Encrypting and authenticating communication between Winlogbeat and Logstash

I've working on a proof of concept where I'm using Elasticsearch, Logstash, Kibana and Winlogbeat.

The Winlogbeat service is running on a remote system and then sending events directly to Logstash. I've setup my configurations as follows:

Logstash config:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "logstash-remote.crt"
    ssl_key => "logstash-remote.key"
  }
}

Winlogbeat config:

output.logstash:
  hosts: ["X.X.X.X:5044"]
  
  ssl.certificate_authorities: ['logstash-remote.crt']

  compression_level: 3

  bulk_max_size: 2048

This is far from optimal as far as security goes (no central CA, no additional configurations, etc)., however for a proof of concept I'm just trying to make sure none can install their own Winlogbeat service and send bogus data to my Logstash node and any traffic sent between the Winlogbeat service and Logstash can be decrypted unless they have the two certificates residing on the Logstash node.

Do my configurations look correct so far for basic encryption and authentication?

Thanks in advance! :slight_smile:

I don't see anything in your configuration that would provide that protection.
Your TLS setup is:

  1. encrypting the communication
  2. ensuring that beats it talking to the real Logstash server

But it does not prevent additional (rogue) beats clients from connecting to that logstash port.

For that you want to enable (and enforce) client certifcates.
See

2 Likes

Thank you Tim!

Also, the guide I followed for the steps mentioned above is here: https://docs.bitnami.com/aws/apps/elk/administration/connect-remotely-logstash/

Additionally, to prevent rogue beat clients from communicating with Logstash I've implement ed firewall rules to only accept connections from trusted sources.

At the very least with my setup communication is encrypted end-to-end, which is the most important thing for this proof of concept.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.