I have two beats on each server: filebeat and auditbeat. I set up filebeat output to logstash and auditbeat output to elasticsearch. Filebeat encryption works fine. Now I'm setting up auditbeat's encryption.
I have copied this output from filebeat to auditbeat.yml:
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["91.242.11.225:9200"] # Not the real IP
  # Protocol - either `http` (default) or `https`.
  #protocol: "https"
  # Authentication credentials - either API key or username/password.
  #api_key: "id:api_key"
  username: "elastic"
  password: "password" # Not the real password
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]
  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk/beats.crt"
  # Client Certificate Key
  ssl.key: "/etc/elk/beats.key"
  ssl.key_passphrase: "password" # Not the real password
  ssl.verification_mode: full
But when I ngrep, I see it ships data to 9200 unencrypted. Am I missing something? Thanks ahead!
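A config lint for the situation in the post above, as an added example that is not part of the original post: it reports Elasticsearch output hosts that would be reached over plain HTTP even though `ssl.*` options are set. It assumes flat dotted keys as in the posted file, uses a constructed sample with a placeholder host, and takes the scheme rule (a scheme in the host URL, else `protocol`, else the default `http` noted in the config comment) from the Beats Elasticsearch output documentation; the function names are hypothetical.

```python
import re

# Constructed sample mirroring the posted auditbeat.yml (placeholder host, no real secrets).
SAMPLE = '''\
output.elasticsearch:
  hosts: ["es.example.internal:9200"]
  #protocol: "https"
  username: "elastic"
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/elk/ca.crt"]
'''

def output_settings(text, section="output.elasticsearch"):
    """Collect active (uncommented) key/value pairs indented under `section`."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing and indented comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():               # a top-level key opens or closes the section
            inside = line.strip() == section + ":"
            continue
        if inside and ":" in line:
            key, value = line.strip().split(":", 1)
            settings[key.strip()] = value.strip()
    return settings

def effective_schemes(settings):
    """Map each host to its scheme: a scheme in the host URL wins,
    otherwise `protocol`, otherwise the documented default, http."""
    default = settings.get("protocol", "http").strip("\"'").lower()
    hosts = re.findall(r'''["']([^"']+)["']''', settings.get("hosts", ""))
    result = {}
    for host in hosts:
        m = re.match(r"(https?)://", host, re.I)
        result[host] = m.group(1).lower() if m else default
    return result

def plaintext_findings(text):
    """Hosts that would get plain HTTP even though ssl.* options are set."""
    settings = output_settings(text)
    has_ssl = any(k.startswith("ssl.") for k in settings)
    return [h for h, s in effective_schemes(settings).items()
            if s == "http" and has_ssl]

if __name__ == "__main__":
    for host in plaintext_findings(SAMPLE):
        print(f"{host}: ssl.* options set but effective scheme is http")
```

Uncommenting `protocol: "https"` or writing the host as an `https://` URL clears the finding for the sample.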