What is the point and purpose of ca_trusted_fingerprint?

What is the point of adding the ca_trusted_fingerprint parameter to a logstash-output-elasticsearch section in an output filter? Is it purely to defend against a possible attack on DNS servers? Misconfiguration of the ES hosts?

If your Elasticsearch is listening with TLS, on HTTPS, and the CA used to sign the certificate is not a trusted CA, like a self-generated CA that you used, then you need to pass the CA in Logstash so it can trust the Elasticsearch certificate.

This can be done in two ways: one is using the cacert option, the other is using ca_trusted_fingerprint, but this option only works on Logstash 8.3+.

This is explained in the documentation:

The SHA-256 fingerprint of an SSL Certificate Authority to trust, such as the autogenerated self-signed CA for an Elasticsearch cluster.


Thanks. So in our case, where we run ELK on-premise and have an internal CA organisation that issues all our certificates, using the fingerprint feature is like using both belt and suspenders? It does not gain us any additional security?

Same effect, security and outcome, just 2 different implementations... Using both provides no additional security.
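An added example, not part of the thread and not Logstash's own code: how the value for ca_trusted_fingerprint is derived (SHA-256 over the DER bytes of the CA certificate, written as hex) and how a pinned fingerprint can be matched against the certificates a server presents. The certificate bytes are constructed stand-ins, and `chain_has_pinned_ca` and the other function names are hypothetical helpers that illustrate the idea rather than the plugin's implementation; accepting colon-separated input is an assumption made here for convenience.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der_list(pem_text):
    """Return the DER bytes of every certificate in a PEM file or bundle."""
    ders = [base64.b64decode("".join(body.split()), validate=True)
            for body in PEM_BLOCK.findall(pem_text)]
    if not ders:
        raise ValueError("no CERTIFICATE block found")
    return ders

def fingerprint(der):
    """SHA-256 over the DER encoding, as lowercase hex without separators."""
    return hashlib.sha256(der).hexdigest()

def normalize(pin):
    """Accept colon-separated hex (openssl output style) or plain hex."""
    value = pin.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]{64}", value):
        raise ValueError("not a SHA-256 fingerprint (need 64 hex digits)")
    return value

def chain_has_pinned_ca(chain_pem, pin):
    """True if any certificate in the presented chain matches the pin."""
    wanted = normalize(pin)
    return any(fingerprint(der) == wanted for der in pem_to_der_list(chain_pem))

def to_pem(der):
    """Wrap raw bytes in PEM armor (helper for the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed stand-in bytes, not real certificates: the fingerprint is a hash
# of the encoded bytes, so any byte string shows the mechanics.
LEAF_DER = b"constructed-leaf-certificate-bytes" * 4
CA_DER = b"constructed-internal-ca-bytes" * 4
OTHER_CA_DER = b"constructed-unrelated-ca-bytes" * 4
CHAIN_PEM = to_pem(LEAF_DER) + to_pem(CA_DER)   # leaf followed by its CA
PIN = fingerprint(CA_DER)                       # value to put in the config
OPENSSL_STYLE = ":".join(PIN[i:i + 2] for i in range(0, 64, 2)).upper()

if __name__ == "__main__":
    print("ca_trusted_fingerprint =>", PIN)
    print(chain_has_pinned_ca(CHAIN_PEM, OPENSSL_STYLE))
```

With a real CA file, pass its PEM text to `pem_to_der_list` and fingerprint the resulting DER bytes; the pin identifies one exact CA certificate, so a reissued CA needs a new fingerprint.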
