Logstash Input Plugins remote code execution concerns

We are currently using Elastic Stack 6.2.4 (Elasticsearch, Logstash, Filebeat). In our setup we have two servers -

  • Server A: This one has our publicly exposed applications for which we need to do log management. Filebeat is installed on this server and the events are forwarded to Server B (where other Elastic components are installed).
  • Server B: Here Logstash and Elasticsearch are installed. Elasticsearch binds to localhost:9200 while Logstash binds to the exposed network interface. Logstash has -
    • Beats input plugin
    • Some filters which do the necessary log transformation for our application logs
    • Output plugin pointing to the local Elasticsearch instance

Now my concerns are as follows -

  • How do Logstash and its plugins, like Input Beats Plugin, ensure that they are not vulnerable to "Remote Code Execution" if some malicious payload is sent via Filebeat?
  • Is it secure by design?
    • If yes, then how?
    • If no, then what measures does one need to take?
  • Is there any documentation online in this regard?

Sorry for the multiple questions here, but these seem quite important to me.

Can someone here help me with my above query?
