Have Beats to include authentication token in header

(Susan Hua) #1

We want to have Beats installed on thousands of client machine and have Beats send data to Logstash. Can we have Beats make API call to get an authentication token and include in header? Then proxy on Logstash will process the token in header to authenticate each request. Is this something achievable?

(Mark Walkom) #2

Not currently, but it's an interesting idea!

(Steffen Siering) #3

what you mean by header? Beats->LS is not using HTTP.

Currently for authentication only SSL/TLS support with client authentication is available.

(Susan Hua) #4

Thanks for your response @warkolm and @steffens. What is the protocol for Beats to communicate to LS then?

To work around this problem, can we do the following:

Have a service running on client with Filebeat installed. That service will get request from Filebeat and add authentication token in request somehow and forward request to Logstash. Then we will have proxy running on Logstash. And the proxy will do nothing but validate the token. If token is valid it will pass the request to Logstash.

Do you think this is a feasible solution?

(Steffen Siering) #5

beats uses lumberjack protocol, which uses a persistent TCP connection. The go implementation is provided by go-lumber. The logstash input plugin is provided by logstash-input-beats.

With lumberjack using a persistent TCP connection some authentication scheme (e.g. kerberos) at connection time would make sense. But this is currently not supported by the protocol.

If your willing to write very custom code, you might consider a proxy faking the elasticsearch bulk request API and configure beats elasticsearch output to use elasticsearch pointing to your proxy. This API is based on HTTP. In the elasticsearch output you can configure additional HTTP parameters to be passed for example. But this requires you to fetch a token before starting filebeat. But then I still don't know how you want to validate the token from within logstash.

(system) #6

This topic was automatically closed after 21 days. New replies are no longer allowed.