When Logstash is secured with SSL mutual authentication, is it possible to have Logstash add the client certificate's subject as a field in an event before forwarding to Elasticsearch?
I don't think so. The SSL termination is negotiated well before the input ever receives the payload.