Let's assume an application I would like to monitor is running in a Security-Network-Zone (e.g. DMZ). It should be integrated via Filebeat into the Logstash & Elasticsearch platform running in the internal network zone.
But unfortunately the Security-Zone does not allow me to establish a connection to the internal network for security reasons. It is only allowed to create a connection from the internal network to the security zone.
As the connection between Filebeat & Logstash is persistent anyway, I was wondering whether there is a way to initialize the connection to Filebeat from Logstash (internal to DMZ). But it seems not, as I haven't found any information.
What would be your advice in that architecture to solve this requirement?
Can you add any other tools in the DMZ infrastructure? If so you could use Kafka.
You would need to configure your Filebeat (in the DMZ) to ship the logs to Kafka (also in the DMZ); then you would use the Kafka input in Logstash to pull the logs from Kafka.
This way it is your Logstash server that will start the connection.
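The layout described in the answer above, as an added example that is not part of the original thread: a small script that writes a Filebeat config for the DMZ host and a Logstash pipeline for the internal host. All host names, ports, paths, the topic and the consumer group are placeholders chosen for illustration.

```shell
#!/bin/sh
# Added example: config pair for Filebeat (DMZ) -> Kafka (DMZ) <- Logstash (internal).
# Hosts, ports, paths, topic and group id below are assumed placeholders.

write_configs() {
  out_dir="$1"
  mkdir -p "$out_dir" || return 1

  # DMZ side: Filebeat publishes to a Kafka broker in the same zone (no zone crossing).
  cat > "$out_dir/filebeat.yml" <<'EOF'
filebeat.inputs:
  - type: filestream
    id: dmz-app-logs
    paths:
      - /var/log/myapp/*.log

output.kafka:
  hosts: ["kafka.dmz.example:9093"]
  topic: "dmz-app-logs"
  required_acks: 1
  ssl.certificate_authorities: ["/etc/filebeat/ca.pem"]
EOF

  # Internal side: Logstash opens the TCP connection outbound to the DMZ broker and pulls.
  cat > "$out_dir/logstash-kafka.conf" <<'EOF'
input {
  kafka {
    bootstrap_servers => "kafka.dmz.example:9093"
    topics => ["dmz-app-logs"]
    group_id => "logstash-internal"
    codec => "json"
    security_protocol => "SSL"
    ssl_truststore_location => "/etc/logstash/kafka-truststore.jks"
    ssl_truststore_password => "${KAFKA_TRUSTSTORE_PASS}"
  }
}
output {
  elasticsearch {
    hosts => ["https://elasticsearch.internal.example:9200"]
  }
}
EOF
}

# Stand-alone use: sh write_configs.sh <output-dir>
if [ "$#" -eq 1 ]; then write_configs "$1"; fi
```

With this layout the firewall only needs an internal-to-DMZ rule for the broker port. The broker's advertised listener address must be one the internal Logstash host can resolve and reach, because Kafka clients reconnect to the advertised address after the bootstrap step.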
Indeed, the security advice will not be to forward the logs to the internal zone, but to implement a log concentrator in the DMZ; in this case I think another Logstash instance is the way to go.
It is an interesting suggestion. You would need to test what happens when each one restarts, what happens when each one starts when the other is not running etc. (If I recall correctly the output will hang in the register function until it connects.)