Winlogbeat to Logstash over SSL

Good day,

Can someone assist me with a secure connection from my Beats to my Logstash instances?

Thanks.

Hello Mark, welcome to the hood :)

Have you tried following the Elastic documentation for this: Secure communication with Logstash | Winlogbeat Reference [8.5] | Elastic?

There is also an older blog post here.

Hi Gents,

Thanks for the response. I tried both of these, still no luck. Running version 8.5.

For now I'm sending logs directly from my VPN connections to my Elasticsearch instances. But this is not recommended for me, as we do have external clients coming up.

My problem comes in with the creation of the certs for Beats to Logstash. For Logstash to Elasticsearch I'm using the .pem file. There is not a lot of information regarding the process of creating the correct certs and format for Beats to Logstash.

@Mark_Marais It's hard to say anything without looking at the configurations, manifests and logs. Can you please share them so we can understand what exactly you're trying out?

You need the key in PKCS#8 format for the input config:

# Convert the traditional (PKCS#1) key to unencrypted PKCS#8; the beats input will not load the original format
openssl pkcs8 -in config/certs/logstash.key -topk8 -nocrypt -out config/certs/logstash.pkcs8.key

input {
  beats {
    port => 5044
    ssl => true
    # PKCS#8 key produced by the openssl command above
    ssl_key => '/etc/logstash/config/certs/logstash.pkcs8.key'
    # Server certificate presented to Beats; its SAN must match the host Beats connects to
    ssl_certificate => '/etc/logstash/config/certs/logstash.crt'
  }
}

Thanks Rios. I tried converting it, but it seems to reject my communication still.

The image uploaded is the current winlogbeat config sending directly to my Elasticsearch instances, using the elasticsearch-ca.pem certificate.

[image]

This will be one of my elasticsearch.yml config files.


And this will be my config for Logstash that is not working at the moment; you will see I commented out the ssl part for the input.

What I'm trying to achieve is pushing my winlogbeat events through to my Logstash nodes, using of course a DNS name that is linked to my public IP. My main concern is how and which certs I should use for the communication from Beats to Logstash and then Logstash to Elasticsearch. Another thing is I don't want the Logstash events to corrupt any of my current index or indices that are currently working.

Thanks once again for your time guys.

No response... sigh. Please, guys.

Try with:

output.elasticsearch:
  ssl:
    enabled: true
    # Note: client_authentication is a server-side option in the Beats SSL settings
    # (used by inputs that accept connections); it has no effect on an output like this one.
    client_authentication: required
    # CA that issued the Elasticsearch node certificates
    certificate_authorities: [path/to/ca/certificate]

The issue is not with the output to Elasticsearch. The problem is which certificates I should use for Beats to Logstash. Can I use the certgen tool?

You can use elasticsearch-certutil, which is bundled with Elasticsearch and available in its bin folder. You can either generate PKCS#12 (.p12) certificates and use them, or use SAN-based CA/instance/key certificates. Documentation is available here: elasticsearch-certutil | Elasticsearch Guide [8.6] | Elastic
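The whole Beats-to-Logstash procedure discussed in this thread (issue a CA, issue a Logstash server certificate whose SAN is the public DNS name, convert the key to PKCS#8 as Rios showed, then point the beats input and the winlogbeat output at those files), as an added example that is not from any post above. It uses openssl instead of elasticsearch-certutil so that it runs anywhere; the host name logstash.example.com, the LS_HOST and OUT variables and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the certificates for the
# Beats -> Logstash TLS hop with openssl, check them, and print the matching
# Logstash input and winlogbeat output fragments.
# Assumptions: the public DNS name of the Logstash nodes is logstash.example.com
# (override with LS_HOST) and files go to a temp dir (override with OUT).
set -eu

LS_HOST="${LS_HOST:-logstash.example.com}"
OUT="${OUT:-$(mktemp -d)}"

gen_certs() {
  mkdir -p "$OUT"

  # 1. Private CA. basicConstraints is set explicitly so that openssl verify
  #    and the Beats TLS client accept it as an issuer.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$OUT/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=beats-logstash-ca" \
    -keyout "$OUT/ca.key" -out "$OUT/ca.csr" 2>/dev/null
  openssl x509 -req -in "$OUT/ca.csr" -signkey "$OUT/ca.key" -days 3650 \
    -extfile "$OUT/ca.ext" -out "$OUT/ca.crt" 2>/dev/null

  # 2. Logstash server key and CSR. The DNS name goes in as a SAN because
  #    Beats (verification_mode: full, the default) matches it against the
  #    host in output.logstash.hosts.
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$LS_HOST" > "$OUT/logstash.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$LS_HOST" \
    -keyout "$OUT/logstash.key" -out "$OUT/logstash.csr" 2>/dev/null
  openssl x509 -req -in "$OUT/logstash.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
    -CAcreateserial -days 825 -extfile "$OUT/logstash.ext" \
    -out "$OUT/logstash.crt" 2>/dev/null

  # 3. The Logstash beats input wants the private key in unencrypted PKCS#8.
  openssl pkcs8 -in "$OUT/logstash.key" -topk8 -nocrypt -out "$OUT/logstash.pkcs8.key"
}

# Server cert chains to our CA and carries the expected DNS SAN.
verify_chain() {
  openssl verify -CAfile "$OUT/ca.crt" "$OUT/logstash.crt" >/dev/null &&
    openssl x509 -in "$OUT/logstash.crt" -noout -text | grep -q "DNS:$LS_HOST"
}

# Unencrypted PKCS#8 PEM starts with "BEGIN PRIVATE KEY"; a traditional
# "BEGIN RSA PRIVATE KEY" (PKCS#1) file is what the beats input rejects.
key_is_pkcs8() {
  head -n 1 "$OUT/logstash.pkcs8.key" | grep -q '^-----BEGIN PRIVATE KEY-----$'
}

# The converted key must still belong to the certificate handed to Logstash.
key_matches_cert() {
  [ "$(openssl x509 -in "$OUT/logstash.crt" -noout -pubkey)" = \
    "$(openssl pkey -in "$OUT/logstash.pkcs8.key" -pubout)" ]
}

print_configs() {
  cat <<EOF
# logstash pipeline: server side of the hop, presents logstash.crt to Beats
input {
  beats {
    port => 5044
    ssl => true
    ssl_key => "$OUT/logstash.pkcs8.key"
    ssl_certificate => "$OUT/logstash.crt"
  }
}

# winlogbeat.yml: trust only the private CA above, not the system store
output.logstash:
  hosts: ["$LS_HOST:5044"]
  ssl.certificate_authorities: ["$OUT/ca.crt"]
EOF
}

gen_certs
verify_chain
key_is_pkcs8
key_matches_cert
print_configs
```

The same artifacts can be produced with the bundled tool (elasticsearch-certutil ca, then elasticsearch-certutil cert --ca ... --dns logstash.example.com --pem); the PKCS#8 conversion step is still needed for the Logstash side. As written, Beats authenticates Logstash but Logstash accepts any client; to make the hop mutual, give Logstash the CA via ssl_certificate_authorities with ssl_verify_mode => "force_peer" on the beats input, and give winlogbeat a client certificate and key under ssl.certificate and ssl.key.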
