Enable TLS for filebeat.input [Newbie]

Hello community,

Quite new to the elastic stack but lurking for a while in this community.

I got the task to set up log management based on the elastic stack.
Use case: an external system (SaaS) sends logs (a variety of logs from a Linux machine, e.g. Tomcat) via TCP to Elastic. Our devs should be able to leverage Elastic for analysis, alerts, etc.

My setup is using Filebeat (with the System module enabled) as the syslog receiver, Elasticsearch and Kibana.
(After reading a lot of discussions, I believe Logstash is not necessary for the moment.)

filebeat.yml

filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"

filebeat.config.modules:
  path: /etc/filebeat/modules.d/*.yml
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "localhost:5601"

output.elasticsearch:
  hosts: ["localhost:9200"]

  protocol: "https"
  ssl.verification_mode: none

# Authentication credentials - either API key or username/password.
  api_key: "someapikey"

The vendor only communicates via TLS, so I assume I have to configure SSL in filebeat.inputs as follows:

filebeat.inputs:
- type: syslog
  format: auto
  enabled: true
  protocol.tcp:
    host: "localhost:514"
    # TLS settings for the syslog input live under protocol.tcp (protocol.tcp.ssl.*),
    # not at the input level, otherwise they are ignored and the listener stays plaintext.
    ssl.enabled: true
    ssl.certificate: "/home/user/server.pem"
    ssl.key: "/home/user/server.key"
    ssl.verification_mode: "none"
    # the option is certificate_authorities and takes a list
    ssl.certificate_authorities: ["/home/user/ca.pem"]

My questions:

  • Is this change enough so that traffic between the SaaS and our syslog receiver uses TLS?
  • Is the input type "syslog" the right choice? (I am not sure I understand the difference between the input types "syslog" and "tcp" correctly.)

Thank you for your help, highly appreciated!
Dan
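An added example, not part of the original post or of Filebeat itself: a small checker for the TLS settings of a Filebeat syslog/TCP input, with the input expressed as Python dicts that mirror the YAML above (so it runs without PyYAML). It flags the mistakes that typically leave such a listener in plaintext or weaken it: ssl.* keys placed at the input level instead of under protocol.tcp, a misspelled certificate_authorities option, verification_mode none, and a loopback bind address that a remote sender cannot reach. The set of accepted ssl option names, the hypothetical corrected config (paths under /etc/filebeat/certs, bind address 0.0.0.0:6514) and the sample dicts are constructed for this example.

```python
"""Checker for the TLS settings of a Filebeat syslog/TCP input (added example).

Configs are nested dicts mirroring filebeat.yml; dotted keys such as
"protocol.tcp" are flattened, so both YAML spellings are handled.
"""
from typing import Any

SSL_PREFIX = "protocol.tcp.ssl."
# Option names accepted under protocol.tcp.ssl (assumption: illustrative subset
# of the Filebeat TLS options, not an exhaustive list).
SSL_KEYS = {
    "enabled", "certificate", "key", "certificate_authorities",
    "verification_mode", "client_authentication", "supported_protocols",
}
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def flatten(cfg: dict, prefix: str = "") -> dict[str, Any]:
    """Turn nested dicts and dotted keys into a single dotted-key dict."""
    out: dict[str, Any] = {}
    for key, value in cfg.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, full + "."))
        else:
            out[full] = value
    return out


def check_syslog_tls(inp: dict) -> list[str]:
    """Return a list of findings for one entry of filebeat.inputs (empty = OK)."""
    f = flatten(inp)
    findings: list[str] = []

    # 1. ssl.* at the input level is silently ignored; it belongs under protocol.tcp.
    misplaced = sorted(k for k in f if k.startswith("ssl."))
    if misplaced:
        findings.append(f"misplaced: {', '.join(misplaced)} belong under protocol.tcp.ssl")

    ssl = {k[len(SSL_PREFIX):]: v for k, v in f.items() if k.startswith(SSL_PREFIX)}

    # 2. Unknown option names (checked in both places so a typo is reported once).
    for name in list(ssl) + [m[len("ssl."):] for m in misplaced]:
        if name not in SSL_KEYS:
            hint = " (did you mean certificate_authorities, a list?)" \
                if name == "certificate_authority" else ""
            findings.append(f"unknown ssl option '{name}'{hint}")

    # 3. TLS must actually be enabled on the listener, with a server cert and key.
    if ssl.get("enabled") is not True:
        findings.append("protocol.tcp.ssl.enabled is not true: the listener accepts plaintext only")
    else:
        if not (ssl.get("certificate") and ssl.get("key")):
            findings.append("a TLS listener needs both ssl.certificate and ssl.key")
        if isinstance(ssl.get("certificate_authorities"), str):
            findings.append("certificate_authorities must be a list, not a string")
        # On a listener, verification_mode governs how client certificates are checked.
        if ssl.get("verification_mode") == "none":
            findings.append("verification_mode none: client certificates are not verified")

    # 4. A remote SaaS cannot reach a socket bound to the loopback interface.
    host = str(f.get("protocol.tcp.host", ""))
    if host.split(":")[0] in LOOPBACK:
        findings.append(f"host {host} is loopback only; remote senders cannot connect")
    return findings


# Constructed sample: the input as posted (ssl.* at input level, option misspelled).
POSTED_INPUT = {
    "type": "syslog", "format": "auto", "enabled": True,
    "protocol.tcp": {"host": "localhost:514"},
    "ssl.enabled": True,
    "ssl.certificate": "/home/user/server.pem",
    "ssl.key": "/home/user/server.key",
    "ssl.verification_mode": "none",
    "ssl.certificate_authority": "/home/user/ca.pem",
}

# Constructed sample: a hypothetical corrected input (paths and port are assumptions;
# 6514 is the registered syslog-over-TLS port).
CORRECTED_INPUT = {
    "type": "syslog", "format": "auto", "enabled": True,
    "protocol.tcp": {
        "host": "0.0.0.0:6514",
        "ssl": {
            "enabled": True,
            "certificate": "/etc/filebeat/certs/server.pem",
            "key": "/etc/filebeat/certs/server.key",
            "certificate_authorities": ["/etc/filebeat/certs/ca.pem"],
            "verification_mode": "full",
        },
    },
}

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_INPUT), ("corrected", CORRECTED_INPUT)):
        print(f"{label}: {check_syslog_tls(cfg) or ['OK']}")
```

Running the block reports four findings for the posted input (misplaced keys, the misspelled option, TLS not enabled on the listener, loopback bind) and none for the corrected one. The checker only reads the config; whether the vendor's sender actually negotiates TLS against the listener still has to be confirmed on the wire, for example by inspecting a connection to the port.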
