Authenticating clients - beats


I'm trying to setup ELK at work to centralize our client's logs. It seems to work fine, but I'm a bit concerned that any of our client could basically fiddle with the filebeats (or anything else ..) config, use the certificates and send false logs to logstash.
I can't figure out a way against that, any ideas ?

I was thinking of just storing the client's IP as seen by logstash, which the shipper shouldn't be able to spoof, that way the worse that could happen would be a client sending wrong info about their own server - not a huge deal.
But it doesn't look like there is any way to tell logstash to add a client IP field, and obviously I don't want to trust the shipper's field like beats.hostname.

Ideally some kind of auth would of course be better, like a username / password per server, and a username field as authenticaed by logstash in the document, but that might be asking a bit too much.

Thanks for any ideas or tips !

FYI we’ve renamed ELK to the Elastic Stack, otherwise Beats feels left out :wink:

You can use TLS/SSL auth - But again, that doesn't stop possible injection attacks.

This really depends how paranoid you want to be.
You could run auditbeat alongside filebeat, thereby being able to check if someone ran a command that looks like a possibly attack, for example.


Well I don't really care if someone injects stuff, as long as I can tell.
I'm trying to use this :

If I'm not mistaken, that should allow me to have a @metadata.ip_address field that I can trust, which is more than enough. I updated the plugin and I can see the metadata in the debug output, but it doesn't seem to get stored in ES .. I imagine I have to configure some option for that ?
At worse I guess I could use what's mentionned here :
and just add the field by hand.

@metadata fields are explicitly not carried through to the output, you will need to convert it into a "normal" field.

Allright, I understand.
For reference I added this to my logstash :

add_field => { "@metadata.ip_address" => "%{[@metadata][ip_address]}" }

Looks like it works okay after a few minutes testing.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.