Encrypting and authenticating communication between Winlogbeat and Logstash

popa · November 26, 2018, 1:07am

I've working on a proof of concept where I'm using Elasticsearch, Logstash, Kibana and Winlogbeat.

The Winlogbeat service is running on a remote system and then sending events directly to Logstash. I've setup my configurations as follows:

Logstash config:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "logstash-remote.crt"
    ssl_key => "logstash-remote.key"
  }
}

Winlogbeat config:

output.logstash:
  hosts: ["X.X.X.X:5044"]
  
  ssl.certificate_authorities: ['logstash-remote.crt']

  compression_level: 3

  bulk_max_size: 2048

This is far from optimal as far as security goes (no central CA, no additional configurations, etc)., however for a proof of concept I'm just trying to make sure none can install their own Winlogbeat service and send bogus data to my Logstash node and any traffic sent between the Winlogbeat service and Logstash can be decrypted unless they have the two certificates residing on the Logstash node.

Do my configurations look correct so far for basic encryption and authentication?

Thanks in advance!

TimV · November 26, 2018, 1:49am

I don't see anything in your configuration that would provide that protection.
Your TLS setup is:

encrypting the communication
ensuring that beats it talking to the real Logstash server

But it does not prevent additional (rogue) beats clients from connecting to that logstash port.

For that you want to enable (and enforce) client certifcates.
See

Logstash ssl_verify_mode (you want force_peer)
Logstash ssl_certificate_authorities
Winlogbeat ssl.certificate
Winlogbeat ssl.key

popa · November 26, 2018, 4:18am

Thank you Tim!

Also, the guide I followed for the steps mentioned above is here: https://docs.bitnami.com/aws/apps/elk/administration/connect-remotely-logstash/

Additionally, to prevent rogue beat clients from communicating with Logstash I've implement ed firewall rules to only accept connections from trusted sources.

At the very least with my setup communication is encrypted end-to-end, which is the most important thing for this proof of concept.

system · December 24, 2018, 4:19am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Winlogbeat to Logstash over SSL Logstash	12	267	February 13, 2023
Winlogbeat secure connection Beats winlogbeat	3	628	September 25, 2020
Winlogbeats not working with SSL configuration to Logstash Beats winlogbeat	18	6311	May 2, 2018
Logstash / Beats Encryption Error Logstash	1	175	September 1, 2023
Using ssl between filebeat client and logstash server Logstash	1	716	July 6, 2017

Encrypting and authenticating communication between Winlogbeat and Logstash

Related Topics