I'm trying to set up ELK at work to centralize our clients' logs. It seems to work fine, but I'm a bit concerned that any of our clients could basically fiddle with the filebeat (or anything else...) config, use the certificates and send false logs to logstash.
I can't figure out a way to guard against that. Any ideas?
I was thinking of just storing the client's IP as seen by logstash, which the shipper shouldn't be able to spoof; that way the worst that could happen would be a client sending wrong info about their own server, which is not a huge deal.
But it doesn't look like there is any way to tell logstash to add a client IP field, and obviously I don't want to trust the shipper's fields like beats.hostname.
Ideally some kind of auth would of course be better, like a username / password per server, and a username field as authenticated by logstash in the document, but that might be asking a bit too much.
This really depends how paranoid you want to be.
You could run auditbeat alongside filebeat, thereby being able to check if someone ran a command that looks like a possible attack, for example.
If I'm not mistaken, that should allow me to have a @metadata.ip_address field that I can trust, which is more than enough. I updated the plugin and I can see the metadata in the debug output, but it doesn't seem to get stored in ES... I imagine I have to configure some option for that?
At worst I guess I could use what's mentioned here: https://www.elastic.co/blog/logstash-metadata
and just add the field by hand.
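The following is an added example pipeline (not posted by anyone in this thread) showing the "add the field by hand" approach from the linked blog post. It assumes a beats input plugin version that populates `[@metadata][ip_address]` with the peer address of the accepted TCP connection; the port, certificate paths, output host and the destination field name `[shipper][source_ip]` are placeholders chosen for the example.

```conf
input {
  beats {
    port => 5044
    ssl => true
    # placeholder paths: substitute the server certificate and key you actually use
    ssl_certificate => "/etc/logstash/certs/logstash.crt"
    ssl_key         => "/etc/logstash/certs/logstash.key"
  }
}

filter {
  # Anything under @metadata is visible inside the pipeline (and in rubydebug output)
  # but is dropped before the event reaches any output, which is why the field never
  # shows up in Elasticsearch. Copying it into a normal field makes it persistent.
  if [@metadata][ip_address] {
    mutate {
      # [shipper][source_ip] is the name chosen for this example; the value is the
      # address Logstash itself observed, not something the shipper put in the event.
      add_field => { "[shipper][source_ip]" => "%{[@metadata][ip_address]}" }
    }
  } else {
    # Flag events where the plugin did not supply a peer address so they can be
    # reviewed rather than silently treated as trusted.
    mutate { add_tag => [ "no_peer_ip" ] }
  }
}

output {
  elasticsearch {
    hosts => [ "localhost:9200" ]   # placeholder
  }
}
```

When querying or alerting, compare `shipper.source_ip` with the shipper-supplied host fields (such as `beat.hostname`) rather than relying on the latter alone; a mismatch between the two is the signal that a client is reporting under another server's name. The recorded address is only as reliable as the network path between the client and Logstash (NAT or a shared egress will collapse several hosts to one IP), so it identifies a source at the level of what Logstash can actually observe, not more.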