I'm trying to set up ELK at work to centralize our clients' logs. It seems to work fine, but I'm a bit concerned that any of our clients could basically fiddle with the Filebeat (or anything else...) config, use the certificates and send false logs to Logstash.
I can't figure out a way to guard against that. Any ideas?
I was thinking of just storing the client's IP as seen by Logstash, which the shipper shouldn't be able to spoof; that way the worst that could happen would be a client sending wrong info about their own server - not a huge deal.
But it doesn't look like there is any way to tell Logstash to add a client IP field, and obviously I don't want to trust the shipper's field like beats.hostname.
Ideally some kind of auth would of course be better, like a username / password per server, and a username field as authenticated by Logstash in the document, but that might be asking a bit too much.
Thanks for any ideas or tips!
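
Added example, not part of the original post: a receiver-side check that follows the idea above, recording the peer IP and certificate CN as observed on the TLS connection and keeping the shipper's hostname only as a claim. The registry, the field names and `stamp_event` are hypothetical, and it assumes one certificate per client server and a receiver that can pass on the peer IP and CN of each connection.

```python
import ipaddress

# Constructed registry: one certificate CN per client server, with the
# source networks and the hostname that server is expected to report.
REGISTRY = {
    "web01.client-a.example": {"client": "client-a",
                               "networks": ["203.0.113.0/28"],
                               "hostname": "web01"},
    "db01.client-b.example": {"client": "client-b",
                              "networks": ["198.51.100.7/32"],
                              "hostname": "db01"},
}

def stamp_event(event, peer_ip, peer_cn, registry=REGISTRY):
    """Return a copy of event with receiver-observed identity attached.

    peer_ip and peer_cn must come from the TLS connection as seen by the
    receiver, never from the event body.
    """
    out = dict(event)
    # Shipper-controlled values are kept, but only as a claim.
    claimed = out.pop("beat", {}).get("hostname")
    out["claimed_hostname"] = claimed
    out["observed"] = {"ip": peer_ip, "cert_cn": peer_cn}

    entry = registry.get(peer_cn)
    alerts = []
    if entry is None:
        alerts.append("unknown_certificate")
    else:
        out["observed"]["client"] = entry["client"]
        addr = ipaddress.ip_address(peer_ip)
        if not any(addr in ipaddress.ip_network(n) for n in entry["networks"]):
            alerts.append("ip_not_registered_for_cert")
        if claimed != entry["hostname"]:
            alerts.append("hostname_mismatch")
    out["identity_alerts"] = alerts
    return out

if __name__ == "__main__":
    # Constructed event: client-b's server claiming to be client-a's web01.
    spoofed = stamp_event({"message": "login ok", "beat": {"hostname": "web01"}},
                          "198.51.100.7", "db01.client-b.example")
    print(spoofed["observed"], spoofed["identity_alerts"])
```

Documents are then attributed by `observed.client`, so a forged hostname can only mislabel events within the sender's own tenant and is flagged when it does.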