我找不到此警告的原因(logstash):"Beats协议的版本无效"

ffx8fchx  于 2022-12-09  发布在  Logstash
关注(0)|答案(2)|浏览(1145)

亲爱的Stackoverflow社区:
我想知道为什么我在这个问题上与logstash的赌注:

2021-01-20T01:02:33,444][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2021-01-20T01:02:41,603][INFO ][org.logstash.beats.BeatsHandler][synlite_suricata][input_beats] [local: 10.0.100.12:5044, remote: 10.0.100.1:39666] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
[2021-01-20T01:02:41,614][WARN ][io.netty.channel.DefaultChannelPipeline][synlite_suricata][input_beats] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.30.Final.jar:4.1.30.Final]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
    at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.0.9.jar:?]
    at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.0.9.jar:?]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    ... 8 more
[2021-01-20T01:02:41,637][INFO ][org.logstash.beats.BeatsHandler][synlite_suricata][input_beats] [local: 10.0.100.12:5044, remote: 10.0.100.1:39666] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 3
[2021-01-20T01:02:41,639][WARN ][io.netty.channel.DefaultChannelPipeline][synlite_suricata][input_beats] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.

我找到了类似的主题,但我找不到明确的解释... Logstash beats input "invalid version of beats protocol"Mock an ELK Beat output to Logstash with Postman
我可以共享我的配置:
pipelines.yml:

- pipeline.id: synlite_suricata
  path.config: "/etc/logstash/synlite_suricata/conf.d/*.conf"

- pipeline.id: fallback
  path.config: "/etc/logstash/fallback/conf.d/*.conf"

synlite_suricata输入:

input {
  # Beats
  beats {
    id => "input_beats"
    host => "${SYNLITE_SURICATA_BEATS_HOST}"
    port => "${SYNLITE_SURICATA_BEATS_PORT}"
    client_inactivity_timeout => 180
    ssl => false
    ssl_certificate_authorities => "${SYNLITE_SURICATA_CACERT}"
    ssl_certificate => "${SYNLITE_SURICATA_BEATS_CERT}"
    ssl_key => "${SYNLITE_SURICATA_BEATS_KEY}"
    ssl_verify_mode => "peer"
    ssl_peer_metadata => true
    tls_min_version => 1.2
    cipher_suites => [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" ]

  }
}

和/etc/systemd/system/logstash. service. d/synlite_suricata. conf文件中的系统管理程序变量:

[Service]
# Synesis Lite for Suricata global configuration
Environment="SYNLITE_SURICATA_DICT_PATH=/etc/logstash/synlite_suricata/dictionaries"
Environment="SYNLITE_SURICATA_TEMPLATE_PATH=/etc/logstash/synlite_suricata/templates"
Environment="SYNLITE_SURICATA_GEOIP_DB_PATH=/etc/logstash/synlite_suricata/geoipdbs"
Environment="SYNLITE_SURICATA_GEOIP_CACHE_SIZE=8192"
Environment="SYNLITE_SURICATA_GEOIP_LOOKUP=true"
Environment="SYNLITE_SURICATA_ASN_LOOKUP=true"
Environment="SYNLITE_SURICATA_CLEANUP_SIGS=false"

# Name resolution option
Environment="SYNLITE_SURICATA_RESOLVE_IP2HOST=false"
Environment="SYNLITE_SURICATA_NAMESERVER=127.0.0.1"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_SIZE=25000"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_TTL=900"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_SIZE=75000"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_TTL=3600"

# Elasticsearch connection settings
Environment="SYNLITE_SURICATA_ES_HOST=10.0.100.11"
Environment="SYNLITE_SURICATA_ES_USER=logstash"
Environment="SYNLITE_SURICATA_ES_PASSWD=password"

# Beats input
Environment="SYNLITE_SURICATA_BEATS_HOST=10.0.100.12"
Environment="SYNLITE_SURICATA_BEATS_PORT=5044"

# Certs config
Environment="SYNLITE_SURICATA_CACERT=/etc/logstash/tls/root-ca.crt"
Environment="SYNLITE_SURICATA_BEATS_CERT=/etc/logstash/tls/logstash-input-server.crt"
Environment="SYNLITE_SURICATA_BEATS_KEY=/etc/logstash/tls/logstash-input-server.pk8"
Environment="SYNLITE_SURICATA_ES_KEYSTORE=/etc/logstash/tls/logstash-elasticsearch-output-client.p12"
Environment="SYNLITE_SURICATA_ES_KEYSTORE_PASSWORD=password"

我不知道如何找到与"节拍版本"相关的信息... Logstash-oss 7.8.0
谢谢,等待您的关注

w7t8yxp5

w7t8yxp51#

通常这是由于连接到beats输入的东西不是beats(lumberjack)协议所导致的。输入基本上是说字节流中某个位置的字节有一个它无法理解的值。这可能有很多原因。
要确定原因,您需要找到
远程:10.0.100.1:39666
打开并检查它发送给你的内容。tcpdump可能会有帮助。可能的原因包括(但肯定不限于):

  • 心跳配置为使用SSL,但输入未配置为使用SSL
  • 节拍输入需要SSL,但filebeat未配置SSL
  • 如果您在公司网络上,公司安全人员可能会对每个内部IP地址运行端口扫描,并尝试连接到每个TCP端口(每周可能有数亿个端口),检查它是否响应HTTP或其他一些协议,如果没有适当保护,这些协议可能是安全漏洞。
  • 如果该地址是在互联网上(不太可能,因为它是一个私人地址,但你可能已经混淆了消息),那么我可以保证,Shodan和许多其他人正在端口扫描你。
  • 另一种可能性是注解掉ElasticSearch主机:条目(而不是ElasticSearch:条目),然后取消注解logstash hosts:条目(而不是logstash:这将导致beat尝试与beat输入进行HTTP对话,从而引发此异常。
b1zrtrql

b1zrtrql2#

非常有帮助,谢谢!我将用tcpdump探索。我在一个使用Wireguard tunel的专用网络下。

相关问题