How to set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server?

zenimagine · May 9, 2019, 11:57pm

I have 2 servers with Ubuntu 18.04:

monitoring.example.com (with ELK on a single server)
www.example.com (with Filebeat)

Here is the configuration file /etc/logstash/conf.d/logstash.conf on the server monitoring.example.com :

input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Here is the configuration file /etc/filebeat/filebeat.yml on the server www.example.com :

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/ca.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/client.crt"

  # Client Certificate Key
  #ssl.key: "/etc/client.key"

Currently ELK works and receives the files from Filebeat. But the exchanges are not secure.

How to set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server ?

I found this documentation :

https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

But how to create the certificates and on which server should you create them ?

UPDATE

on the server ELK

Create directories to store SSL certificates

$ sudo mkdir -p /etc/elk-certs

Generate SSL Certificates

$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt

Change the owner

$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key

Send the SSL certificate to the client server

$ sudo scp /etc/elk-certs/monitoring-example-com.crt root@22.22.22.222:/tmp
$ sudo scp /etc/elk-certs/monitoring-example-com.key root@22.22.22.222:/tmp

on the server client

Create the directories to store the SSL certificate

$ sudo mkdir -p /etc/elk-certs

Copy the certificate into the directory

$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/
$ sudo mv /tmp/monitoring-example-com.key /etc/elk-certs/

on the server ELK

Here is the configuration file /etc/logstash/conf.d/logstash.conf on the server monitoring.example.com :

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/elk-certs/monitoring-example-com.crt"]
    ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
    ssl_key => "/etc/elk-certs/monitoring-example-com.key"
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}

Restart Logstash

$ sudo systemctl restart logstash

on the server client

Here is the configuration file /etc/filebeat/filebeat.yml on the server www.example.com :

#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk-certs/monitoring-example-com.key"

Restart Filebeat

$ sudo systemctl restart filebeat

PROBLEM

$ curl -v --cacert /etc/elk-certs/monitoring-revolutime-com.crt https://monitoring.example.com:5044

* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:42d0:301:1000::1b37...
* TCP_NODELAY set
*   Trying 11.11.111.111...
* TCP_NODELAY set
* Connected to monitoring.example.com (11.11.111.111) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

Currently Logstash does not receive any data from Filebeat.

https://pastebin.com/4g1N0LD2

thiago · May 11, 2019, 9:48am

You can generate certificates using the certutil tool that comes bundled with Elasticsearch.

Also, if you only seek secure connection between FB => LS then you probably don't really need client certificates in your filebeat.yml so remove ssl.certificate and ssl.key and keep only ssl.certificate_authorities.

zenimagine · May 11, 2019, 12:23pm

This tool is paid or free ?

thiago · May 11, 2019, 12:26pm

This is released under Basic license, which is free

zenimagine · May 11, 2019, 12:44pm

Thank you, I am not familiar with the Ubuntu command. In my case what would be the entry command ? Where are the certificates stored ?
There are no blog posts on this topic.

thiago · May 11, 2019, 12:49pm

The tool should work in any linux distro with a supported JVM installed. Just follow the procedure to generate as if you were generating certificates for an Elasticsearch node, but use the generated certificate files with Logstash and Filebeat instead as it will work just fine.

The referred documentation contains all that is needed for generating the certificates. If you don't feel comfortable with that, then you should be able to use openssl instead, if you prefer.

zenimagine · May 11, 2019, 12:53pm

I have tried OpenSSL several times and it does not work.

thiago · May 11, 2019, 12:55pm

So give the certutil a try, it should be easier to use.

zenimagine · May 11, 2019, 5:48pm

Is this article still relevant? Is this the right method ?

zenimagine · May 11, 2019, 6:10pm

When you say that X-pack is free, it's not open source? Are the features on this page free? Thank you

https://www.elastic.co/fr/products/stack/security

thiago · May 11, 2019, 6:11pm

Please, read this blog post for more information https://www.elastic.co/products/x-pack/open

zenimagine · May 12, 2019, 12:35am

I updated my question

zenimagine · May 14, 2019, 4:14pm

It annoys me I will uninstall ELK and test Graylog. This is the fighter's journey to set up SSL between ELK and Logstash.

system · June 11, 2019, 4:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Is it possible Mutual authentication between Logstash and Beats Beats	7	1864	January 5, 2020
Debug Errors while setting up SSL communication between Filebeat and Logstash Beats filebeat	7	7158	December 15, 2017
Filebeat cannot connect to Logstash using ssl. curl: (35) TCP connection reset by peer Beats filebeat	3	1655	January 14, 2020
SSL between Filebeat and Logstash which is on SAME SERVER Beats filebeat	2	856	July 25, 2019
Filebeat encrypted communication to Logstash Beats	3	369	July 31, 2020

How to set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server?

Related topics