Checking client cert subject in Logstash

I have Logstash set up receiving data from Filebeat on external servers, with SSL mutual authentication.

I would like to add one more layer and only allow through when Filebeat's client certificate subject matches a string or regular expression.

It seems like I should be able to do something like this:

        input {
          beats {
            port => 5045
            ssl => true
            ssl_certificate_authorities => [ "/etc/logstash/ca.crt" ]
            ssl_certificate => "/etc/logstash/{{ node_name }}.crt"
            ssl_key => "/etc/logstash/{{ node_name }}.pkcs8.key"
          }
        }
        output {
          if [@metadata][tls_peer][subject] =~ /{{ elk_node }}-filebeat/ {
            if [fields][log_for] {
              elasticsearch { 
                ssl => true
                ssl_certificate_verification => true
                cacert => '/etc/logstash/ca.crt'
                hosts => [ {{ logstash_elasticsearch_hosts }} ]
                user => "{{ logstash_elasticsearch_user }}"
                password => "{{ logstash_elasticsearch_password }}"
                index => "logstash-%{[fields][log_for]}-%{+YYYY.MM.dd}"
              }
            }
          }
        }

But the relevant metadata doesn't appear to be available.

What am I missing?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.