SSL issues with beats input

We’ve currently got numerous Windows servers feeding into Graylog via sidecar-configured winlogbeat. The log entries are showing up properly, which should mean that connections are being made correctly, but the Graylog server logs are rapidly filling with SSL errors. Could somebody help point me to where the issue causing all these errors might be?

Example error messages:

ERROR [AbstractTcpTransport] Error in Input [Beats/5f11ccb5220a9c0a5a0e6a2b] (channel [id: 0xae17782b, L:/<Graylog Server>:5044 ! R:/<Windows Server X>:49280]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER)
ERROR [AbstractTcpTransport] Error in Input [Beats/5f11ccb5220a9c0a5a0e6a2b] (channel [id: 0x2dbc2e1c, L:/<Graylog Server>:5044 ! R:/<Windows Server Y>:54994]) (cause io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: …)

Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   ssl:
     enabled: true
     verification_mode: none
   hosts:
     - graylog1.example.com:5044
     - graylog2.example.com:5044
     - graylog3.example.com:5044
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     ignore_older: 72h
   - name: System
     ignore_older: 72h
   - name: Security
     ignore_older: 72h
   - name: Microsoft-Windows-Sysmon/Operational
     ignore_older: 72h

Beats input configuration:

    bind_address: 0.0.0.0
    no_beats_prefix: false
    number_worker_threads: 8
    override_source: <empty>
    port: 5044
    recv_buffer_size: 1048576
    tcp_keepalive: false
    tls_cert_file: /etc/ssl/certs/cert_file.crt
    tls_client_auth: disabled
    tls_client_auth_cert_file: <empty>
    tls_enable: true
    tls_key_file: /etc/ssl/private/key_file.key
    tls_key_password: ********

Check TLS protocols and ciphers used in config file, or limit it:

So I’ve established a connection with the beats endpoint using

openssl s_client -connect <Graylog Server>:5044 -tls1_2

Which in turn returns this connection information:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

I then added that to the sidecar config (added the hyphen as that’s what elastic docs list as the valid value):

output.logstash:
   ssl:
     enabled: true
     verification_mode: none
     supported_protocols:
        - TLSv1.2
     cipher_suites: 
        - ECDHE-RSA-AES-128-GCM-SHA256

Still getting same errors.
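
To see which remote hosts are producing these errors, and to compare them with the hosts whose events arrive correctly, the error lines quoted in the first post can be tallied per remote address. This is an added example, not part of the thread: the sample lines, addresses and hex are constructed, and `summarize` and `error_kind` are hypothetical helper names.

```python
import re
from collections import Counter, defaultdict

# Shape of the Graylog server.log lines quoted in the thread. Netty prints
# "-" between L: and R: for an open channel and "!" for a closed one.
LINE_RE = re.compile(
    r"Error in Input \[Beats/(?P<input>[0-9a-f]+)\] "
    r"\(channel \[id: 0x[0-9a-f]+, L:/.+? [!-] "
    r"R:/(?P<remote>[^\]]+):(?P<rport>\d+)\]\) \(cause (?P<cause>.*)\)\s*$"
)

def error_kind(cause):
    """Reduce the cause chain to the OpenSSL reason or innermost exception."""
    reason = re.search(r"OPENSSL_internal:(\w+)", cause)
    if reason:
        return reason.group(1)
    names = re.findall(r"\w+Exception\b", cause)
    return names[-1] if names else "unknown"

def summarize(lines, input_id=None):
    """Map each remote host to a Counter of the TLS error kinds it produced."""
    per_host = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or (input_id and m["input"] != input_id):
            continue  # not a Beats transport error, or a different input
        per_host[m["remote"]][error_kind(m["cause"])] += 1
    return dict(per_host)

# Constructed sample lines (addresses and hex are made up, not from the thread).
PREFIX = "ERROR [AbstractTcpTransport] Error in Input [Beats/5f11ccb5220a9c0a5a0e6a2b] "
SAMPLE = [
    PREFIX + "(channel [id: 0xae17782b, L:/10.0.0.5:5044 ! R:/10.0.0.11:49280]) "
    "(cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: "
    "error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER)",
    PREFIX + "(channel [id: 0xae17782c, L:/10.0.0.5:5044 ! R:/10.0.0.11:49302]) "
    "(cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: "
    "error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER)",
    PREFIX + "(channel [id: 0x2dbc2e1c, L:/10.0.0.5:5044 - R:/10.0.0.12:54994]) "
    "(cause io.netty.handler.codec.DecoderException: "
    "io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0102030405)",
    "INFO [InputStateListener] Input [Beats/5f11ccb5220a9c0a5a0e6a2b] is now RUNNING",
]

if __name__ == "__main__":
    for host, kinds in sorted(summarize(SAMPLE).items()):
        print(host, dict(kinds))
```

Hosts that appear in this tally but whose events also show up in Graylog are worth checking first for a second, differently configured sender on the same machine.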
