We currently use Winlogbeat on a WEF server, and Logstash behind a firewall with allow rules for the source of the WEF server, using SSL on top of that.
We need to plan for a more mobile workforce without VPN back to the WEF server.
Exposing Logstash to the outside isn't something I feel great about, and certificate authentication seems as though it will be a headache to manage with expiry etc.
I add a field using the processor with an ID so I could drop all events without an ID, which would help with rogue data coming in.
It looks as though Kafka could accept a username and password, which may tick the box to better secure Winlogbeat to Logstash.
Reaching out for any recommendations/suggestions.