I have Logstash set up receiving data from Filebeat on external servers, with SSL mutual authentication.
I would like to add one more layer and only allow events through when Filebeat's client certificate subject matches a string or regular expression.
It seems like I should be able to do something like this:

    input {
      beats {
        port => 5045
        ssl => true
        ssl_certificate_authorities => [ "/etc/logstash/ca.crt" ]
        ssl_certificate => "/etc/logstash/{{ node_name }}.crt"
        ssl_key => "/etc/logstash/{{ node_name }}.pkcs8.key"
      }
    }
    output {
      if [@metadata][tls_peer][subject] =~ /{{ elk_node }}-filebeat/ {
        if [fields][log_for] {
          elasticsearch {
            ssl => true
            ssl_certificate_verification => true
            cacert => '/etc/logstash/ca.crt'
            hosts => [ {{ logstash_elasticsearch_hosts }} ]
            user => "{{ logstash_elasticsearch_user }}"
            password => "{{ logstash_elasticsearch_password }}"
            index => "logstash-%{[fields][log_for]}-%{+YYYY.MM.dd}"
          }
        }
      }
    }

But the relevant metadata doesn't appear to be available.
What am I missing?
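
An added example, not part of the original post: an unanchored pattern of the shape used in the conditional above accepts any subject that merely contains the string, so this Ruby code compares it with an exact comparison on the CN attribute. It assumes the subject arrives as an RFC 2253 style DN string; `ELK_NODE`, the helper names and the sample DNs are constructed for illustration.

```ruby
# Added example: loose vs. strict client-certificate subject checks.
ELK_NODE = "node1" # hypothetical stand-in for the {{ elk_node }} template value

# Split a DN such as "CN=a,OU=b,O=c" into [type, value] pairs.
# A comma escaped with a backslash inside a value is not a separator.
# Multi-valued RDNs ("CN=a+OU=b") are not split, so they never pass strict_match?.
def parse_dn(dn)
  dn.split(/(?<!\\),/).map do |rdn|
    type, value = rdn.strip.split("=", 2)
    [type.to_s.upcase, value.to_s.gsub(/\\(.)/, '\1')]
  end
end

# Same shape as the conditional in the post: substring match anywhere in the DN.
def loose_match?(subject, node)
  !!(subject =~ /#{Regexp.escape(node)}-filebeat/)
end

# Exactly one CN attribute, and it must equal "<node>-filebeat".
def strict_match?(subject, node)
  cns = parse_dn(subject).select { |type, _| type == "CN" }.map(&:last)
  cns.length == 1 && cns.first == "#{node}-filebeat"
end

# Subjects the loose pattern lets through but the strict check rejects.
def loose_only(subjects, node)
  subjects.select { |s| loose_match?(s, node) && !strict_match?(s, node) }
end

# Constructed sample subjects.
SAMPLE_SUBJECTS = [
  "CN=node1-filebeat,OU=ops,O=Example",         # intended client
  "CN=node1-filebeat-staging,OU=ops,O=Example", # longer CN containing the string
  "CN=other,OU=node1-filebeat,O=Example",       # string appears in OU, not CN
  "CN=xnode1-filebeat,O=Example",               # prefix added to the CN
  "CN=node2-filebeat,O=Example"                 # different node
].freeze

SAMPLE_SUBJECTS.each do |s|
  puts format("%-45s loose=%-5s strict=%s", s,
              loose_match?(s, ELK_NODE), strict_match?(s, ELK_NODE))
end
```

In a Logstash conditional, the closest equivalent is to anchor the expression on the CN attribute and its delimiter rather than matching the bare string.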