SSL issues with beats input

jsymons · September 16, 2020, 11:03am

We’ve currently got numerous Windows servers feeding into Graylog via sidecar-configured winlogbeat, the log entries are showing up properly which should mean that connections are being made correctly, but the graylog server logs are rapidly filled with SSL errors. Could somebody help point me as to where the issue might be that is causing all the errors?

Example error messages:

ERROR [AbstractTcpTransport] Error in Input [Beats/5f11ccb5220a9c0a5a0e6a2b] (channel [id: 0xae17782b, L:/<Graylog Server>:5044 ! R:/<Windows Server X>:49280]) (cause io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: error:100000f7:SSL routines:OPENSSL_internal:WRONG_VERSION_NUMBER)

ERROR [AbstractTcpTransport] Error in Input [Beats/5f11ccb5220a9c0a5a0e6a2b] (channel [id: 0x2dbc2e1c, L:/<Graylog Server>:5044 ! R:/<Windows Server Y>:54994]) (cause io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 325700000800324300075663785eec7d7b73dbc876a776776667f7eeebee2bef9b20486e325345b21a6f927f5d79644f9cb127ae5837934a9c72416453424c021a0094ac4cf973e58be503a47efd42e34580222553b654e5b244028d7e9cfe9d737ee7f481fdd7474747ffe1e8e88b7ffdd9fc4d1ead689687ab4b736adac42643321edae4d4f2a68e3fb5fd1121e41fcc81f99b15cdc3799887e6f467f38c86b93935afa378999c9fd1303707667e7349cda9f9769ecccc817945d32c4a62736a06237f44cc0f0373999c9bd39fcd25bda24b736a46f1224957611e25b1f96160ae689685e768e1f4821a27cf5e1b3f842b9a5d86339a19194dafa219352ec2ccc8d6b319cdb2c57ab9bc31a238caa37019fd0b9d1bf90535b28b30a57363912ce73435f28b30372e922ccf8cfc821a71b8e20d1a6992e423e3b57ef1d4f83149e6599eccde9d3c7b6d0eccf09cc6393a4c2f2fe88aa6e1f26d3437a7e6626693f1828c8793d9643e741734184ea8b5183a74eeb967ae35a1678e39302f922c8fc31506a41afe7bc71c98ac113798873e21e32121ce62e85a211d4e66f678e8f8f3606611cf5f04b8f68a966771608a59be2e66fec3c0a4b30c1d2daeb646ee88cd39bf0e5fbea337d7493acfcce93f9adf2ec32c8b66e63f0dcccb34b98ae6347d7bbe8e30ba9f839363f7d953f274f8ecc4b5876e80811e1f7bc3f1e449101cdbb63b1e7b1fcc8149af689cb319b15ccf7307664a67493a679ff8be634dec81394b5697eb9ca66f31f3e58918fddd3aa73ffd703c9a252b0c2bccde995313d37e19f1f1b107a0f303737611c63185d0bcbec9728a1b54bf45d32fa3599a64c9221ffe18c5f3e43a1b9e2cb2d75733d5d3b910ddd72f9fb075d7bb8305ff8079c4983059b3644ed5c0e4a3363f6596d230a79842b5899c53cb9b5ac1d473478e37c6267a17c5b8823fe7c38009099ec764c29ecf26eed8a6c3d05bb84397b8c1f06c32391b9e850e71e6d6993b736d73608a016b425599cb8b36c90bd3d94594d359be66c37f3ff6dffaae393013263db25d3e7dc66b9a5ed1d4b089651baff3309e87e91c23a0295f097f648f26362123dbb1acb1f1f575148fdf2ee7e95b9acdd2e47a641312d8f6d00a3cfb1b73609eada325862e6fb12d2ce232cc1749bae20b8e552bc9bc3fc27817e12a5ade68977cf8f08101d87f3c3afa72ba11c05c6b4ac8c89d3898fbdd01ec012142b1ef9bf6530b16149bf0324d66346362915fa4349c4b21f56c32fe30302f21b09e4f3ed4b7bdb3cdb6671b416dcdcb300d5716643b8affeaf4f495f1233d335ea5c9fb1be3789d27c393289b255734bd61c219cd287a8a7b6c736a667972794921a24fa2384c21305e40883f21c47f4a883b262470c53f42886b111278fc6fff19211e81bcf2df035c3b21c47308097c42)

Sidecar configuration:

# Needed for Graylog
fields_under_root: true
fields.collector_node_id: ${sidecar.nodeName}
fields.gl2_source_collector: ${sidecar.nodeId}

output.logstash:
   ssl:
     enabled: true
     verification_mode: none
   hosts:
     - graylog1.example.com:5044
     - graylog2.example.com:5044
     - graylog3.example.com:5044
path:
  data: C:\Program Files\Graylog\sidecar\cache\winlogbeat\data
  logs: C:\Program Files\Graylog\sidecar\logs
tags:
 - windows
winlogbeat:
  event_logs:
   - name: Application
     ignore_older: 72h
   - name: System
     ignore_older: 72h
   - name: Security
     ignore_older: 72h
   - name: Microsoft-Windows-Sysmon/Operational
     ignore_older: 72h

Beats input configuration:

    bind_address: 0.0.0.0
    no_beats_prefix: false
    number_worker_threads: 8
    override_source: <empty>
    port: 5044
    recv_buffer_size: 1048576
    tcp_keepalive: false
    tls_cert_file: /etc/ssl/certs/cert_file.crt
    tls_client_auth: disabled
    tls_client_auth_cert_file: <empty>
    tls_enable: true
    tls_key_file: /etc/ssl/private/key_file.key
    tls_key_password: ********

shoothub · September 16, 2020, 2:12pm

Check TLS protocols and ciphers used in config file, or limit it:

jsymons · September 16, 2020, 3:02pm

So I’ve established a connection with the beats endpoint using

openssl s_client -connect <Graylog Server>:5044 -tls1_2

Which in turn returns this connection information:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256

I then added that to the sidecar config (added the hyphen as that’s what elastic docs list as the valid value):

output.logstash:
   ssl:
     enabled: true
     verification_mode: none
     supported_protocols:
        - TLSv1.2
     cipher_suites: 
        - ECDHE-RSA-AES-128-GCM-SHA256

Still getting same errors.

system · September 30, 2020, 3:02pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Looking for help with some errors we're receiving on our Windows TLS - [AbstractTcpTransport] Graylog Central (peer support)	4	520	October 18, 2023
Graylog beats input TLS enable Error Graylog Central (peer support) sidecar , nxlog , filebeat-linux , nodatanx , send-csv-logsnx , nosendlogfblx	10	5721	November 27, 2017
Winlogbeats andTLS/SSL Confusion Graylog Central (peer support) sidecar , winlogbeat	3	1060	June 4, 2021
File does not contain valid private key Graylog Central (peer support) sidecar	11	2966	December 4, 2019
Graylog TLS Input Graylog Central (peer support)	2	358	November 22, 2023

SSL issues with beats input

Related topics