
Logstash Winlogbeats and SSL #1432

Closed
frankyyyyyyy opened this issue Oct 1, 2020 · 1 comment


frankyyyyyyy commented Oct 1, 2020

I am running SO in a small environment / POC (Standalone mode - 2.2.0-rc.3) and am looking to set up Logstash to require TLS. Not looking to set up MASSL at this stage. I have taken 0009_input_beats.conf and placed it in /opt/so/saltstack/local/salt/logstash/pipelines/config/so with the following content. At this stage I reused the /etc/pki/filebeats certificate and associated /etc/pki/ca.crt.

input {
  beats {
    port => "5044"
    ssl => true
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"
    tags => [ "beat-ext" ]
  }
}

On my test Windows host with Winlogbeats I have set up the winlogbeat.yml file with the following. The ca.crt is a copy of the SO /etc/pki/ca.crt file:

output.logstash:
  enabled: true
  hosts: ["securityonion:5044"]
  worker: 1
  compression_level: 3
  ssl.enabled: true
  ssl.certificate_authorities: ["ca.crt"]

When running Winlogbeats on the client with winlogbeat.exe -e -c winlogbeat.yml -v:

2020-10-01T17:23:13.642+1000    ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://securityonion:5044)): remote error: tls: bad certificate
2020-10-01T17:23:13.642+1000    INFO    [publisher_pipeline_output]     pipeline/output.go:145  Attempting to reconnect to backoff(async(tcp://securityonion:5044)) with 1 reconnect attempt(s)
2020-10-01T17:23:13.642+1000    INFO    [publisher]     pipeline/retry.go:219   retryer: send unwait signal to consumer
2020-10-01T17:23:13.646+1000    INFO    [publisher]     pipeline/retry.go:223     done
2020-10-01T17:23:16.065+1000    ERROR   [publisher_pipeline_output]     pipeline/output.go:154  Failed to connect to backoff(async(tcp://securityonion:5044)): remote error: tls: bad certificate
2020-10-01T17:23:16.065+1000    INFO    [publisher_pipeline_output]     pipeline/output.go:145  Attempting to reconnect to backoff(async(tcp://securityonion:5044)) with 2 reconnect attempt(s)
2020-10-01T17:23:16.065+1000    INFO    [publisher]     pipeline/retry.go:219   retryer: send unwait signal to consumer
2020-10-01T17:23:16.069+1000    INFO    [publisher]     pipeline/retry.go:223     done

SO logs show the following:

[2020-10-01T07:23:13,657][INFO ][org.logstash.beats.BeatsHandler] [local: 0.0.0.0:5044, remote: 192.168.20.116:49804] Handling exception: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
[2020-10-01T07:23:13,657][WARN ][io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) [netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) [netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.49.Final.jar:4.1.49.Final]
        at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Empty server certificate chain
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:313) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:260) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:381) ~[?:?]
        at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:366) ~[?:?]
        at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[?:?]
        at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:?]
        at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runAllDelegatedTasks(SslHandler.java:1542) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1556) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1440) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        ... 17 more

I went down the path of creating new CAs and certificates with the same outcome. Hoping somebody might be able to shed some light.
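The two errors above are one handshake seen from both ends: with `ssl_certificate_authorities` set and `ssl_verify_mode` left at its documented default of `force_peer`, the Logstash beats input demands a client certificate, and a Winlogbeat output that only pins a CA sends none. The following is an added example, not code from the issue or from Security Onion; it cross-checks the two configs posted above (embedded as constructed samples) and flags that mismatch, and the test shows both ways out (a client cert on the beat side, or `ssl_verify_mode => "none"` for server-only TLS):

```python
"""Cross-check a Logstash beats input against a beat's output.logstash block for
the client-certificate mismatch behind this issue. Added example, not code from
the issue or Security Onion; assumes logstash-input-beats' documented default
ssl_verify_mode of "force_peer" and beats' default ssl.verification_mode "full"."""
import re

# Constructed samples: the two configs as posted in the issue.
LOGSTASH_CONF = """
input {
  beats {
    port => "5044"
    ssl => true
    ssl_certificate_authorities => ["/usr/share/filebeat/ca.crt"]
    ssl_certificate => "/usr/share/logstash/filebeat.crt"
    ssl_key => "/usr/share/logstash/filebeat.key"
    tags => [ "beat-ext" ]
  }
}
"""

WINLOGBEAT_YML = """
output.logstash:
  enabled: true
  hosts: ["securityonion:5044"]
  ssl.enabled: true
  ssl.certificate_authorities: ["ca.crt"]
"""


def parse_logstash_beats(conf):
    """Read key => value settings from the first beats { ... } block."""
    body = re.search(r"beats\s*\{(.*?)\n\s*\}", conf, re.S).group(1)
    settings = {}
    for key, val in re.findall(r'(\w+)\s*=>\s*(\[[^\]]*\]|"[^"]*"|\S+)', body):
        settings[key] = re.findall(r'"([^"]*)"', val) if val.startswith("[") else val.strip('"')
    return settings


def parse_beat_output(yml):
    """Minimal reader for the flat keys under output.logstash (no PyYAML needed)."""
    settings, in_block = {}, False
    for line in yml.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):            # a top-level key starts or ends the block
            in_block = line.strip() == "output.logstash:"
            continue
        if in_block:
            key, _, val = line.strip().partition(":")
            val = val.strip()
            settings[key] = re.findall(r'"([^"]*)"', val) if val.startswith("[") else val
    return settings


def diagnose(ls, beat):
    """Return (code, explanation) findings; an empty list means the TLS settings agree."""
    findings = []
    if ls.get("ssl") != "true" and beat.get("ssl.enabled") == "true":
        return [("no_tls_on_server", "beat expects TLS but the Logstash input has ssl disabled")]
    verify = ls.get("ssl_verify_mode", "force_peer")      # plugin default when unset
    wants_client_cert = bool(ls.get("ssl_certificate_authorities")) and verify != "none"
    if wants_client_cert and not ("ssl.certificate" in beat and "ssl.key" in beat):
        findings.append(("client_cert_missing",
            f"Logstash requests a client certificate (CA list set, ssl_verify_mode={verify}) "
            "but the beat has no ssl.certificate/ssl.key: Logstash logs 'Empty server "
            "certificate chain' and the beat sees 'remote error: tls: bad certificate'"))
    if not beat.get("ssl.certificate_authorities") and beat.get("ssl.verification_mode", "full") != "none":
        findings.append(("server_ca_not_pinned",
            "beat trusts only the OS store; a private CA signing the Logstash cert must be listed"))
    return findings


if __name__ == "__main__":
    for code, why in diagnose(parse_logstash_beats(LOGSTASH_CONF), parse_beat_output(WINLOGBEAT_YML)):
        print(f"{code}: {why}")
```

Dropping to `ssl_verify_mode => "none"` gives the server-only TLS the post asks for, but it means any host that trusts the CA can ship events into the pipeline, so the mutual-TLS option is the one to keep once the PoC grows.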

@TOoSmOotH (Contributor)

2.4 no longer uses beats and is replaced by elastic agent.

TOoSmOotH closed this as not planned on Sep 5, 2023.
github-actions bot locked this as resolved and limited conversation to collaborators on Feb 23, 2024.