I have 2 servers with Ubuntu 18.04:
- monitoring.example.com (with ELK on a single server)
- www.example.com (with Filebeat)
Here is the configuration file /etc/logstash/conf.d/logstash.conf
on the server monitoring.example.com:

```
input {
  beats {
    port => 5044
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```
Here is the configuration file /etc/filebeat/filebeat.yml
on the server www.example.com:

```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  #ssl.certificate_authorities: ["/etc/ca.crt"]

  # Certificate for SSL client authentication
  #ssl.certificate: "/etc/client.crt"

  # Client Certificate Key
  #ssl.key: "/etc/client.key"
```
Currently ELK works and receives the files from Filebeat. But the exchanges are not secure.

How do I set up mutual SSL authentication between an ELK server (Logstash) and a remote Filebeat server?

I found this documentation:
https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html

But how do I create the certificates, and on which server should I create them?
UPDATE

On the ELK server:

Create directories to store SSL certificates

```
$ sudo mkdir -p /etc/elk-certs
```

Generate SSL certificates

```
$ sudo openssl req -subj '/CN=monitoring.example.com/' -x509 -days 3650 -batch -nodes -newkey rsa:4096 -keyout /etc/elk-certs/monitoring-example-com.key -out /etc/elk-certs/monitoring-example-com.crt
```

Change the owner

```
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.crt
$ sudo chown logstash /etc/elk-certs/monitoring-example-com.key
```

Send the SSL certificate to the client server

```
$ sudo scp /etc/elk-certs/monitoring-example-com.crt root@22.22.22.222:/tmp
$ sudo scp /etc/elk-certs/monitoring-example-com.key root@22.22.22.222:/tmp
```

On the client server:

Create the directory to store the SSL certificate

```
$ sudo mkdir -p /etc/elk-certs
```

Copy the certificate into the directory

```
$ sudo mv /tmp/monitoring-example-com.crt /etc/elk-certs/
$ sudo mv /tmp/monitoring-example-com.key /etc/elk-certs/
```
On the ELK server:

Here is the configuration file /etc/logstash/conf.d/logstash.conf
on the server monitoring.example.com:

```
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/elk-certs/monitoring-example-com.crt"]
    ssl_certificate => "/etc/elk-certs/monitoring-example-com.crt"
    ssl_key => "/etc/elk-certs/monitoring-example-com.key"
    ssl_verify_mode => "force_peer"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
  }
}
```

Restart Logstash

```
$ sudo systemctl restart logstash
```
On the client server:

Here is the configuration file /etc/filebeat/filebeat.yml
on the server www.example.com:

```yaml
#----------------------------- Logstash output --------------------------------
output.logstash:
  # The Logstash hosts
  hosts: ["monitoring.example.com:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/etc/elk-certs/monitoring-example-com.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/etc/elk-certs/monitoring-example-com.crt"

  # Client Certificate Key
  ssl.key: "/etc/elk-certs/monitoring-example-com.key"
```

Restart Filebeat

```
$ sudo systemctl restart filebeat
```
PROBLEM

```
$ curl -v --cacert /etc/elk-certs/monitoring-example-com.crt https://monitoring.example.com:5044
* Rebuilt URL to: https://monitoring.example.com:5044/
*   Trying 2001:42d0:301:1000::1b37...
* TCP_NODELAY set
*   Trying 11.11.111.111...
* TCP_NODELAY set
* Connected to monitoring.example.com (11.11.111.111) port 5044 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/elk-certs/monitoring-example-com.crt
  CApath: /etc/ssl/certs
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* stopped the pause stream!
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
```

Currently Logstash does not receive any data from Filebeat.
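The following is an added example, not part of the question above and not Elastic's own tooling. It shows the certificate layout the Beats-to-Logstash SSL documentation describes, with a small private CA on the ELK host issuing one server certificate for Logstash and a separate client certificate for Filebeat, instead of one self-signed certificate acting as CA, server and client at once. It also reproduces, against a throwaway `openssl s_server` that requires a client certificate (the equivalent of `ssl_verify_mode => "force_peer"`), what happens when a client connects with and without a certificate: a client that presents none, like `curl --cacert` with no `--cert`, is rejected during the handshake. The hostnames come from the question; the CA name, file names, validity periods and the local test port are assumptions made here, and the script assumes a standard `openssl` binary (1.1.0 or newer for `-accept host:port`).

```shell
#!/bin/sh
# Added example (not from the question): private CA, Logstash server cert,
# Filebeat client cert, chain check, and a local mutual-TLS handshake test.
set -eu

# make_pki DIR: writes ca.{key,crt}, logstash.{key,crt}, filebeat.{key,crt}.
# Run this on the ELK host; only ca.crt plus the filebeat.* pair ever leave it.
make_pki() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Private CA. ca.key stays on the ELK host; ca.crt is what both sides trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -batch \
    -subj '/CN=ELK private CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Server cert for Logstash. The SAN must match the name Filebeat dials,
  #    because Go-based clients such as Filebeat do not fall back to the CN.
  printf 'subjectAltName=DNS:monitoring.example.com\n' > "$dir/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -batch \
    -subj '/CN=monitoring.example.com' \
    -keyout "$dir/logstash.key" -out "$dir/logstash.csr" 2>/dev/null
  openssl x509 -req -days 825 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -extfile "$dir/server.ext" \
    -in "$dir/logstash.csr" -out "$dir/logstash.crt" 2>/dev/null
  # 3. Client cert for Filebeat: this is the credential force_peer asks for.
  openssl req -new -newkey rsa:2048 -nodes -batch \
    -subj '/CN=www.example.com' \
    -keyout "$dir/filebeat.key" -out "$dir/filebeat.csr" 2>/dev/null
  openssl x509 -req -days 825 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -in "$dir/filebeat.csr" -out "$dir/filebeat.crt" 2>/dev/null
  chmod 600 "$dir"/*.key
}

# verify_chain DIR: both leaf certificates must chain to ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/logstash.crt" "$1/filebeat.crt" >/dev/null
}

# mtls_handshake DIR PORT yes|no
# Starts a throwaway server that demands a client certificate (-Verify, the
# openssl analogue of force_peer) and connects with or without the Filebeat
# cert. Returns 0 when the handshake completes, 1 when the server rejects it.
# TLS 1.2 is pinned so that a missing client cert fails inside the handshake,
# which is the failure mode curl reported above.
mtls_handshake() {
  dir="$1"; port="$2"; with_cert="$3"
  openssl s_server -accept "127.0.0.1:$port" -tls1_2 \
    -cert "$dir/logstash.crt" -key "$dir/logstash.key" \
    -CAfile "$dir/ca.crt" -Verify 1 -quiet >/dev/null 2>&1 </dev/null &
  srv=$!
  sleep 1
  if [ "$with_cert" = yes ]; then
    client_opts="-cert $dir/filebeat.crt -key $dir/filebeat.key"
  else
    client_opts=""
  fi
  # shellcheck disable=SC2086
  if echo | openssl s_client -connect "127.0.0.1:$port" -tls1_2 \
       -CAfile "$dir/ca.crt" -verify_return_error $client_opts >/dev/null 2>&1
  then rc=0; else rc=1; fi
  kill "$srv" 2>/dev/null || true
  wait "$srv" 2>/dev/null || true
  return $rc
}

# Usage when executed directly:  sh mtls_pki.sh /etc/elk-certs
if [ "${1:-}" != "" ]; then
  make_pki "$1" && verify_chain "$1" && echo "PKI written to $1, chain OK"
fi
```

With this layout, Logstash gets `ssl_certificate_authorities => ["ca.crt"]`, `ssl_certificate => "logstash.crt"` and `ssl_key => "logstash.key"`, while Filebeat gets `ssl.certificate_authorities: ["ca.crt"]`, `ssl.certificate: "filebeat.crt"` and `ssl.key: "filebeat.key"`; neither the CA key nor the server key needs to be copied to the client. The same `openssl s_client` invocation with `-cert`/`-key`, pointed at the real Logstash port, is a more faithful check than curl, which speaks HTTP to a port that expects the Beats protocol and, without `--cert`, has nothing to answer the server's certificate request with.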