TLS Logstash

Hello,

I have an ELK stack secured with TLS.
Exchanges between nodes and with Kibana are secure.
I have set up Logstash to collect logs from the different devices via the syslog protocol.
I have questions about the certificate part: securing the exchanges from the Logstash output to Elasticsearch,
but also, if possible, from the syslog devices to Logstash.

Here is my current configuration:

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}])? %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch {
    hosts => ["https://192.168.1.30:9200", "https://192.168.1.40:9200", "https://192.168.1.50:9200"]
    ssl => true
    ssl_certificate_verification => true
    # paths must be quoted strings in Logstash config syntax
    keystore => "/etc/logstash/certs/logstash1.p12"
    truststore => "/etc/logstash/certs/logstash1.p12"
    api_key => "66GKX9GYT36ziqNjXv3vvw"
  }
}

In the output, which certificate(s) should be specified?
In the keystore, the certificate of Logstash or the one of Elasticsearch? Of all nodes?

I would also like to leave out the keystore_password and truststore_password parameters.
Is the solution as follows?

set +o history
export LOGSTASH_KEYSTORE_PASS=mypassword
set -o history
sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash create

Same for the truststore?

Thanks a lot for your help,
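As an added example (not part of the question or of the reply), a small Python check over the elasticsearch output block that flags the points at issue here: unquoted keystore/truststore paths, the same file used as both keystore and truststore, and secrets such as the API key written as literals instead of `${VAR}` references to Logstash keystore entries. The keystore is for Logstash's own key and certificate and the truststore for the CA that issued the Elasticsearch node certificates, which is why the hardened sample points them at different files. It assumes a CA-only truststore named ca.p12 and Logstash keystore entries named KEY_PWD, TRUST_PWD and ES_API_KEY.

```python
import re

# Constructed sample: the question's output block, API key replaced by a placeholder.
QUESTION_OUTPUT = """output {
  elasticsearch {
    ssl => true
    ssl_certificate_verification => true
    keystore => /etc/logstash/certs/logstash1.p12
    truststore => /etc/logstash/certs/logstash1.p12
    api_key => "EXAMPLE_API_KEY_PLACEHOLDER"
  }
}"""

# Constructed hardened form: keystore = Logstash's own key and certificate, truststore =
# only the CA that issued the node certificates (assumed name ca.p12), secrets = keystore refs.
HARDENED_OUTPUT = """output {
  elasticsearch {
    ssl => true
    ssl_certificate_verification => true
    keystore => "/etc/logstash/certs/logstash1.p12"
    keystore_password => "${KEY_PWD}"
    truststore => "/etc/logstash/certs/ca.p12"
    truststore_password => "${TRUST_PWD}"
    api_key => "${ES_API_KEY}"
  }
}"""

SECRET_KEYS = ("keystore_password", "truststore_password", "api_key", "password")
KEYSTORE_REF = re.compile(r'^"\$\{[A-Za-z_][A-Za-z0-9_]*\}"$')  # "${NAME}"

def parse_settings(config_text):
    """Crude `key => value` extraction from the elasticsearch output block."""
    match = re.search(r"elasticsearch\s*\{(.*)", config_text, re.S)
    return dict(re.findall(r"^\s*(\w+)\s*=>\s*(.+?)\s*$", match.group(1) if match else "", re.M))

def audit_es_output(config_text):
    """Return TLS and secret-hygiene findings for an elasticsearch output block."""
    s, findings = parse_settings(config_text), []
    if s.get("ssl") != "true" or s.get("ssl_certificate_verification") == "false":
        findings.append("TLS is disabled or server certificate verification is off")
    for key in ("keystore", "truststore"):
        if key in s and not s[key].startswith('"'):
            findings.append(f"{key} path must be a quoted string")
    if s.get("keystore") and s.get("keystore") == s.get("truststore"):
        findings.append("keystore and truststore are the same file; keep the private key out of the trust bundle")
    for key in SECRET_KEYS:
        if key in s and not KEYSTORE_REF.match(s[key]):
            findings.append(f'{key} is a literal; use a keystore reference such as "${{VAR}}"')
    return findings
```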

To define the passwords of the keystore and the variables referenced in the output:

set +o history
export LOGSTASH_KEYSTORE_PASS=password
set -o history
bin/logstash-keystore create --path.settings /etc/logstash
chown logstash:root /etc/logstash/logstash.keystore ;  chmod 0600 /etc/logstash/logstash.keystore
# store the values referenced as ${KEY_PWD} and ${TRUST_PWD} below (prompts for each value)
bin/logstash-keystore add KEY_PWD TRUST_PWD --path.settings /etc/logstash

output {
  elasticsearch {
    hosts => ["https://192.168.1.30:9200", "https://192.168.1.40:9200", "https://192.168.1.50:9200"]
    ssl => true
    ssl_certificate_verification => true
    # paths must be quoted strings; passwords are resolved from the Logstash keystore
    keystore => "/etc/logstash/certs/logstash1.p12"
    keystore_password => "${KEY_PWD}"
    truststore => "/etc/logstash/certs/logstash1.p12"
    truststore_password => "${TRUST_PWD}"
    api_key => "66GKX9GYT36ziqNjXv3vvw"
  }
}
