Hi community,
My question is very easy. Is mutual authentication between Logstash and Beats possible? I can authenticate the Logstash server, but is there a way to authenticate the client?
I'd like to have different certificates for every Beats node to solve many security incidents.
Regards,
Fedele
Yes, it is possible. You need to refer to the Beats Logstash configuration and the Logstash Beats input configuration. Read the optional SSL configuration parameters.
I used the following steps.
Logstash input part:
```
beats {
  port => 5044
  ssl => true
  ssl_certificate_authorities => ["/tmp/certs/ca.crt"]
  ssl_certificate => "/tmp/certs/logstash.crt"
  ssl_key => "/tmp/certs/logstash.pk8"
  ssl_verify_mode => "force_peer"
  tags => [ "syslog" ]
}
```
Filebeat output part:
```
output.logstash:
  # The Logstash hosts
  hosts: ["instance:5044"]
  # Optional SSL. By default it is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["/tmp/certs/ca.crt"]
  # Certificate for SSL client authentication
  ssl.certificate: "/tmp/certs/filebeat.crt"
  # Client certificate key
  ssl.key: "/tmp/certs/filebeat.key"
```
Commands for the certificates:
```
# CA
$ /usr/share/elasticsearch/bin/elasticsearch-certutil ca --pem --days 3650 -s
# Logstash cert
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns instance
# Filebeat cert
$ /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-cert /root/certs/ca.crt --ca-key /root/certs/ca.key --days 3650 --pem --dns fake
```
This configuration works, but Logstash doesn't authenticate the client.
Can you help me?
For the Logstash Beats input plugin
https://www.elastic.co/guide/en/logstash/current/plugins-inputs-beats.html#plugins-inputs-beats-ssl_verify_mode
set ssl_verify_mode to {force_peer}.
For the Beats output
https://www.elastic.co/guide/en/beats/filebeat/6.6/configuration-ssl.html#_verification_mode
set verification_mode to {full}.
When you say Logstash does not verify the client, what is the error you get in the Logstash log?
Check the logs in Filebeat and Logstash and look for the connection error.
I don't have any errors. The configuration with the certificate with the fake name for Beats works.
This is my problem: I'd like Logstash to reject the connection when the fake certificate is used.
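The behaviour in this thread (a certificate for "fake" signed by the same CA is accepted), as an added example that is not from the original posts or from Elastic's code: it builds a constructed lab CA and two client certificates in Ruby, checks them the way ssl_verify_mode => "force_peer" does (chain to the trusted CA only, so both pass), and adds the per-node SAN allow-list check that rejects the "fake" certificate. The host names, the serial numbers and the node_allowed? helper are assumptions.

```ruby
require 'openssl'

# Constructed lab PKI standing in for the elasticsearch-certutil output: a CA
# and, per Beats node, a CA-signed certificate whose SAN is its DNS name.
def make_cert(cn, issuer: nil, san: nil, ca: false, serial: 1)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3650 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[0] : cert, cert)
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}"))
  end
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key] # [certificate, private key]
end

# What force_peer checks: a certificate was presented and it chains to a CA
# listed in ssl_certificate_authorities. The name in it is not inspected.
def chain_ok?(ca_cert, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(cert)
end

# DNS names carried in the certificate's subjectAltName extension.
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# The per-node check the input does not do by itself: reject any certificate
# whose SAN is not on the allow-list of known Beats hosts (hypothetical helper).
def node_allowed?(cert, allowed_hosts)
  (san_dns_names(cert) & allowed_hosts).any?
end

CA      = make_cert('lab-ca', ca: true)
GOOD    = make_cert('filebeat-01', issuer: CA, san: 'filebeat-01', serial: 2)
FAKE    = make_cert('fake', issuer: CA, san: 'fake', serial: 3)
ALLOWED = %w[filebeat-01 filebeat-02].freeze
[GOOD, FAKE].each do |cert, _key|
  printf("%-12s chain_ok=%-5s node_allowed=%s\n", san_dns_names(cert).first,
         chain_ok?(CA[0], cert), node_allowed?(cert, ALLOWED))
end
```

Both certificates pass the chain check, which is why Logstash accepts the "fake" one; only the SAN allow-list tells the two nodes apart.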