Best practice to make sure clients' logs are written to the correct client's index

Hi,

I want to ask for best practice for following problem:

  1. You have different clients and you ship your logs using Filebeat to Logstash.

  2. You want to separate the clients into different indices and you have a filter for that in your Logstash pipeline.

  3. You issue a self-signed certificate to your clients to make sure only allowed clients are talking to your Logstash.

Problem: How do you prevent a client from sending its logs to another client's index?

  1. The client can manipulate the logs and provide a variable which makes Logstash redirect its logs to a different index, because in the filter you separate the logs based on this variable.

  2. Even if you define different pipelines for all your clients and use different users (which are allowed to write into each client's indices) for the output in your Logstash pipelines, you cannot prevent a client from just sending its logs to a different port (used by another customer) and writing logs into another client's index, because it is authenticated with the correct certificates.

Do you have any ideas how to solve this security risk? Maybe I am not seeing something really obvious?

Thanks

Use a different certificate for each client?

Thanks for your reply.

Yeah, as far as I understood, the client certificate is used for authentication.

So I can only make sure that the client who is sending to Logstash is trusted, because I gave him the certificate. But I cannot prevent the client from changing, for example, his Filebeat configuration and just adding a different port. This would lead his Filebeat to ship to another client's pipeline, and because all client certificates are signed by my self-generated root CA, he will not be stopped from doing that, because he could successfully authenticate himself using the certificates.

And even if I do host validation, anyone can just spin up another Filebeat on the client's machine, copy the config from the existing one and do whatever he wants to do.
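One way to close both gaps raised in this thread (the client-controlled routing variable, and the client pointing Filebeat at another client's port) is to stop trusting anything in the event for routing and derive the target index from the identity Logstash has already verified: the client certificate. With a single Beats input that requires a trusted client certificate and exposes its subject in event metadata, the filter can strip any client-supplied routing field, map the certificate CN to an index, and drop events from unknown CNs. Changing the port or the Filebeat config then gains nothing, because every port applies the same certificate-based routing. This is an added example, not configuration from the thread's author or from Elastic; option names follow the 7.x `beats` input (`ssl_verify_mode`, `ssl_peer_metadata`) and the `translate` filter's `source`/`target` options, the certificate paths, hosts, CNs and index names are placeholders, and the subject DN format `CN=...,O=...` in `[@metadata][tls_peer][subject]` is an assumption you should confirm against your own certificates.

```logstash
# Added example pipeline: tenant routing by client certificate, not by event content.
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstash.crt"                # placeholder path
    ssl_key => "/etc/logstash/certs/logstash.key"                        # placeholder path
    ssl_certificate_authorities => ["/etc/logstash/certs/client-ca.crt"] # your own root CA
    ssl_verify_mode => "force_peer"    # connections without a trusted client cert are rejected
    ssl_peer_metadata => true          # stores the client cert subject in [@metadata][tls_peer]
  }
}

filter {
  # Anything the client itself put into a routing field is untrusted: remove it
  # before it can influence the output. Field names are placeholders for whatever
  # your current filter keys on.
  mutate {
    remove_field => ["tenant", "[fields][index]"]
  }

  # Pull the CN out of the verified certificate subject (assumed "CN=client-a,O=...").
  grok {
    match => { "[@metadata][tls_peer][subject]" => "CN=%{DATA:[@metadata][client_cn]}(,|$)" }
    tag_on_failure => ["_no_client_cn"]
  }

  # Allow-list: certificate CN -> index. A CN not in the table gets the fallback value.
  translate {
    source => "[@metadata][client_cn]"
    target => "[@metadata][tenant_index]"
    dictionary => {
      "client-a" => "logs-client-a"   # placeholder CNs and index names
      "client-b" => "logs-client-b"
    }
    fallback => "__unknown__"
  }

  # Unknown or missing CN: the cert chains to our CA but was not issued for a known
  # tenant, so the event is dropped rather than written anywhere.
  if "_no_client_cn" in [tags] or [@metadata][tenant_index] == "__unknown__" {
    drop { }
  }
}

output {
  elasticsearch {
    hosts => ["https://es.example.internal:9200"]   # placeholder host
    user => "logstash_writer"                        # placeholder credentials
    password => "${ES_WRITER_PASSWORD}"
    index => "%{[@metadata][tenant_index]}-%{+YYYY.MM.dd}"
  }
}
```

Because the index name is computed from `@metadata`, it is never part of the stored document and the client cannot override it by adding fields of the same name. Note the residual risk the thread already points out: whoever controls a client machine controls that client's certificate, so this design bounds a compromised client to its own index but cannot distinguish the legitimate Filebeat from a second one started with a copy of the same config; that boundary is the one the certificate actually enforces.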
