ERROR: Failed to connect to remote HELK server

Describe the problem

I'm trying to send logs from a windows machine via winlogbeat to the HELK (UBUNTU).

I've set everything as listed step by step:

For server: https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_98.html

For windows Client machine: https://cyberwardog.blogspot.com/2017/02/setting-up-pentesting-i-mean-threat_87.html

I'm not able to add the winlogbeat-* in Index pattern in Kibana, I've checked winlogbeat logs and I can see this error:

ERROR pipeline/output.go:100 Failed to connect to backoff(async(tcp://192.168.2.211:5044)): read tcp 192.168.2.24:52545->192.168.2.211:5044: wsarecv: An existing connection was forcibly closed by the remote host.

Provide the output of the following commands

Get operating system and version for linux (except Mac) use:
cat /etc/os-release
for Mac/OSX use:
sw_vers
Get disk space, memory, processor cores, and docker storage
echo -e "\nDocker Space:" && df -h /var/lib/docker; echo -e "\nMemory:" && free -g; echo -e "\nCores:" && getconf _NPROCESSORS_ONLN
Get output of the HELK docker containers:
docker ps --filter "name=helk"

NAME="Ubuntu"
VERSION="18.04.4 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.4 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

Docker Space:
df: /var/lib/docker: No such file or directory

Memory:
              total        used        free      shared  buff/cache   available
Mem:              7           4           1           0           1           2
Swap:             1           0           1

Cores:
2

docker ps --filter "name=helk"

Command 'docker' not found, but can be installed with:

sudo snap install docker     # version 18.09.9, or
sudo apt  install docker.io

See 'snap info docker' for additional versions.

Provide the HELK installation logs located at /var/log/helk-install.log if you are having install errors

The file is empty

What version of HELK are you using

run the command from within the HELK root directory cat .git/refs/heads/master
and include what date you cloned the HELK repo


24/3/2020

What version of Winlogbeat are you using if you are using Windows/WEF logs

winlogbeat-7.6.1-windows-x86_64

Some of the winlogbeat logs:

2020-04-02T16:21:58.983+0300    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://192.168.2.211:5044)): read tcp 192.168.2.24:52545->192.168.2.211:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2020-04-02T16:21:58.983+0300    INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://192.168.2.211:5044)) with 2053 reconnect attempt(s)
2020-04-02T16:22:17.785+0300    INFO    [monitoring]    log/log.go:145  Non-zero metrics in the last 30s    {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":73031},"total":{"ticks":112609,"value":112609},"user":{"ticks":39578}},"handles":{"open":280},"info":{"ephemeral_id":"0e6da9be-8ff7-4d93-9e6d-6fbe13fb3490","uptime":{"ms":92670081}},"memstats":{"gc_next":66386592,"memory_alloc":33351160,"memory_total":383318224,"rss":-1761280},"runtime":{"goroutines":32}},"libbeat":{"config":{"module":{"running":0}},"output":{"read":{"errors":1},"write":{"bytes":241}},"pipeline":{"clients":4,"events":{"active":4120,"retry":2048}}}}}}
2020-04-02T16:22:36.387+0300    ERROR   pipeline/output.go:100  Failed to connect to backoff(async(tcp://192.168.2.211:5044)): read tcp 192.168.2.24:52546->192.168.2.211:5044: wsarecv: An existing connection was forcibly closed by the remote host.
2020-04-02T16:22:36.388+0300    INFO    pipeline/output.go:93   Attempting to reconnect to backoff(async(tcp://192.168.2.211:5044)) with 2054 reconnect attempt(s)
2020-04-02T16:22:47.783+0300    INFO    [monitoring]    log/log.go:145  Non-zero metrics in the last 30s    {"monitoring": {"metrics": {"beat":{"cpu":{"system":{"ticks":73093,"time":{"ms":62}},"total":{"ticks":112671,"time":{"ms":62},"value":112671},"user":{"ticks":39578}},"handles":{"open":280},"info":{"ephemeral_id":"0e6da9be-8ff7-4d93-9e6d-6fbe13fb3490","uptime":{"ms":92700080}},"memstats":{"gc_next":66386592,"memory_alloc":33195152,"memory_total":383377608,"rss":40177664},"runtime":{"goroutines":32}},"libbeat":{"config":{"module":{"running":0}},"output":{"read":{"errors":1},"write":{"bytes":241}},"pipeline":{"clients":4,"events":{"active":4120,"retry":2048}}}}}}

What steps did you take trying to fix the issue

After A long search I realized that this issue is related to TLS/SSL

I've recreated new cert and key: sudo openssl req -subj '/CN=elk-server/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout ssl/logstash-forwarder.key -out ssl/logstash-forwarder.crt

Copied the contents of the logstash-forwarder.crt to the windows machine

Restarted winlogbeat process, the hole machine, the whole ubuntu environment HELK resides on.

