I'm experimenting with WinLogBeat, and would like to use certificate authentication on the connection to LogStash.
All of my clients have certificates in the windows certificate store. Is there a way to configure winlogbeat to use the certificate from the windows certificate store? Or would I have to export the certificate and key every so often to a location that winlogbeat can use?
I would suggest you generate a self-signed certificate for this purpose only, for the Beat client authentication with a certificate; which is not the same as verifying the SSL tunnel on the Logstash endpoint.
We do it like this when configuring ADFS, for example...
The main issue if you don't go with a self-signed certificate for the client authentication is:
with a certificate signed by the same CA, any certificate signed by this CA can be used to authenticate on the Logstash endpoint and send logs you don't want. So you don't really manage who can send logs to your endpoint.
When you use a self-signed certificate only for the client auth, you deploy it with the private key on the Beat clients you want... on Windows you need to have the PEM file and the private key (in unprotected p8 format) on every Beat client.
On the Logstash endpoint, you don't need the private key for the client auth; just the PEM file of the self-signed cert (so the public part).
However, you do need a cert + key if you configure the listening port in SSL on Logstash.
It means:
1 certificate + key, signed by your CA: Logstash endpoint.
1 self-signed cert + key: for client authentication.
An example will be better than my explanations.
logstashsrv_domain_local.pem: the certificate of the Logstash server, which is signed by my CA.
Beat_Agents_Auth.pem: the self-signed certificate used for the client Beat authentication.
output.logstash:
  # The Logstash hosts
  hosts: ["logstashsrv.domain.local:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["${path.home}/Chain_My_CA.pem"]

  # Client certificate and its unencrypted PKCS#8 private key (client auth)
  ssl.certificate: "${path.home}/Beat_Agents_Auth.pem"
  ssl.key: "${path.home}/Beat_Agents_Auth_key.pk8"
For the Beat agent (so Filebeat, Winlogbeat, etc.), I put the 3 files inside the Beat folder of the agent.
Then I can copy this stuff across all my specific Windows servers...
Note: if someone can get your key to auth on the Logstash endpoint, he can send undesired logs.
But this is the same as using a CA-signed certificate...
Luc, thank you for the suggestion. My goal was to not have to worry about the creation, renewal and distribution (and potentially revocation) of the certificates at all, as Windows takes care of that.
I will have to look and see what I can do to automate the process so that it works for mass deployment.
The main problem is that even a user certificate which is signed by your CA can authenticate to your Logstash and send crappy logs to your endpoint...
Edit: which means you don't really secure the authentication when you're using the same CA for your certificates (user/services/servers, whatever).
Unless you dedicate a full CA for this; then it's simpler to go with a self-signed, as we do with ADFS.
Yes, if you want to do so, you need to export the key and the PEM file.
Be careful, sometimes you cannot export the key; it depends on the template of your certificate, whether you allowed the key to be exported.
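The export step Luc describes above, and the "put the files in the Beat folder" deployment from his earlier answer, as an added PowerShell example. This is not code from the thread: the certificate subject pattern, the output folder, the file name stem and the presence of openssl.exe on PATH are assumptions for this example. It pulls the machine certificate out of the Windows store, writes the PEM certificate and an unencrypted PKCS#8 key that winlogbeat's ssl.certificate / ssl.key options read, surfaces the non-exportable-key case as a clear error, and restricts who can read the key file since it sits on disk unprotected.

```powershell
# Added example (not from the thread). Export one machine certificate from the
# Windows store into the PEM cert + unencrypted PKCS#8 key that winlogbeat expects.
# Subject pattern, output folder, file stem and openssl.exe on PATH are assumptions.
param(
    [string]$SubjectPattern = 'CN=beat-agent',               # hypothetical cert subject
    [string]$OutDir         = 'C:\Program Files\Winlogbeat', # hypothetical beat folder
    [string]$CertName       = 'Beat_Agents_Auth'             # file stem used in the thread
)

$ErrorActionPreference = 'Stop'
$pemPath = Join-Path $OutDir "$CertName.pem"
$keyPath = Join-Path $OutDir "${CertName}_key.pk8"

# Pick the newest matching certificate that actually has a private key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectPattern*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key matches '$SubjectPattern'." }
Write-Host "Exporting $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# Public half: DER out of the store, then PEM via openssl.
$derPath = Join-Path $env:TEMP "$CertName.cer"
Export-Certificate -Cert $cert -FilePath $derPath -Type CERT | Out-Null
& openssl x509 -inform DER -in $derPath -out $pemPath
if ($LASTEXITCODE -ne 0) { throw "openssl x509 failed" }

# Private half: only works when the issuing template marked the key exportable.
# A non-exportable key makes Export-PfxCertificate throw; that is the case Luc warns about.
$pfxPath  = Join-Path $env:TEMP "$CertName.pfx"
$pfxPlain = [guid]::NewGuid().ToString()   # throw-away password for the temporary PFX
$pfxPass  = ConvertTo-SecureString $pfxPlain -AsPlainText -Force
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPass | Out-Null
} catch {
    throw "Private key of $($cert.Thumbprint) is not exportable (template setting); " +
          "re-enroll with an exportable key or use a dedicated self-signed client cert. $_"
}

# PFX -> PEM key -> unencrypted PKCS#8, the format winlogbeat reads for ssl.key.
# (OpenSSL 3 needs -legacy on the pkcs12 call if the PFX uses RC2 for the cert bags.)
$tmpKey = Join-Path $env:TEMP "$CertName.key.pem"
& openssl pkcs12 -in $pfxPath -nocerts -nodes -passin "pass:$pfxPlain" -out $tmpKey
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed" }
& openssl pkcs8 -topk8 -nocrypt -in $tmpKey -out $keyPath
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs8 failed" }

# The key is unprotected on disk, so limit who can read it. winlogbeat runs as
# LocalSystem by default, so SYSTEM plus local Administrators is enough.
& icacls $keyPath /inheritance:r /grant:r 'SYSTEM:R' 'BUILTIN\Administrators:R' | Out-Null

# Scrub the temporaries; the PFX and the intermediate PEM key both held the private key.
Remove-Item $derPath, $pfxPath, $tmpKey -Force
Write-Host "Wrote $pemPath and $keyPath"
```

Run it as an administrator on each Beat host (or from your deployment tooling) whenever the certificate is renewed; the key file name and location match the ssl.key path in the winlogbeat.yml shown earlier in the thread, so the Beat picks the new key up on its next restart. The ACL step matters because the thread's point stands either way: whoever can read that key can send logs to your endpoint, whether the certificate is self-signed or CA-issued.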