I didn't test this yet (there might be some subtle errors in examples). You will at least need most recent logstash-input-beats plugin (hopefully including the PR already) to configure client auth.
For client auth you need to have some certificate authority (CA) to verify the client's certificate + enable authentication server side (as the server must request the client's certificate). Set the list of CAs in `ssl_certificate_authorities` and enable server verification by setting `ssl_verify_mode` to `"force_peer"` (most strict option).
The list of CAs must either include the self-signed certificate used by the client or, better, the root certificate used to sign the client certificate. The advantage of a root certificate is that you have to configure logstash only once and can create/revoke client certificates any time (add more clients to the network without updating the logstash config).
On the client side we need the actual certificate + key. In filebeat configure `certificate` and `certificate_key`.
For testing the config you can start with having logstash and filebeat running on the same host (with the same domain) and use the same certificate for logstash and filebeat. But in production you will need separate certificates for both logstash and filebeat.
Following this tutorial (assuming you are using the domain names + self-signed certificates without root CAs) check out the "Generate SSL Certificates" section and adapt:

```shell
$ sudo mkdir -p /etc/pki/tls/certs
$ sudo mkdir /etc/pki/tls/private
$ cd /etc/pki/tls
$ sudo openssl req -subj '/CN=<logstash-server-domain>/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/logstash.key -out certs/logstash.crt
$ sudo openssl req -subj '/CN=<filebeat-client-domain>/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout private/filebeat.key -out certs/filebeat.crt
```
The `02-beats-input.conf` must say:

```
input {
  beats {
    port => 5044
    ssl => true # enable TLS/SSL
    # configure logstash server certificate being presented to filebeat
    ssl_certificate => "/etc/pki/tls/certs/logstash.crt"
    ssl_key => "/etc/pki/tls/private/logstash.key"
    # configure client auth + filebeat cert for validation
    # (no commas between settings: logstash config syntax separates them by whitespace)
    ssl_verify_mode => "force_peer"
    ssl_certificate_authorities => ["/etc/pki/tls/certs/filebeat.crt"]
  }
}
```
In `filebeat.yml` enable TLS + add certificate:

```yaml
logstash:
  tls:
    # List of root certificates for server verifications
    certificate_authorities: ["/etc/pki/tls/certs/logstash.crt"]
    # client certificate + key for client auth (if requested by server)
    certificate: "/etc/pki/tls/certs/filebeat.crt"
    certificate_key: "/etc/pki/tls/private/filebeat.key"
```
NOTE: when copying certificates + key files only copy files required. Logstash does not require filebeat.key and filebeat does not require logstash.key.
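The certificate generation and trust-list setup above, as an added example that is not from the original post: the script builds the same two self-signed certificates in a scratch directory and checks what the `ssl_certificate_authorities` / `certificate_authorities` settings rely on, namely that each key belongs to its certificate and that a peer certificate is only accepted when its own file is the trusted one. The domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: create the same two self-signed
# certificates as the tutorial in a scratch directory (no sudo, no /etc/pki/tls)
# and run the checks worth doing before editing 02-beats-input.conf and
# filebeat.yml: does each key match its certificate, and does each side's
# trust list accept the peer certificate it will actually be shown?
set -eu
# Create certs/<name>.crt and private/<name>.key under <dir> for <domain>,
# using the same openssl invocation as the post with paths relative to <dir>.
gen_selfsigned() {
  dir=$1; name=$2; domain=$3
  mkdir -p "$dir/certs" "$dir/private"
  openssl req -subj "/CN=$domain/" -x509 -days 3650 -batch -nodes \
    -newkey rsa:2048 -keyout "$dir/private/$name.key" \
    -out "$dir/certs/$name.crt" 2>/dev/null
}

# Succeed only if <key> is the private key belonging to <crt>: the public key
# embedded in the certificate must equal the one derived from the key file.
key_matches_cert() {
  crt=$1; key=$2
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Succeed only if <peer_crt> verifies when <trusted_crt> is the entire trust
# list. With self-signed certificates this is what ssl_certificate_authorities
# (logstash) and certificate_authorities (filebeat) do, so the trusted file must
# be the peer's own certificate, not this side's.
peer_verifies_against() {
  peer_crt=$1; trusted_crt=$2
  openssl verify -CAfile "$trusted_crt" "$peer_crt" >/dev/null 2>&1
}

# Demo with constructed placeholder domain names (not real hosts).
demo() {
  work=$(mktemp -d)
  gen_selfsigned "$work" logstash logstash.example.test
  gen_selfsigned "$work" filebeat filebeat.example.test
  key_matches_cert "$work/certs/logstash.crt" "$work/private/logstash.key" \
    && echo "logstash.crt / logstash.key are a pair"
  # force_peer works when filebeat.crt itself is in ssl_certificate_authorities...
  peer_verifies_against "$work/certs/filebeat.crt" "$work/certs/filebeat.crt" \
    && echo "filebeat.crt accepted with filebeat.crt as the trust list"
  # ...and fails if only logstash.crt was listed there by mistake.
  peer_verifies_against "$work/certs/filebeat.crt" "$work/certs/logstash.crt" \
    || echo "filebeat.crt rejected with logstash.crt as the trust list (expected)"
  rm -rf "$work"
}
demo
```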