Tested the config yml file for both the HELK and winlogbeat on : http://www.yamllint.com/ (no errors)

How could we replicate the issue

Any additionally code or log context you would like to provide

winlogbeat.yml 

###################### Winlogbeat Configuration Example ########################

# This file is an example configuration file highlighting only the most common
# options. The winlogbeat.reference.yml file from the same directory contains
# all the supported options with more comments. You can use it as a reference.
#
# You can find the full configuration reference here:
# https://www.elastic.co/guide/en/beats/winlogbeat/index.html

#======================= Winlogbeat specific options ===========================

# event_logs specifies a list of event logs to monitor as well as any
# accompanying options. The YAML data type of event_logs is a list of
# dictionaries.
#
# The supported keys are name (required), tags, fields, fields_under_root,
# forwarded, ignore_older, level, event_id, provider, and include_xml. Please
# visit the documentation for the complete details of each option.
# https://go.es.io/WinlogbeatConfig
winlogbeat.event_logs:
  - name: Application
    ignore_older: 72h

  - name: System

  - name: Security
    processors:
      - script:
          lang: javascript
          id: security
          file: ${path.home}/module/security/config/winlogbeat-security.js

  - name: Microsoft-Windows-Sysmon/Operational
    processors:
      - script:
          lang: javascript
          id: sysmon
          file: ${path.home}/module/sysmon/config/winlogbeat-sysmon.js

#==================== Elasticsearch template settings ==========================

setup.template.settings:
  index.number_of_shards: 1
  #index.codec: best_compression
  #_source.enabled: false

#================================ General =====================================

# The name of the shipper that publishes the network data. It can be used to group
# all the transactions sent by a single shipper in the web interface.
#name:

# The tags of the shipper are included in their own field with each
# transaction published.
#tags: ["service-X", "web-tier"]

# Optional fields that you can specify to add additional information to the
# output.
#fields:
#  env: staging

#============================== Dashboards =====================================
# These settings control loading the sample dashboards to the Kibana index. Loading
# the dashboards is disabled by default and can be enabled either by setting the
# options here or by using the `setup` command.
#setup.dashboards.enabled: false

# The URL from where to download the dashboards archive. By default this URL
# has a value which is computed based on the Beat name and version. For released
# versions, this URL points to the dashboard archive on the artifacts.elastic.co
# website.
#setup.dashboards.url:

#============================== Kibana =====================================

# Starting with Beats version 6.0.0, the dashboards are loaded via the Kibana API.
# This requires a Kibana endpoint configuration.
setup.kibana:

  # Kibana Host
  # Scheme and port can be left out and will be set to the default (http and 5601)
  # In case you specify and additional path, the scheme is required: http://localhost:5601/path
  # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601
  #host: "localhost:5601"

  # Kibana Space ID
  # ID of the Kibana Space into which the dashboards should be loaded. By default,
  # the Default Space will be used.
  #space.id:

#============================= Elastic Cloud ==================================

# These settings simplify using Winlogbeat with the Elastic Cloud (https://cloud.elastic.co/).

# The cloud.id setting overwrites the `output.elasticsearch.hosts` and
# `setup.kibana.host` options.
# You can find the `cloud.id` in the Elastic Cloud web UI.
#cloud.id:

# The cloud.auth setting overwrites the `output.elasticsearch.username` and
# `output.elasticsearch.password` settings. The format is `<user>:<pass>`.
#cloud.auth:

#================================ Outputs =====================================

# Configure what output to use when sending the data collected by the beat.

#-------------------------- Elasticsearch output ------------------------------
#output.elasticsearch:
  # Array of hosts to connect to.
  #hosts: ["localhost:9200"]

  # Protocol - either `http` (default) or `https`.
  #protocol: "https"

  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  #username: "elastic"
  #password: "changeme"

