How to set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server?

I have 2 servers with Ubuntu 18.04:

Here is the configuration file /etc/logstash/conf.d/logstash.conf on the server monitoring.example.com :

input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Here is the configuration file /etc/filebeat/filebeat.yml on the server www.example.com :

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/ca.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/client.crt"

  # Client Certificate Key
  #ssl.key: "/etc/client.key"

Currently ELK works and receives the files from Filebeat. But the exchanges are not secure.

How to set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server?

I found this documentation:

https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

But how to create the certificates, and on which server should you create them?

UPDATE

On the ELK server

Create directories to store SSL certificates

$ sudo mkdir -p /etc/elk-certs

Generate SSL Certificates

$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt

Change the owner

$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key

Send the SSL certificate to the client server

$ sudo scp /etc/elk-certs/monitoring-example-com.crt root@22.22.22.222:/tmp
$ sudo scp /etc/elk-certs/monitoring-example-com.key root@22.22.22.222:/tmp

On the client server

Create the directories to store the SSL certificate

$ sudo mkdir -p /etc/elk-certs

Copy the certificate into the directory

$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/
$ sudo mv /tmp/monitoring-example-com.key /etc/elk-certs/

On the ELK server

Here is the configuration file /etc/logstash/conf.d/logstash.conf on the server monitoring.example.com:

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/elk-certs/monitoring-example-com.crt"]
    ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
    ssl_key => "/etc/elk-certs/monitoring-example-com.key"
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Restart Logstash

$ sudo systemctl restart logstash

On the client server

Here is the configuration file /etc/filebeat/filebeat.yml on the server www.example.com:

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk-certs/monitoring-example-com.key"

Restart Filebeat

$ sudo systemctl restart filebeat

PROBLEM

$ curl -v --cacert /etc/elk-certs/monitoring-revolutime-com.crt https://monitoring.example.com:5044

* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:42d0:301:1000::1b37...
* TCP_NODELAY set
*   Trying 11.11.111.111...
* TCP_NODELAY set
* Connected to monitoring.example.com (11.11.111.111) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Currently Logstash does not receive any data from Filebeat.

https://pastebin.com/4g1N0LD2
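An added example, not part of the question or of Elastic's documentation, for the two open points above (how to create the certificates and on which host): a private CA, generated on the Logstash host, signs one server certificate for Logstash and a separate client certificate for Filebeat, so the server's private key never has to be copied anywhere. The hostnames, file names and output directory are assumptions; only ca.crt, client.crt and client.key need to go to the Filebeat host.

```shell
# Added example, not from the thread: private CA + Logstash server cert + Filebeat
# client cert with openssl. Hostnames and the output directory are assumptions.
set -eu

LOGSTASH_HOST="${LOGSTASH_HOST:-monitoring.example.com}"
FILEBEAT_HOST="${FILEBEAT_HOST:-www.example.com}"

# Writes ca.*, server.* and client.* into $1 (default ./elk-certs); the return
# status is that of the final chain verification, so failures are not masked.
make_mtls_certs() {
  dir="${1:-./elk-certs}"
  mkdir -p "$dir"
  (
    cd "$dir" || exit 1
    # Minimal req config: empty DN section (we pass -subj) plus CA extensions.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\n' > req.cnf
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf
    # 1. Private CA. ca.crt is what both sides list as the certificate authority
    #    (ssl_certificate_authorities / ssl.certificate_authorities); ca.key stays here.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -batch -config req.cnf \
      -subj '/CN=ELK private CA/' -keyout ca.key -out ca.crt 2>/dev/null
    # 2. Logstash server cert (ssl_certificate / ssl_key). The SAN must match the
    #    hostname Filebeat dials in output.logstash.hosts, or verification fails.
    openssl req -newkey rsa:2048 -nodes -batch -config req.cnf \
      -subj "/CN=$LOGSTASH_HOST/" -keyout server.key -out server.csr 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LOGSTASH_HOST" > server.ext
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 825 -extfile server.ext -out server.crt 2>/dev/null
    # 3. Filebeat client cert (ssl.certificate / ssl.key) with its own key, so the
    #    server's private key never has to be copied to the Filebeat host.
    openssl req -newkey rsa:2048 -nodes -batch -config req.cnf \
      -subj "/CN=$FILEBEAT_HOST/" -keyout client.key -out client.csr 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > client.ext
    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -days 825 -extfile client.ext -out client.crt 2>/dev/null
    chmod 600 ca.key server.key client.key
    rm -f req.cnf server.csr client.csr server.ext client.ext ca.srl
  )
  verify_mtls_certs "$dir"
}

# Offline checks: both leaves chain to ca.crt (what force_peer on Logstash needs
# from the client), the server cert names the Logstash host, the client cert has clientAuth.
verify_mtls_certs() {
  dir="${1:-./elk-certs}"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client.crt" >/dev/null &&
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$LOGSTASH_HOST" &&
    openssl x509 -in "$dir/client.crt" -noout -text | grep -q 'TLS Web Client Authentication'
}
```

With these files, ssl_certificate_authorities on Logstash and ssl.certificate_authorities on Filebeat both point at ca.crt, the ssl_certificate/ssl_key pair is server.crt/server.key, and ssl.certificate/ssl.key is client.crt/client.key. A live check that actually presents a client certificate, which the curl test above does not (hence its handshake failure against force_peer), is `openssl s_client -connect monitoring.example.com:5044 -CAfile ca.crt -cert client.crt -key client.key`.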

You can generate certificates using the certutil tool that comes bundled with Elasticsearch.

Also, if you only seek secure connection between FB => LS then you probably don't really need client certificates in your filebeat.yml so remove ssl.certificate and ssl.key and keep only ssl.certificate_authorities.

Is this tool paid or free?

This is released under the Basic license, which is free.

Thank you, I am not familiar with the Ubuntu command. In my case what would be the entry command? Where are the certificates stored?
There are no blog posts on this topic.

The tool should work in any Linux distro with a supported JVM installed. Just follow the procedure to generate as if you were generating certificates for an Elasticsearch node, but use the generated certificate files with Logstash and Filebeat instead, as it will work just fine.

The referred documentation contains all that is needed for generating the certificates. If you don't feel comfortable with that, then you should be able to use openssl instead, if you prefer.

I have tried OpenSSL several times and it does not work.

So give certutil a try, it should be easier to use.

Is this article still relevant? Is this the right method?

When you say that X-Pack is free, it's not open source? Are the features on this page free? Thank you.

https://www.elastic.co/fr/products/stack/security

Please, read this blog post for more information https://www.elastic.co/products/x-pack/open

I updated my question.

It annoys me; I will uninstall ELK and test Graylog. Setting up SSL between ELK and Logstash is a fighter's journey.