We are currently using Elastic Stack 6.2.4 (Elasticsearch, Logstash, Filebeat). In our setup we have two servers:
- Server A: This one has our publicly exposed applications for which we need to do log management. Filebeat is installed on this server and the events are forwarded to Server B (where the other Elastic components are installed).
- Server B: Here Logstash and Elasticsearch are installed. Elasticsearch binds to localhost:9200 while Logstash binds to the exposed network interface. Logstash has:
  - the Beats input plugin
  - some filters that do the necessary log transformations for our application logs
  - an output plugin pointing to the local Elasticsearch instance
Now my concerns are as follows:
- How do Logstash and its plugins, like the Beats input plugin, ensure that they are not vulnerable to "Remote Code Execution" if some malicious payload is sent via Filebeat?
  - Is it secure by design?
  - If yes, then how?
  - If no, then what measures does one need to take?
- Is there any documentation online in this regard?
Sorry for the multiple questions here, but these seem quite important to me.
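As an added illustration (not part of the question above, and not Elastic's own sample configuration), here is a Logstash 6.x pipeline for the Server B layout described in the question, in which the Beats input accepts only TLS connections from clients presenting a certificate signed by an internal CA, the filters parse only the fields the application log is known to contain, and the output goes to the localhost-bound Elasticsearch. All certificate paths, the CA name, the grok pattern and the index name are placeholders for this example.

```conf
# Added example, not from the original post. Placeholder paths and names throughout.
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate => "/etc/logstash/certs/server-b.crt"          # placeholder
    ssl_key => "/etc/logstash/certs/server-b.pkcs8.key"            # placeholder, PKCS#8 key
    ssl_certificate_authorities => ["/etc/logstash/certs/internal-ca.crt"]  # placeholder
    # force_peer: connections that present no certificate, or one not signed
    # by the CA above, are rejected before any event is read.
    ssl_verify_mode => "force_peer"
  }
}

filter {
  # Anchored pattern: parse only the expected log layout; anything else is
  # tagged so it can be routed or dropped rather than processed further.
  grok {
    match => { "message" => "^%{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:level} %{GREEDYDATA:msg}$" }
    tag_on_failure => ["_grokparsefailure"]
  }
  date {
    match => ["ts", "ISO8601"]
  }
}

output {
  # Elasticsearch is bound to localhost only, as in the question's setup.
  elasticsearch {
    hosts => ["http://127.0.0.1:9200"]
    index => "app-logs-%{+YYYY.MM.dd}"   # placeholder index pattern
  }
}
```

The Filebeat on Server A then needs a matching `output.logstash` section with `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` so that it can present its own client certificate, issued by the same internal CA.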