How to configure SSL connection between Logstash and Filebeat

Elastic Stack Logstash
1

Hi everyone,

I'm trying to configure the SSL connection between Logstash and Filebeat. Filebeat is working fine, but Logstash is not starting.

Logstash.conf

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/root/ca/certs/ca.cert.pem"]
    ssl_certificate => "/root/ca/intermediate/certs/elasticStackServer.cert.pem"
    ssl_key => "/root/ca/intermediate/private/elasticStackServer.key.pem"
    ssl_verify_mode => "force_peer"
  }
}

output {
  elasticsearch {
    hosts => "10.56.80.20:9200"
    manage_template => false
    index => "%{[@metadata][beat]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
}

filebeat.yml

filebeat.prospectors:
- type: log
  enabled: true
  paths:
    - /var/log/*.log
filebeat.config.modules:
  path: ${path.config}/modules.d/*.yml
  reload.enabled: false
setup.template.settings:
  index.number_of_shards: 3
output.logstash:
  hosts: ["10.56.80.20:5044"]
  ssl.certificate_authorities: ["/root/ca/certs/ca.cert.pem"]
  ssl.certificate: "/root/ca/intermediate/certs/elasticStackClient.cert.pem"
  ssl.key: "/root/ca/intermediate/private/elasticStackClient.key.pem"
logging.level: debug

Logstash Logfile:

[2018-02-09T15:09:03,756][ERROR][logstash.inputs.beats    ] Invalid setting for beats input plugin:

  input {
    beats {
      # This setting must be a path
      # File does not exist or cannot be opened /root/ca/intermediate/certs/elasticStackServer.cert.pem
      ssl_certificate => "/root/ca/intermediate/certs/elasticStackServer.cert.pem"
      ...
    }
  }
[2018-02-09T15:09:03,758][ERROR][logstash.inputs.beats    ] Invalid setting for beats input plugin:

  input {
    beats {
      # This setting must be a path
      # File does not exist or cannot be opened /root/ca/intermediate/private/elasticStackServer.key.pem
      ssl_key => "/root/ca/intermediate/private/elasticStackServer.key.pem"
      ...
    }
  }

I created the key and certificate according to following instructions:
Create SSL key

Here the command to create the cert and change of permission

openssl ca -config intermediate/openssl.cnf \
      -extensions server_cert -days 375 -notext -md sha256 \
      -in intermediate/csr/elasticStackServer.csr.pem \
      -out intermediate/certs/elasticStackServer.cert.pem

chmod 444 intermediate/certs/elasticStackServer.cert.pem

Thank you in advance.

Best regards
Simon

2

Unless you're running Logstash as root it won't be able to access a file under /root.

1 Like
3

Magnus, you made my day.
Thank you!

I copied the appropriate files to /etc/logstash/ssl/

Now it works!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.