Enable TLS for filebeat.input

Hello community,

Quite new to the elastic stack but lurking for a while in this community.

I got the task to set up log management based on the elastic stack.
Use case: External system (SaaS) sends logs (a variety of logs from a Linux machine, e.g. Tomcat) via TCP to Elastic. Our devs should be able to leverage Elastic for analysis, alerts, etc.

My setup is using filebeat (with System module enabled) as syslog receiver, Elastic, Kibana
(After reading a lot of discussions, I believe Logstash is not necessary for the moment)


filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"

filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]
  protocol: "https"
  ssl.verification_mode: none
  # Authentication credentials - either API key or username/password.
  api_key: "someapikey"

The vendor only communicates via TLS, so I assume I should configure SSL in filebeat.input as follows:

filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"
  ssl.enabled: true
  ssl.certificate: "/home/user/server.pem"
  ssl.key: "/home/user/server.key"
  ssl.verification_mode: "none"
  ssl.certificate_authority: "/home/user/ca.pem"

My questions:

  • Is this change enough, so traffic between SaaS and our syslog receiver is using TLS?
  • Is the input type "syslog" the right choice? (I am not sure I understand the difference between input type "Syslog" and "TCP" correctly.)

Thank you for your help, highly appreciated!
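
One way to check the first question from the sending side, as an added example that is not part of the original post: the Python probe below attempts a verified TLS handshake against the listener and reports whether it is unreachable, not speaking TLS, or presenting a certificate that fails verification. The function name and status labels are made up for this example; `cafile` would be the CA file from the post (/home/user/ca.pem).

```python
import socket
import ssl


def probe_syslog_tls(host, port, cafile=None, timeout=3.0):
    """Classify a TCP syslog listener as seen by the sender.

    Returns (status, detail); status is one of 'unreachable', 'no_tls',
    'tls_untrusted_cert', 'tls_ok' (labels chosen for this example).
    """
    # Certificate and host name verification stay on, as a sender would do.
    ctx = ssl.create_default_context(cafile=cafile)

    # Phase 1: plain TCP connect. A listener bound to localhost only is
    # 'unreachable' from every other machine, whatever its ssl.* settings.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)

    # Phase 2: TLS handshake on the connected socket.
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "tls_ok", f"{tls.version()} / {tls.cipher()[0]}"
    except ssl.SSLCertVerificationError as exc:
        # TLS is spoken, but the certificate does not chain to cafile or
        # does not match the host name.
        return "tls_untrusted_cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        # A plaintext listener treats the ClientHello as log data: the
        # handshake times out, is reset, or gets a non-TLS reply.
        return "no_tls", str(exc) or type(exc).__name__
    finally:
        sock.close()


if __name__ == "__main__":
    # Constructed demo: a loopback socket that accepts connections but never
    # replies, standing in for a listener that is not doing TLS.
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)
    print(probe_syslog_tls("127.0.0.1", silent.getsockname()[1], timeout=1.0))
    silent.close()
```

Run from a machine other than the Filebeat host, a result of `unreachable` points at the bind address or a firewall rather than at the TLS settings.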

