Securing communications between Beats and Elasticsearch


(Mohamed Salih) #1

I have been trying to do this for while now.

I have my Elasticsearch cluster with X-Pack on it. I am receiving logs from multiple Beats from multiple other servers to my cluster.

Is there a way to encrypt that traffic from Beats to my ES cluster?


(Ioannis Kakavas) #2

Hi,

Yes, you can use TLS. For instance you can take a look at how you can setup filebeat to send to Elasticsearch or Logstash over TLS or here for configuring packetbeat to talk to Elasticsearch over TLS

These should be enough to get you started, but feel free to come back with more specific questions and a little more detail on your setup/architecture if you have any specific issues down the line.


(Mohamed Salih) #3

I've been using X-Pack to generate certificates for the clusters. would I have to generate my own certificate for the servers that have Beats but no X-Pack?

And if so, will a self signed certificate work?


(Ioannis Kakavas) #4

If you want to enable TLS client authentication for filebeat , you would need to generate a key and a certificate that is trusted by the CA that you're using for your Elasticsearch cluster. So

  • using the same tooling ( I assume you use certutil when you say using X-Pack to generate certificates ) would be the easiest way and
  • no, self signed certificates will not work for TLS client authentication[1] . They have to be signed by a CA that Elasticsearch nodes trust.

Please go through our documentation, I believe it's detailed enough and will help you get an idea of what is required. If you have any issues with any specific point, please say so and let us also know how it specifically relates to the architecture you are using/want to use.

[1] Theoretically, you could use self-signed certificates and add the certificates themselves in the list of CAs that your Elasticsearch nodes trust, but that;s hardly ever a good solution.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.