Hello,
I am in the process of evaluating X-Pack security, and in my current setup I've successfully sorted out the following SSL/TLS communications:
Kibana ----> AD LDAPS Server (IIS generated self-signed certificate for the purpose of server authentication)
Kibana ----> ElasticSearch (certgen tool)
Kibana ----> Browser (certgen tool)
Filebeat ----> Logstash (certgen tool)
Logstash ----> ElasticSearch (certgen tool)
Kibana, Logstash and ElasticSearch are running on a single Windows Server 2012 R2 machine.
I have two servers that I am collecting logs from, running two different applications. I would like to use ELK for centralized log monitoring of the two applications, but I would like to have complete isolation between the two projects. I have realized this logical separation in the database by using different index name prefixes. Each Filebeat shipper sends logs under a specific index depending on the project.
What I am concerned about, in general, is how do I make sure that data from a particular client server is actually coming from it, and ensure that someone who has the server certificate doesn't load dirty data into the database?
If I understand correctly, the idea is to provide Filebeat with the ElasticSearch node certificate so that it can authenticate the node; however, does the node (ElasticSearch or Logstash) also try to authenticate the server the logs are coming from? In other words, can I somehow ensure that a given Filebeat agent is authenticated by the elastic node server and writes data only to a particular index in the database?
If the two application servers are using the same certificate to authenticate the ElasticSearch node server, how do I make sure someone will not try to load dirty content into the indices of the other application, or even worse submit DELETE curl requests and compromise all indices:
curl -XDELETE https://:9200/index/filebeat-app01-* --cacert ca.crt
Does ElasticSearch cater for client certificates, or does it only provide a way to authenticate the servers running the core components?
Thanks a lot in advance!
--Boz
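As an added illustration of the setup the question is asking about (example configuration, not from the post or from Elastic's documentation): a Logstash pipeline that requires a client certificate from each Filebeat shipper (mutual TLS via ssl_verify_mode "force_peer"), gives each project its own listening port and its own trusted CA, and writes each project with a separate X-Pack user. It assumes the beats-input option names of the 5.x/6.x plugin, that the PKCS#8 key, certificate and CA files under /etc/logstash/certs exist, and that the roles behind logstash_app01 and logstash_app02 grant only "write" and "create_index" on filebeat-app01-* and filebeat-app02-* respectively (no delete_index or manage), so a compromised shipper can neither write into the other project's indices nor delete its own.

```conf
# Added example, not the original poster's config. All paths, ports,
# user names and index names are placeholders.
input {
  # Project app01: only client certificates signed by the app01 CA are
  # accepted, and a connection without a client certificate is rejected.
  beats {
    port                        => 5044
    ssl                         => true
    ssl_certificate             => "/etc/logstash/certs/logstash.crt"
    ssl_key                     => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca-app01.crt"]
    ssl_verify_mode             => "force_peer"
    tags                        => ["app01"]
  }
  # Project app02: separate port and a separate CA, so an app01 shipper
  # certificate is not trusted here even though it is valid for app01.
  beats {
    port                        => 5045
    ssl                         => true
    ssl_certificate             => "/etc/logstash/certs/logstash.crt"
    ssl_key                     => "/etc/logstash/certs/logstash.pkcs8.key"
    ssl_certificate_authorities => ["/etc/logstash/certs/ca-app02.crt"]
    ssl_verify_mode             => "force_peer"
    tags                        => ["app02"]
  }
}

output {
  # The tag set by the input, not anything the shipper sent, decides the
  # index and the credentials; each user's role is limited to its own
  # filebeat-appNN-* pattern. Passwords come from the environment.
  if "app01" in [tags] {
    elasticsearch {
      hosts    => ["https://localhost:9200"]
      ssl      => true
      cacert   => "/etc/logstash/certs/ca.crt"
      user     => "logstash_app01"
      password => "${LOGSTASH_APP01_PW}"
      index    => "filebeat-app01-%{+YYYY.MM.dd}"
    }
  } else if "app02" in [tags] {
    elasticsearch {
      hosts    => ["https://localhost:9200"]
      ssl      => true
      cacert   => "/etc/logstash/certs/ca.crt"
      user     => "logstash_app02"
      password => "${LOGSTASH_APP02_PW}"
      index    => "filebeat-app02-%{+YYYY.MM.dd}"
    }
  }
}
```

On the Filebeat side each shipper then points output.logstash at its project's port and presents its own certificate and key via ssl.certificate and ssl.key, with ssl.certificate_authorities set to the CA that signed the Logstash certificate.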