Hello,
I have an ELK stack secured with TLS.
Exchanges between nodes and with Kibana are secure.
I have set up Logstash to collect logs from the different devices via the syslog protocol.
I have questions about the certificate part, to secure the exchanges from the Logstash output to Elasticsearch,
but also, if possible, from the syslog devices to Logstash.
Here is my current configuration:
input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}
filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])? %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}
output {
  elasticsearch {
    hosts => ["https://192.168.1.30:9200", "https://192.168.1.40:9200", "https://192.168.1.50:9200"]
    ssl => true
    ssl_certificate_verification => true
    # paths must be quoted strings in the Logstash config syntax
    keystore => "/etc/logstash/certs/logstash1.p12"
    truststore => "/etc/logstash/certs/logstash1.p12"
    api_key => "66GKX9GYT36ziqNjXv3vvw"
  }
}
In the output, which certificate(s) should be specified?
In the keystore, the certificate of Logstash or the one of Elasticsearch? Of all nodes?
I would also like to leave out the keystore_password and truststore_password parameters.
Is the solution as follows?
set +o history
export LOGSTASH_KEYSTORE_PASS=mypassword
set -o history
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create
Same for the truststore?
Thanks a lot for your help,
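As an added example (not the original poster's configuration and not an official Elastic sample), this is how the two TLS legs asked about above can be expressed with the same plugin option names the post already uses: the trust store carries only the CA that signed the Elasticsearch node certificates, the key store is needed only when Elasticsearch requires client certificates, and syslog encryption is done with the tcp input since UDP cannot carry TLS. The filter block is unchanged and omitted; the certificate paths, the `${...}` secret names and the API key are assumed placeholders.

```logstash
# Added example, not the poster's config. Paths under /etc/logstash/certs/,
# the secret names referenced as ${...} and the API key are placeholders.
input {
  # Syslog over TLS (RFC 5425 style, port 6514): the device must be set to
  # send TCP syslog with TLS. Plain UDP syslog cannot be encrypted.
  tcp {
    port => 6514
    type => syslog
    ssl_enable => true
    ssl_cert => "/etc/logstash/certs/logstash1.crt"   # Logstash's own server certificate
    ssl_key  => "/etc/logstash/certs/logstash1.key"   # and its private key
    ssl_key_passphrase => "${LS_KEY_PASS}"            # secret stored in the Logstash keystore
    # Require device certificates signed by the internal CA (mutual TLS).
    # Set ssl_verify => false only if the devices cannot present a certificate.
    ssl_verify => true
    ssl_certificate_authorities => ["/etc/logstash/certs/ca.crt"]
  }
}

output {
  elasticsearch {
    hosts => ["https://192.168.1.30:9200", "https://192.168.1.40:9200", "https://192.168.1.50:9200"]
    ssl => true
    ssl_certificate_verification => true
    # Trust store: the CA certificate that signed the HTTP certificates of the
    # Elasticsearch nodes. One CA entry covers all nodes; no node certificate
    # and no Logstash certificate belongs in here.
    truststore => "/etc/logstash/certs/ca-truststore.p12"
    truststore_password => "${ES_TRUSTSTORE_PASS}"
    # Key store: Logstash's own certificate and private key, presented to
    # Elasticsearch. Only required if Elasticsearch enforces client certificate
    # authentication; with API key authentication it can be left out.
    # keystore => "/etc/logstash/certs/logstash1.p12"
    # keystore_password => "${ES_KEYSTORE_PASS}"
    # api_key expects the "id:api_key" pair returned by the Create API key API
    api_key => "${ES_API_KEY}"
  }
}
```

The `${...}` values are added with `logstash-keystore add NAME` after the keystore is created; the LOGSTASH_KEYSTORE_PASS variable in the commands above protects that Logstash keystore file itself, not the PKCS#12 trust store referenced in the output.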