Graylog TLS client authentication Unknown beats protocol version

Time:12-14

I want to make the beats input work with TLS client authentication; without it, it works. So I made a custom Graylog image with self-signed certificates:

# Custom image: bake the client CA certificate into the Graylog container
FROM graylog/graylog:4.3
USER root
ADD beat.crt /usr/local/share/ca-certificates/beat.crt
# Make the file world-readable and refresh the OS trust store
# (the command is update-ca-certificates, plural; the original line had a typo).
# Note: the beats input reads tls_client_auth_cert_file directly, so the OS
# trust store is not what the input consults.
RUN chmod 644 /usr/local/share/ca-certificates/beat.crt && update-ca-certificates
# Drop back to the image's unprivileged user so Graylog does not run as root
USER graylog

Next I made a beats input with TLS client auth required:

bind_address: 0.0.0.0
no_beats_prefix: true
number_worker_threads: 80
override_source: <empty>
port: 5044
recv_buffer_size: 1048576
tcp_keepalive: false
tls_cert_file: <empty>
tls_client_auth: required
tls_client_auth_cert_file: /usr/local/share/ca-certificates/beat.crt
tls_enable: false
tls_key_file: <empty>
tls_key_password:********

And I set up Filebeat on another machine; the folder "tls" is added as a volume when running Filebeat in Docker (--volume="/home/filebeat/:/tls"):

output.logstash:
  hosts: ["graylog_ip_here:5044"]
  ssl.certificate_authorities: ["/tls/beat.pem"]
  ssl.certificate: "/tls/beat.crt"
  ssl.key: "/tls/beat.key"

beat.crt looks like this inside; the .pem is the same file:

-----BEGIN CERTIFICATE-----
MIIFVzCCAz gAwIBAgIJALJI6zP

After all this had been set up, I get this error on the Graylog server:

ERROR: org.graylog2.plugin.inputs.transports.AbstractTcpTransport - Error in Input cause io.netty.handler.codec.DecoderException: java.lang.IllegalStateException: Unknown beats protocol version: 3)

CodePudding user response:

As said in the documentation here, you should apply both steps to make it work. The first step is to set up a TLS exchange. The second is for authenticating specific users.

TLS Beats Input

To enable TLS on the input, a certificate (and private key file) is needed. It can be the same certificate as the one for your REST/web interface or a different one, as long as it matches all hostnames of your input. Just reference the files in TLS cert file and TLS private key file in the Beats Input configuration and restart the input.

The ingesting client will verify the presented certificate against its known CA certificates; if that is successful, communication will be established using TLS.

Add client authentication to Beats input

Create one directory (/etc/graylog/server/trusted_clients) that will hold all client certificates you allow to connect to the beats input. This directory must be available on all Graylog servers that have the input enabled. Write that path in the beats input configuration under TLS Client Auth Trusted Certs and select required for the option TLS client authentication.

After this setting is saved, only clients that provide a certificate that is trusted by the CA and is placed inside the configured directory (/etc/graylog/server/trusted_clients) can deliver messages to Graylog.
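The two steps above, worked through end to end as an added example (this script is not from the post, the answer, or Graylog's own documentation). It builds a small private CA, issues a server certificate for the beats input and a client certificate for Filebeat, checks which client certificates chain to the CA (the check that must pass before the trusted_clients directory matters), and prints the input and Filebeat settings that go with those files. The hostname graylog.example.internal, the temporary working directory, and the trusted_clients path under it are assumptions; on a real server the directory is /etc/graylog/server/trusted_clients.

```shell
#!/bin/sh
# Added example, not Graylog's or the poster's code. Hostname and paths are assumed.
set -u
GRAYLOG_HOST="graylog.example.internal"      # assumed hostname of the Graylog server
WORK="${WORK:-$(mktemp -d)}"; mkdir -p "$WORK"
TRUSTED="$WORK/trusted_clients"              # stand-in for /etc/graylog/server/trusted_clients

# Create the CA that signs the server certificate and every allowed client certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Beats Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a CA-signed certificate: $1 = base name, $2 = subject, remaining args = X.509 v3
# extensions, one per argument. `req -newkey -nodes` writes an unencrypted PKCS#8 key,
# which is the private-key format Graylog's inputs expect.
issue_cert() {
  name="$1"; subject="$2"; shift 2
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "$subject" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 || return 1
  printf '%s\n' "$@" > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# Return 0 only if the certificate chains to our CA. The result is read from the
# output text because OpenSSL 1.0 exited with status 0 even on a failed verification.
verify_client_cert() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$'
}

# Copy an allowed client certificate into the directory the input is pointed at.
install_trusted_client() {
  mkdir -p "$TRUSTED" && cp "$1" "$TRUSTED/" && chmod 644 "$TRUSTED/$(basename "$1")"
}

make_ca
# Server cert: SAN must match the hostname Filebeat connects to (step 1 of the answer).
issue_cert server "/CN=$GRAYLOG_HOST" "subjectAltName=DNS:$GRAYLOG_HOST" "extendedKeyUsage=serverAuth"
# Client cert: what Filebeat presents when tls_client_auth is required (step 2).
issue_cert client "/CN=filebeat-host1" "extendedKeyUsage=clientAuth"
# Constructed negative case: a self-signed cert that never touched our CA, i.e. what an
# unauthorised sender would present. It must not verify.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj "/CN=rogue" \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
install_trusted_client "$WORK/client.crt"

verify_client_cert "$WORK/client.crt" && echo "client.crt: trusted"
verify_client_cert "$WORK/rogue.crt"  || echo "rogue.crt: rejected"

cat <<EOF
# Beats input settings (tls_enable must be true, which the posted input had set to false;
# the trusted-certs path is the directory, not a single certificate):
tls_enable: true
tls_cert_file: $WORK/server.crt
tls_key_file: $WORK/server.key
tls_client_auth: required
tls_client_auth_cert_file: $TRUSTED
# Filebeat side: the CA cert verifies Graylog, the client cert+key identify this sender:
output.logstash:
  hosts: ["$GRAYLOG_HOST:5044"]
  ssl.certificate_authorities: ["$WORK/ca.crt"]
  ssl.certificate: "$WORK/client.crt"
  ssl.key: "$WORK/client.key"
EOF
```

Two details from the posted configuration that this separates out: the input in the question had tls_enable set to false, so Filebeat's TLS ClientHello was read as a raw beats frame, which is how the "Unknown beats protocol version" decoder error arises; and ssl.certificate_authorities on the Filebeat side should name the CA that signed the server certificate, while ssl.certificate and ssl.key are the client's own pair, even if with a self-signed setup those happen to be the same file.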