Winlogbeat to Logstash over SSL

Mark_Marais · January 9, 2023, 7:44am

Good day,

Can someone assist me with a secure connection from my beats to my logstash instances.

Thanks.

Ayush_Mathur · January 9, 2023, 7:54am

Hello Mark, welcome to the hood

Have you tried following the Elastic documentation for the same: Secure communication with Logstash | Winlogbeat Reference [8.5] | Elastic ?

Rios · January 9, 2023, 7:59am

Also you have older blog here

Mark_Marais · January 10, 2023, 6:51am

Hi Gents,

Thanks for the response I tried both of these, still no luck. Runnning version 8.5.

For now I'm sending logs directly from my vpn connections to my elasticsearch instances. But this is not recommended for me as we do have external clients coming up.

Mark_Marais · January 10, 2023, 7:27am

My problem comes in with the creation of the beats to logstash. Logstash to elasticsearch I'm using the .pem file. There is not alot of information regarding the process of creating the correct certs and format for the beats to logstash.

Ayush_Mathur · January 10, 2023, 1:54pm

@Mark_Marais Its hard to say anything without looking at the configurations, manifests and logs, can you please share them for better understanding what exactly you're trying out ?

Rios · January 10, 2023, 2:11pm

You need pcks8 format in input conf

openssl pkcs8 -in config/certs/logstash.key -topk8 -nocrypt -out config/certs/logstash.pkcs8.key

input {
  beats {
    port => 5044
    ssl => true
    ssl_key => '/etc/logstash/config/certs/logstash.pkcs8.key'
    ssl_certificate => '/etc/logstash/config/certs/logstash.crt'
  }
}

Mark_Marais · January 11, 2023, 12:01pm

Thanks Rios. I tried converting it but seems to reject my communication still.

Image uploaded is the current winlogbeat sending directly to my elasticsearch instances, using the elasticsearch-ca.pem certificate.

This will be one of my elasticsearch.yml config files.

And this will be my config for logstash that is not working at the moment you will see I commented out the ssl part for input.

What I'm trying to achieve is pushing my winlogbeats events through to my logstash nodes - using ofcourse a DNS name that is linked to my public ip. My main concern is how and which certs should i use for the communication from beats to logstash and then logstash to elasticsearch. Another thing is I don't want the logstash events to corrupt any of my current index or indicies that is currently working.

Thanks once again for your time guys.

Mark_Marais · January 16, 2023, 8:17am

No response... sigh please guys

Ayush_Mathur · January 16, 2023, 9:18am

Try with:

output.elasticsearch:
  ssl:
    enabled: true
    client_authentication: required
    certificate_authorities: [path/to/ca/certificate]

Mark_Marais · January 16, 2023, 9:31am

The issue is not with the output to elasticsearch. The problem is what certificates should i use for beats to logstash. Can i use the cergen tool?

Ayush_Mathur · January 16, 2023, 1:56pm

You can use elasticsearch-certutil which is bundled along with elasticsearch and is available in /bin folder. You can either generate P12 certificates and use them or use SAN based ca/instance/key certificates. Documentation is available here: elasticsearch-certutil | Elasticsearch Guide [8.6] | Elastic

system · February 13, 2023, 1:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.