I want to ask for best practice for following problem:
You have different clients and you ship your logs using filebeat to logstash.
You want to seperate the clients in different indeces and you have a filter for that in your logstash pipeline.
You issue a self signed certificate for your clients to make sure only allowed clients are talking with your logstash.
Problem: How you prevent the client sending the logs to other clients index?
Client can manipulate the logs and provide a variable which makes logstash redirect his logs to different index, because in the filter you seperate the logs based on this variable.
Even if you define different pipelines for all your clients and you use different users (which are allowed to write into each clients indeces) for your output in logstash pipelines you cannot prevent that a client just send his logs to different port (used by another customer) and write logs into another clients index, because he is authenticated with the correct certificates.
Do you have any ideas how to solve this security risk. Maybe I do not see something really obvious?