I cannot find the cause of this warning (logstash): "Invalid version of beats protocol"

Question  Votes: 0  Answers: 3

Dear Stackoverflow community,

I would like to understand why I am getting this problem with Logstash:

[2021-01-20T01:02:33,444][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
[2021-01-20T01:02:41,603][INFO ][org.logstash.beats.BeatsHandler][synlite_suricata][input_beats] [local: 10.0.100.12:5044, remote: 10.0.100.1:39666] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
[2021-01-20T01:02:41,614][WARN ][io.netty.channel.DefaultChannelPipeline][synlite_suricata][input_beats] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext.access$600(AbstractChannelHandlerContext.java:38) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.channel.AbstractChannelHandlerContext$7.run(AbstractChannelHandlerContext.java:353) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897) [netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-all-4.1.30.Final.jar:4.1.30.Final]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 22
    at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.0.9.jar:?]
    at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.0.9.jar:?]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441) ~[netty-all-4.1.30.Final.jar:4.1.30.Final]
    ... 8 more
[2021-01-20T01:02:41,637][INFO ][org.logstash.beats.BeatsHandler][synlite_suricata][input_beats] [local: 10.0.100.12:5044, remote: 10.0.100.1:39666] Handling exception: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 3
[2021-01-20T01:02:41,639][WARN ][io.netty.channel.DefaultChannelPipeline][synlite_suricata][input_beats] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.

I found similar topics, but I could not find a clear explanation... "Logstash beats input 'Invalid version of beats protocol'", "Simulating an ELK Beat output to Logstash with Postman"

I can share my configuration:

pipelines.yml:

- pipeline.id: synlite_suricata
  path.config: "/etc/logstash/synlite_suricata/conf.d/*.conf"

- pipeline.id: fallback
  path.config: "/etc/logstash/fallback/conf.d/*.conf"

synlite_suricata input:

input {
  # Beats
  beats {
    id => "input_beats"
    host => "${SYNLITE_SURICATA_BEATS_HOST}"
    port => "${SYNLITE_SURICATA_BEATS_PORT}"
    client_inactivity_timeout => 180
    ssl => false
    ssl_certificate_authorities => "${SYNLITE_SURICATA_CACERT}"
    ssl_certificate => "${SYNLITE_SURICATA_BEATS_CERT}"
    ssl_key => "${SYNLITE_SURICATA_BEATS_KEY}"
    ssl_verify_mode => "peer"
    ssl_peer_metadata => true
    tls_min_version => 1.2
    cipher_suites => [ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384" ]

  }
}

and the systemd variables in /etc/systemd/system/logstash.service.d/synlite_suricata.conf:

[Service]
# Synesis Lite for Suricata global configuration
Environment="SYNLITE_SURICATA_DICT_PATH=/etc/logstash/synlite_suricata/dictionaries"
Environment="SYNLITE_SURICATA_TEMPLATE_PATH=/etc/logstash/synlite_suricata/templates"
Environment="SYNLITE_SURICATA_GEOIP_DB_PATH=/etc/logstash/synlite_suricata/geoipdbs"
Environment="SYNLITE_SURICATA_GEOIP_CACHE_SIZE=8192"
Environment="SYNLITE_SURICATA_GEOIP_LOOKUP=true"
Environment="SYNLITE_SURICATA_ASN_LOOKUP=true"
Environment="SYNLITE_SURICATA_CLEANUP_SIGS=false"

# Name resolution option
Environment="SYNLITE_SURICATA_RESOLVE_IP2HOST=false"
Environment="SYNLITE_SURICATA_NAMESERVER=127.0.0.1"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_SIZE=25000"
Environment="SYNLITE_SURICATA_DNS_HIT_CACHE_TTL=900"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_SIZE=75000"
Environment="SYNLITE_SURICATA_DNS_FAILED_CACHE_TTL=3600"

# Elasticsearch connection settings
Environment="SYNLITE_SURICATA_ES_HOST=10.0.100.11"
Environment="SYNLITE_SURICATA_ES_USER=logstash"
Environment="SYNLITE_SURICATA_ES_PASSWD=password"

# Beats input
Environment="SYNLITE_SURICATA_BEATS_HOST=10.0.100.12"
Environment="SYNLITE_SURICATA_BEATS_PORT=5044"

# Certs config
Environment="SYNLITE_SURICATA_CACERT=/etc/logstash/tls/root-ca.crt"
Environment="SYNLITE_SURICATA_BEATS_CERT=/etc/logstash/tls/logstash-input-server.crt"
Environment="SYNLITE_SURICATA_BEATS_KEY=/etc/logstash/tls/logstash-input-server.pk8"
Environment="SYNLITE_SURICATA_ES_KEYSTORE=/etc/logstash/tls/logstash-elasticsearch-output-client.p12"
Environment="SYNLITE_SURICATA_ES_KEYSTORE_PASSWORD=password"

I do not know how to look up information related to the "beats version"... Logstash-oss 7.8.0

Thanks, looking forward to your replies

logstash
3 answers
3
votes

Typically this is caused by something connecting to the beats input that does not speak the beats (lumberjack) protocol. The input is basically saying that a byte at some position in the byte stream has a value it does not understand. There can be many causes of this.

To determine the cause, you need to find the program that has

remote: 10.0.100.1:39666

open and inspect what it is sending you. tcpdump may help. Possible causes include (but are of course not limited to):

  • the beat is configured to use SSL, but the input is not

  • the beats input requires SSL, but filebeat is not configured for it

  • if you are on a corporate network, corporate security staff may be running port scans of every internal IP address, trying to connect to every TCP port (possibly hundreds of millions of ports per week) and checking whether it responds to HTTP or some other protocol that could be a security weakness if not properly protected.

  • if the address is on the internet (unlikely, since it is a private address, but you may have obfuscated the message) then I can guarantee that Shodan and many others are port scanning you.

  • another possibility is commenting out the Elasticsearch hosts: entry in filebeat.yml (but not the Elasticsearch: entry) and then uncommenting the Logstash hosts: entry (but not the Logstash: entry). This causes the beat to try to talk HTTP to the beats input, which will raise this exception.
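
A small decoder for the two things the answer asks you to look at, as an added example that is not from the original thread or from the Logstash project: what the number in `Invalid version of beats protocol: N` means, and how to classify the first bytes of a stream captured on the Logstash host with something like `tcpdump -nn -i any -s0 -X 'tcp port 5044 and host 10.0.100.1'` (on 10.0.100.1 itself, `ss -tnp | grep 5044` shows which process owns the connection). It relies on the published formats: a Lumberjack frame opens with the ASCII version byte '1' or '2' (49 or 50) and a frame-type byte; a TLS record opens with a content-type byte (0x16 = handshake) followed by the 0x03 major-version byte; an HTTP request opens with an ASCII method. The assumption, also marked in the code, is that N is the raw first byte the parser read, printed as a signed Java byte. Read that way, the 22 followed by 3 in the question are the first two bytes of a TLS record from the same connection, i.e. the first bullet above; the posted input has `ssl => false`, which makes Logstash read plaintext regardless of the certificate options listed beneath it. The sample inputs are constructed, not captures from the questioner's network.

```python
import struct

# Lumberjack (beats) frame: ASCII version byte, then a frame-type byte.
LUMBERJACK_VERSIONS = {0x31: "1", 0x32: "2"}
LUMBERJACK_TYPES = {
    0x57: "W (window size)",
    0x4A: "J (json payload, v2)",
    0x44: "D (key/value data, v1)",
    0x43: "C (compressed batch)",
    0x41: "A (ack)",
}
# TLS record layer: content type, then the 0x03 major-version byte.
TLS_RECORD_TYPES = {0x14: "change_cipher_spec", 0x15: "alert",
                    0x16: "handshake", 0x17: "application_data"}
HTTP_METHODS = (b"GET ", b"POST", b"PUT ", b"HEAD", b"DELETE", b"OPTIONS", b"PATCH")


def describe_version_byte(logged: int) -> str:
    """Explain one 'Invalid version of beats protocol: N' value.

    Assumption: N is the first byte the parser read, printed as a signed
    Java byte, so values >= 128 appear negative and are folded back here.
    """
    n = logged % 256
    if n in LUMBERJACK_VERSIONS:
        return f"valid Lumberjack version '{LUMBERJACK_VERSIONS[n]}'"
    if n == 0x16:
        return ("0x16 = TLS handshake record type: the client opened a TLS session "
                "against an input that reads plaintext (ssl => false)")
    if n in TLS_RECORD_TYPES:
        return f"0x{n:02x} = TLS {TLS_RECORD_TYPES[n]} record type: the client speaks TLS"
    if n == 0x03:
        return ("0x03 = TLS major-version byte; after a 22 on the same connection "
                "it is the second byte of that TLS record")
    if 0x20 <= n < 0x7F:
        return (f"0x{n:02x} = printable ASCII {chr(n)!r}: a text protocol "
                "(an HTTP request line starts with 'G', 'P', 'H', ...)")
    return f"0x{n:02x}: neither Lumberjack, TLS nor text; capture the stream"


def classify_stream(data: bytes) -> str:
    """Classify a captured connection by the first bytes the client sent."""
    if len(data) < 2:
        return "too short"
    v, t = data[0], data[1]
    if v in LUMBERJACK_VERSIONS and t in LUMBERJACK_TYPES:
        return f"lumberjack v{LUMBERJACK_VERSIONS[v]} frame {LUMBERJACK_TYPES[t]}"
    if v in TLS_RECORD_TYPES and t == 0x03:
        kind = TLS_RECORD_TYPES[v]
        # byte 5 is the handshake message type; 1 = ClientHello
        if v == 0x16 and len(data) > 5 and data[5] == 0x01:
            kind = "handshake/ClientHello"
        return f"TLS {kind} record (client expects ssl => true on the input)"
    if data.startswith(HTTP_METHODS):
        return "HTTP request (a beat pointed at an Elasticsearch-style URL, or a scanner)"
    if data.startswith(b"SSH-"):
        return "SSH banner"
    return "unknown"


def parse_lumberjack_header(data: bytes):
    """Decode the fixed header of a frame; None if it is not a Lumberjack frame."""
    if len(data) < 2 or data[0] not in LUMBERJACK_VERSIONS or data[1] not in LUMBERJACK_TYPES:
        return None
    version, ftype = LUMBERJACK_VERSIONS[data[0]], chr(data[1])
    if ftype in "WCA" and len(data) >= 6:
        (value,) = struct.unpack("!I", data[2:6])
        field = {"W": "window_size", "C": "payload_len", "A": "sequence"}[ftype]
        return version, ftype, {field: value}
    if ftype == "J" and len(data) >= 10:
        seq, plen = struct.unpack("!II", data[2:10])
        return version, ftype, {"sequence": seq, "payload_len": plen,
                                "payload": data[10:10 + plen]}
    if ftype == "D" and len(data) >= 10:
        seq, pairs = struct.unpack("!II", data[2:10])
        return version, ftype, {"sequence": seq, "pair_count": pairs}
    return version, ftype, {}


# Constructed samples, not captures from the questioner's network.
_JSON_PAYLOAD = b'{"msg":"hi"}'
SAMPLES = {
    # TLS 1.0 record header + ClientHello handshake header, zero padded
    "tls_client_hello": bytes.fromhex("16030100c8010000c40303") + b"\x00" * 16,
    "beats_window": b"2W" + struct.pack("!I", 1024),
    "beats_json": b"2J" + struct.pack("!II", 1, len(_JSON_PAYLOAD)) + _JSON_PAYLOAD,
    "http_get": b"GET / HTTP/1.1\r\nHost: 10.0.100.12:5044\r\n\r\n",
}


def java_byte(b: int) -> int:
    """Value Java prints for byte b (0..255) in the exception message."""
    return b - 256 if b >= 128 else b


if __name__ == "__main__":
    for n in (22, 3, 69):
        print(f"logged {n:>4}: {describe_version_byte(n)}")
    for name, raw in SAMPLES.items():
        print(f"{name:17} first byte {java_byte(raw[0]):>4} -> {classify_stream(raw)}")
```

Run it directly to see each sample classified; for a real connection, feed the first bytes from the tcpdump `-X` dump to `classify_stream`. A value that decodes to a printable letter (such as the 69, 'E', in the later reply) is reported as a text protocol to inspect rather than guessed at further, because one byte is not enough to name it.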


0
votes

Very helpful, thanks! I will explore with tcpdump. I am on a private network using a WireGuard tunnel.


0
votes

I am facing a similar issue and currently have no idea what the possible cause is. I have deployed a logstash pod in a private Kubernetes environment. Whatever you found out in the time since you posted this question would help me a lot. Looking forward to your input.

This is the log I am seeing.

2023-11-29T14:25:37.670130118Z     at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:393) ~[netty-codec-4.1.93.Final.jar:4.1.93.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:376) ~[netty-codec-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670136694Z     at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:305) ~[netty-transport-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670140034Z     at io.netty.channel.AbstractChannelHandlerContext.access$300(AbstractChannelHandlerContext.java:61) ~[netty-transport-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670143579Z     at io.netty.channel.AbstractChannelHandlerContext$4.run(AbstractChannelHandlerContext.java:286) ~[netty-transport-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670146813Z     at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) ~[netty-common-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670150069Z     at io.netty.util.concurrent.DefaultEventExecutor.run(DefaultEventExecutor.java:66) ~[netty-common-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670153337Z     at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670156577Z     at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.93.Final.jar:4.1.93.Final]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [netty-common-4.1.93.Final.jar:4.1.93.Final]
2023-11-29T14:25:37.670163301Z     at java.lang.Thread.run(Thread.java:833) [?:?]
2023-11-29T14:25:37.670166501Z Caused by: org.logstash.beats.InvalidFrameProtocolException: Invalid version of beats protocol: 69
2023-11-29T14:25:37.670169696Z     at org.logstash.beats.Protocol.version(Protocol.java:22) ~[logstash-input-beats-6.6.1.jar:?]
    at org.logstash.beats.BeatsParser.decode(BeatsParser.java:62) ~[logstash-input-beats-6.6.1.jar:?]
2023-11-29T14:25:37.670176195Z     at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) ~[netty-codec-4.1.93.Final.jar:4.1.93.Final]
