Is it possible Mutual authentication between Logstash and Beats

Fedele_Mantuano · December 8, 2019, 4:10pm

Hi community,

my question is very easy. Is it possible the Mutual authentication between Logstash and Beats. I can authenticate the server Logstash, but is there a way to authenticate the client?
I'd like to have different certificates for every beats node to solve many security incidents.

Regards,
Fedele

Sunil_Chadha · December 8, 2019, 5:15pm

Yes it is possible. You need to refer to Beats Logstash configuration and Logstash Beats input configuration. Read optional SSL configuration parameters.

Fedele_Mantuano · December 8, 2019, 11:25pm

I used the following steps.

Logstash input part

    beats {
        port => 5044
        ssl => true
        ssl_certificate_authorities => ["/tmp/certs/ca.crt"]
        ssl_certificate => "/tmp/certs/logstash.crt"
        ssl_key => "/tmp/certs/logstash.pk8"
        ssl_verify_mode => "force_peer"
        tags => [ "syslog" ]
  }

Filebeat output part

output.logstash:
  # The Logstash hosts
  hosts: ["instance:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/tmp/certs/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/tmp/certs/filebeat.crt"

  # Client Certificate Key
  ssl.key: "/tmp/certs/filebeat.key"

Command for certificates:

# CA
$ /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --days 3650 -s

# Logstash cert
$  /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns istance

# Filebeat cert
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns fake

This configuration works but Logstash doesn't authenticate the client.

Can you help me?

Sunil_Chadha · December 9, 2019, 9:38pm

For Logstash Beats input plugin
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-ssl_verify_mode

set ssl_verify_mode to {force_peer}.

for Beats output
https://www.elastic.co/guide/en/beats/filebeat/6.6/configuration-ssl.html#_verification_mode
set verification_mode to {full}

When you say Logstash does not verify client, what is the error you get in Logstash log.

Fedele_Mantuano · December 9, 2019, 10:25pm

When you say Logstash does not verify client, what is the error you get in Logstash log.
I used 2 different certificates, with real and fake hostname and I could write in elasticsearch.
So maybe there is a problem in my configuration.
I'm using force_peer for logstash and verification_mode: full for beats, but It doesn't work.

Sunil_Chadha · December 9, 2019, 11:27pm

Check logs in filebeat and logstash and see error for connecting.

Fedele_Mantuano · December 10, 2019, 2:40pm

I don't have any errors. The configuration with certificate with fake name for beat works.
This is my problem. I'd like that with fake certificate logstash rejects connection.

system · January 5, 2020, 4:10pm

This topic was automatically closed after 28 days. New replies are no longer allowed.