Elastic Stack with Network Security Zones

I would like to know if what I'm trying to do is possible with Elastic Stack?

I have multiple network security zones, all firewalled from each other: (PAZ - Public Access Zone, OZ - Operation Zone, RZ - Restricted Zone). I would like all logs from all servers to be shipped and stored in the RZ - strongest security zone. But data can't go directly from the PAZ to the RZ, it first has to pass through the OZ to reach the RZ.

So the setup would basically be this:
PAZ server rsyslog configured to send syslogs to PAZ Logstash
PAZ Logstash output send to OZ Logstash
OZ Logstash output sends to RZ Logstash
RZ Logstash output sends to RZ Elasticsearch

What I've tried to do so far is setup a Logstash server in the PAZ and another in OZ. I'm trying to setup Logstash-to-Logstash Lumberjack Communication - https://www.elastic.co/guide/en/logstash/current/ls-to-ls.html. When I test this by running logstash on the command line, everything seems to work, but running Logstash as a service with this same setup results in SSL errors.

I found a few posts saying that the Lumberjack protocol is deprecated. Is there a best practice for what I'm trying to do, or a recommended way to do this?

If the PAZ and OS logstash are doing nothing but forwarding messages I would consider replacing them with syslog forwarders.

There are many ways to configure logstash to logstash forwarding. Lumberjack was at one time preferred but not now. http to http or tcp to tcp should both work. udp is possible, but not preferred.

Thanks @Badger for the information. I'll play around more with TCP to TCP, initial testing on my end wasn't going too well but I didn't spend enough time there.

And I failed to mention in the first post that I would also like to ship Windows event logs this way. I'm trying to minimize the number of servers per zone.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.