Files\winlogbeat\root-ca.pem'

was missing on my end here. Thank you so much!

Topic		Replies	Views
Winlogbeats andTLS/SSL Confusion Graylog Central (peer support) sidecar , winlogbeat	3	1053	June 4, 2021
Beats insecure TLS Graylog Central (peer support) sidecar , winlogbeat	3	1170	March 28, 2019
TLS with Winlogbeats sidecar? Graylog Central (peer support) sidecar , winlogbeat	1	569	August 18, 2020
Securing Sidecar/beats communication Graylog Central (peer support) sidecar	10	2541	January 31, 2022
I can't see winlogbeat logs Graylog Central (peer support) sidecar , filebeat-windows , winlogbeat	19	4996	July 6, 2021

Sidecars won't work after setting up https

Related Topics