I would suggest you generate a self-signed certificate for this purpose only, for the Beat client authentication with a certificate; which is not the same as verifying the SSL tunnel on the Logstash endpoint.
We do it like this when configuring ADFS, for example...
The main issue if you don't go with a self-signed certificate for the client authentication by certificate is:
- with a certificate signed by the same CA, any certificate signed by this CA can be used to authenticate on the Logstash endpoint and send logs you don't want. So you don't really manage who can send logs to your endpoint.
When you use a self-signed certificate only for the client auth, you will deploy it with the private key on the Beat clients you want... On Windows you need to have the PEM file and the private key - in unprotected p8 format - on every Beat client.
On the Logstash endpoint, you don't need the private key for the client auth; just the PEM file of the self-signed cert (so the public part).
However, you need a cert + key if you configure the listening port with SSL on Logstash.
It means:
- 1 certificate + key, signed by your CA: Logstash endpoint.
- 1 self-signed cert + key: for client authentication.
An example will be better than my explanations.
logstashsrv_domain_local.pem: the certificate of the Logstash server, which is signed by my CA.
Beat_Agents_Auth.pem: the self-signed certificate used for the client Beat authentication.
Logstash input config:

```
host => "logstashsrv.domain.local"
port => 5044
ssl => true
ssl_certificate => "D:/ELK/SSL/logstashsrv_domain_local.pem"
ssl_key => "D:/ELK/SSL/logstashsrv_domain_local.pem_key.pk8"
ssl_certificate_authorities => "D:/ELK/SSL/Beat_Agents_Auth.pem"
ssl_verify_mode => "force_peer"
```
Beat config:

```
# The Logstash hosts
# Optional SSL. By default is off.
# List of root certificates for HTTPS server verifications
```
For the Beat agent (so Filebeat, Winlogbeat, etc.), I put the 3 files inside the Beat folder of the agent.
Then I can copy this stuff across all my specific Windows servers...
Note: if someone can get your key to auth on the Logstash endpoint, he can send undesired logs.
But this is the same stuff as using a CA-signed certificate...
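The following script is an added example, not part of the original post: it builds the two client-auth files the post describes (Beat_Agents_Auth.pem plus an unencrypted PKCS#8 key) with openssl and then checks the property the post relies on, namely that only Beat_Agents_Auth.pem itself verifies against Beat_Agents_Auth.pem, so a second self-signed certificate (standing in for "another certificate from the same CA") is rejected. The WORK directory, the subject names and other.pem are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Creates the self-signed client-auth
# certificate described above and shows why pinning it works: only that exact
# certificate verifies against it. File names follow the post; WORK, the
# subjects and "other.pem" are assumptions for this demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Self-signed cert + key for Beat client authentication. The key is then
# converted to unencrypted PKCS#8 ("p8 format unprotected" in the post).
make_client_auth_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Beat_Agents_Auth" \
    -keyout "$WORK/Beat_Agents_Auth.key" \
    -out "$WORK/Beat_Agents_Auth.pem" 2>/dev/null
  openssl pkcs8 -topk8 -nocrypt \
    -in "$WORK/Beat_Agents_Auth.key" \
    -out "$WORK/Beat_Agents_Auth.pk8"
}

# An unrelated certificate, standing in for "any other certificate from the
# same CA" that the Logstash endpoint must not accept.
make_other_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=some-other-client" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# Succeeds only if $1 chains to Beat_Agents_Auth.pem, which is the check that
# ssl_certificate_authorities + ssl_verify_mode => "force_peer" performs.
verifies_against_pinned() {
  openssl verify -CAfile "$WORK/Beat_Agents_Auth.pem" "$1" >/dev/null 2>&1
}

main() {
  make_client_auth_cert
  make_other_cert
  if verifies_against_pinned "$WORK/Beat_Agents_Auth.pem"; then
    echo "Beat_Agents_Auth.pem: accepted (pinned certificate)"
  fi
  if ! verifies_against_pinned "$WORK/other.pem"; then
    echo "other.pem: rejected (not the pinned certificate)"
  fi
  echo "files for the Beat clients: $WORK/Beat_Agents_Auth.pem $WORK/Beat_Agents_Auth.pk8"
}

# Run the demo only when openssl is available.
if command -v openssl >/dev/null 2>&1; then main; fi
```

The .pem goes to Logstash as ssl_certificate_authorities and to every Beat client together with the .pk8, exactly as the post lays out.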