Is it possible Mutual authentication between Logstash and Beats

Hi community,

my question is very easy. Is it possible the Mutual authentication between Logstash and Beats. I can authenticate the server Logstash, but is there a way to authenticate the client?
I'd like to have different certificates for every beats node to solve many security incidents.

Regards,
Fedele

Yes it is possible. You need to refer to Beats Logstash configuration and Logstash Beats input configuration. Read optional SSL configuration parameters.

I used the following steps.

Logstash input part

    beats {
        port => 5044
        ssl => true
        ssl_certificate_authorities => ["/tmp/certs/ca.crt"]
        ssl_certificate => "/tmp/certs/logstash.crt"
        ssl_key => "/tmp/certs/logstash.pk8"
        ssl_verify_mode => "force_peer"
        tags => [ "syslog" ]
  }

Filebeat output part

output.logstash:
  # The Logstash hosts
  hosts: ["instance:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/tmp/certs/ca.crt"]

  # Certificate for SSL client authentication
  ssl.certificate: "/tmp/certs/filebeat.crt"

  # Client Certificate Key
  ssl.key: "/tmp/certs/filebeat.key"

Command for certificates:

# CA
$ /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --days 3650 -s

# Logstash cert
$  /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns istance

# Filebeat cert
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns fake

This configuration works but Logstash doesn't authenticate the client.

Can you help me?

For Logstash Beats input plugin
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-ssl_verify_mode

set ssl_verify_mode to {force_peer}.

for Beats output
https://www.elastic.co/guide/en/beats/filebeat/6.6/configuration-ssl.html#_verification_mode
set verification_mode to {full}

When you say Logstash does not verify client, what is the error you get in Logstash log.

When you say Logstash does not verify client, what is the error you get in Logstash log.
I used 2 different certificates, with real and fake hostname and I could write in elasticsearch.
So maybe there is a problem in my configuration.
I'm using force_peer for logstash and verification_mode: full for beats, but It doesn't work.

Check logs in filebeat and logstash and see error for connecting.

I don't have any errors. The configuration with certificate with fake name for beat works.
This is my problem. I'd like that with fake certificate logstash rejects connection.

This topic was automatically closed after 28 days. New replies are no longer allowed.