Filebeat encrypted communication to Logstash

Dears,

I have to enable SSL/TLS in the Filebeat configuration to encrypt communication to Logstash.
Right now my ELK cluster uses SSL/TLS configuration between nodes with self-signed certificates. Logstash is started on each ELK node.
Certs were generated on the first node of the ELK cluster through:
bin/elasticsearch-certutil cert ca --pem --in /tmp/instance.yml --out /tmp/certs/certs.zip

The file instance.yml included a list of ELK nodes. The elasticsearch-certutil command generated certs for each node like this:
ca.crt
node.crt
node01.key

The question is how to generate certs for machines where Filebeat is installed?
Do you have any experience with such configuration?

Best Regards,
Dan

Hello Daniel,

Do you want to encrypt the communication or do you want to use client authentication? For encryption, you do not need certificates on the Filebeat machines. Just configure Filebeat to use SSL and where to find the certificate authorities:

output.logstash:
  # The Logstash hosts
  hosts: ["host:5043"]
  ssl.enabled: true
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/path/to/intermediateCa.crt", "/path/to/rootCa.crt"]

In the Logstash pipeline, configure SSL too (be aware that the key must be PKCS#8, as far as I know):

input {
    beats {
        host => "host"
        port => 5043
        ssl => true
        ssl_certificate => "/path/to/serverCert.crt"
        ssl_certificate_authorities => ["/path/to/intermediateCa.crt", "/path/to/rootCa.crt"]
        ssl_key => "/path/to/private.key.pkcs8"
        ssl_key_passphrase => "${input.ssl_key_passphrase}"
    }
}

Add the passphrase to the Logstash keystore and you are good to go.

Best regards
Wolfram

Hello Wolfram,

Thank you for the quick reply. I want to turn on traffic authentication between Filebeat and Logstash.

Regards,
Dan
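
For the client-authentication case raised above, each Filebeat host needs its own certificate signed by a CA that Logstash trusts. The script below is an added example, not part of the original thread: it issues a client-only certificate with openssl and checks it against the CA. It assumes the CA private key (ca.key) is available; a constructed throwaway CA stands in for it here, and the host name filebeat-host01 is hypothetical.

```shell
#!/bin/sh
# Added example: issue a TLS client certificate for one Filebeat host.
set -eu

# Constructed throwaway CA; stands in for the cluster's real ca.crt / ca.key.
make_test_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -key "$1/ca.key" -subj "/CN=Constructed Test CA" -out "$1/ca.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$1/ca.ext"
    openssl x509 -req -in "$1/ca.csr" -signkey "$1/ca.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/ca.crt"
}

# issue_client_cert DIR NAME
# In production, run the genrsa/req steps on the Filebeat host and send only
# the CSR to the machine that holds ca.key.
issue_client_cert() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    chmod 600 "$1/$2.key"
    openssl req -new -key "$1/$2.key" -subj "/CN=$2" -out "$1/$2.csr"
    # clientAuth only: the certificate cannot be reused as a server certificate.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >"$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -extfile "$1/$2.ext" -out "$1/$2.crt"
}

# Succeeds only if DIR/NAME.crt chains to DIR/ca.crt and is valid for TLS client use.
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}

# Unencrypted PKCS#8 copy of a PEM key (the format mentioned above for Logstash's ssl_key).
to_pkcs8() {
    openssl pkcs8 -topk8 -nocrypt -in "$1" -out "$2"
}

workdir=$(mktemp -d)
make_test_ca "$workdir"
issue_client_cert "$workdir" filebeat-host01     # hypothetical host name
verify_client_cert "$workdir" filebeat-host01 && echo "client cert verifies against CA"
to_pkcs8 "$workdir/filebeat-host01.key" "$workdir/filebeat-host01.key.pkcs8"
rm -rf "$workdir"
```

On the Filebeat side the resulting files go into `ssl.certificate` and `ssl.key` under `output.logstash`. For Logstash to require and verify them, the beats input also needs `ssl_verify_mode => "force_peer"` alongside the `ssl_certificate_authorities` setting shown earlier in the thread.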