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["192.168.2.211:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ['C:\Tools\ELK\certs\logstash-forwarderN.crt']

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/pki/client/cert.pem"

  # Client Certificate Key
  #ssl.key: "/etc/pki/client/cert.key"

#================================ Processors =====================================

# Configure processors to enhance or manipulate events generated by the beat.

processors:
  - add_host_metadata: ~
  - add_cloud_metadata: ~
  - add_docker_metadata: ~

#================================ Logging =====================================

# Sets log level. The default log level is info.
# Available log levels are: error, warning, info, debug
#logging.level: debug

# At debug level, you can selectively enable logging only for some components.
# To enable all selectors use ["*"]. Examples of other selectors are "beat",
# "publish", "service".
#logging.selectors: ["*"]

#============================== X-Pack Monitoring ===============================
# winlogbeat can export internal metrics to a central Elasticsearch monitoring
# cluster.  This requires xpack monitoring to be enabled in Elasticsearch.  The
# reporting is disabled by default.

# Set to true to enable the monitoring reporter.
#monitoring.enabled: false

# Sets the UUID of the Elasticsearch cluster under which monitoring data for this
# Winlogbeat instance will appear in the Stack Monitoring UI. If output.elasticsearch
# is enabled, the UUID is derived from the Elasticsearch cluster referenced by output.elasticsearch.
#monitoring.cluster_uuid:

# Uncomment to send the metrics to Elasticsearch. Most settings from the
# Elasticsearch output are accepted here as well.
# Note that the settings should point to your Elasticsearch *monitoring* cluster.
# Any setting that is not set is automatically inherited from the Elasticsearch
# output configuration, so if you have the Elasticsearch output configured such
# that it is pointing to your Elasticsearch monitoring cluster, you can simply
# uncomment the following line.
#monitoring.elasticsearch:

#================================= Migration ==================================

# This allows to enable 6.7 migration aliases
#migration.6_to_7.enabled: true

HELK conf:
sudo nano /etc/logstash/conf.d/first-pipeline.conf 

input {
    beats {
        port => 5044
        add_field => { "[@metadata][source]" => "winlogbeat"}
        ssl => true
        ssl_certificate => "/etc/logstash/ssl/logstash-forwarderN.crt"
        ssl_key => "/etc/logstash/ssl/logstash-forwarderN.key"

    }
}
# The filter part of this file is commented out to indicate that it is
# optional.
# filter {
#
# }
output {

    elasticsearch {
      hosts => "localhost:9200"
      manage_template => false
      index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
      document_type => "%{[@metadata][type]}"
    }
}

Any additional context or input you have

Testing the certificate:

curl -v --cacert logstash-forwarderN.crt https://192.168.2.211:5044

curl -v --cacert logstash-forwarderN.crt https://192.168.2.211:5044
* Rebuilt URL to: https://192.168.2.211:5044/
*   Trying 192.168.2.211...
* TCP_NODELAY set
* Connected to 192.168.2.211 (192.168.2.211) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: logstash-forwarderN.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.2.211:5044 
* stopped the pause stream!
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to 192.168.2.211:5044

Ports:

netstat -anp|grep 5044
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
tcp6       0      0 :::5044                 :::*                    LISTEN

netstat -antp
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5601          0.0.0.0:*               LISTEN      -                   
tcp        0      0 192.168.2.211:38530     52.34.225.30:443        ESTABLISHED 12801/firefox       
tcp        0      0 127.0.0.1:38278         127.0.0.1:9200          ESTABLISHED -                   
tcp        0      0 127.0.0.1:38280         127.0.0.1:9200          ESTABLISHED -                   
tcp        0      0 127.0.0.1:38282         127.0.0.1:9200          ESTABLISHED -                   
tcp6       0      0 127.0.0.1:9200          :::*                    LISTEN      -                   
tcp6       0      0 :::5044                 :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:9300          :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:9600          :::*                    LISTEN      -                   
tcp6       0      0 127.0.0.1:9200          127.0.0.1:38282         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:9200          127.0.0.1:38284         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:9200          127.0.0.1:38278         ESTABLISHED -                   
tcp6       0      0 127.0.0.1:38284         127.0.0.1:9200          ESTABLISHED -                   
tcp6       0      0 127.0.0.1:9200          127.0.0.1:38280         ESTABLISHED -

pictures, comments, etc.

Cyb3rWard0g / HELK