Hi all,
I am trying to add information about TLS session state between filebeats and logstash into logstash beats input from ECS, but no success. I tested all the described ECS fields of the beats input module, only one field [@metadata][input][beats][host][ip] of which is successfully added. All other fields are not resolved. I am currently getting such a result from the logstash console output:
{
"input" => {
"type" => "log"
},
"agent" => {
"name" => "asa-jump.oss.local",
"id" => "da6aaf2d-a003-43ae-81de-d0e962818293",
"ephemeral_id" => "5e11669e-3bd9-419b-90fe-0ab9659d6706",
"type" => "filebeat",
"version" => "8.2.0"
},
"@timestamp" => 2022-05-22T06:12:26.415Z,
"ecs" => {
"version" => "8.0.0"
},
"log" => {
"file" => {
"path" => "/var/log/dnf.log"
},
"offset" => 929878
},
"@metadata" => {
"beat" => "filebeat",
"version" => "8.2.0",
"input" => {
"beats" => {
"host" => {
"ip" => "192.168.70.6"
}
}
},
"type" => "_doc"
},
"ecsinfo" => [
[0] "%{[@metadata][tls_peer][status]}",
[1] "%{[@metadata][input][beats][host][name]}",
[2] "192.168.70.6",
[3] "%{[@metadata][input][beats][tls][version_protocol]}",
[4] "%{[@metadata][input][beats][tls][client][subject]}",
[5] "%{[@metadata][input][beats][tls][cipher]}"
],
"host" => {
"hostname" => "asa-jump.oss.local",
"os" => {
"kernel" => "4.18.0-348.2.1.el8_5.x86_64",
"name" => "CentOS Linux",
"type" => "linux",
"family" => "redhat",
"version" => "8",
"platform" => "centos"
},
"containerized" => false,
"ip" => [
[0] "192.168.70.6",
[1] "fe80::dc0e:fecb:57d7:48c3"
],
"name" => "asa-jump.oss.local",
"id" => "39189d2dbfe94d80a1952e24f05e3786",
"mac" => [
[0] "56:6f:00:00:00:01"
],
"architecture" => "x86_64"
},
"@version" => "1",
"event" => {
"original" => "2022-05-22T08:20:25+0300 DDEBUG Cleaning up."
},
"message" => "2022-05-22T08:20:25+0300 DDEBUG Cleaning up.",
"tags" => [
[0] "beats_input_codec_plain_applied"
]
}
My logstash configuration:
input {
beats {
port => 5044
client_inactivity_timeout => 1200
ssl => true
ssl_certificate => "/etc/ssl/client.crt"
ssl_key => "/etc/ssl/client.n.key"
ssl_certificate_authorities => ["/etc/ssl/ca.crt"]
ssl_verify_mode => force_peer
ecs_compatibility => v8
add_field => {"ecsinfo" => "%{[@metadata][tls_peer][status]}"}
add_field => {"ecsinfo" => "%{[@metadata][input][beats][host][name]}"}
add_field => {"ecsinfo" => "%{[@metadata][input][beats][host][ip]}"}
add_field => {"ecsinfo" => "%{[@metadata][input][beats][tls][version_protocol]}"}
add_field => {"ecsinfo" => "%{[@metadata][input][beats][tls][client][subject]}"}
add_field => {"ecsinfo" => "%{[@metadata][input][beats][tls][cipher]}"}
}
}
output {
stdout { codec => rubydebug {
metadata => true
}
}
}
Filebeats configuration
filebeat.inputs:
- type: log
enabled: true
paths:
- /var/log/*.log
output.logstash:
hosts: ["192.168.50.200:5044"]
ssl.certificate_authorities: ["ca.crt"]
ssl.certificate: "filebeat.crt"
ssl.key: "filebeat.key"
Why logstash's metadata haven't information about TLS session and about hostname, only IP adress? And how can I fix it?