WinLogBeat - Windows Certificate Store

I'm experimenting with WinLogBeat, and would like to use certificate authentication on the connection to LogStash.

All of my clients have certificates in the Windows certificate store. Is there a way to configure Winlogbeat to use the certificate from the Windows certificate store? Or would I have to export the certificate and key every so often to a location that Winlogbeat can use?

Thank You

Hello,

I would suggest you generate a self-signed certificate for this purpose only, for the Beat client authentication with a certificate; which is not the same as verifying the SSL tunnel on the Logstash endpoint.
We do it like this when configuring ADFS, for example...

The main issue, if you don't go with a self-signed certificate for the client authentication by certificate, is:

  • with a certificate signed by the same CA, any certificate signed by this CA can be used to authenticate on the logstash endpoint and send logs you don't want. So you don't really manage who can send logs to your endpoint.

When you use a self-signed certificate only for the client auth, you will deploy it with the private key on the Beat clients you want... On Windows you need to have the PEM file and the private key - in p8 format, unprotected - on every Beat client.

On the Logstash endpoint, you don't need the private key for the client auth; just the PEM file of the self-signed cert (so the public part).
However, you need a cert + key if you configure the listening port in SSL on Logstash.

It means:

  • 1 certificate + key, signed by your CA: Logstash endpoint.
  • 1 self-signed cert + key: for client authentication.

An example will be better than my explanations.

logstashsrv_domain_local.pem: the certificate of the Logstash server, which is signed by my CA.
Beat_Agents_Auth.pem: the self-signed certificate used for the Beat client authentication.

Logstash input config:

input {
    beats {
        host => "logstashsrv.domain.local"
        port => 5044
        ssl => true
        ssl_certificate => "D:/ELK/SSL/logstashsrv_domain_local.pem"
        ssl_key => "D:/ELK/SSL/logstashsrv_domain_local.pem_key.pk8"
        ssl_certificate_authorities => "D:/ELK/SSL/Beat_Agents_Auth.pem"
        ssl_verify_mode => "force_peer"
    }

}

Beat config:

output.logstash:
  # The Logstash hosts
  hosts: ["logstashsrv.domain.local:5044"]

  # Optional SSL. By default is off.
  # List of root certificates for HTTPS server verifications
  ssl.certificate_authorities: ["${path.home}/Chain_My_CA.pem"]
  ssl.certificate: "${path.home}/Beat_Agents_Auth.pem"
  ssl.key: "${path.home}/Beat_Agents_Auth_key.pk8"

For the Beat agent (so Filebeat, Winlogbeat, etc.), I put the 3 files inside the Beat folder of the agent.
Then I can copy this stuff across all my specific Windows servers...

Note: If someone can get your key to auth on the Logstash endpoint, he can send undesired logs.
But this is the same stuff as using a CA-signed certificate...

Regards,
Luc

Luc, thank you for the suggestion. My goal was to not have to worry about the creation, renewal and distribution (and potentially revocation) of the certificates at all, as Windows takes care of that.
I will have to look and see what I can do to automate the process so that it can be automated for mass deployment.

Thank You again
Frank

Hey,

The main problem is that even a user certificate which is signed by your CA can authenticate to your Logstash and send crappy logs to your endpoint...
Edit: which means you don't really secure the authentication when you're using the same CA for your certificates (users/services/servers, whatever).
Unless you dedicate a full CA for this, it's simpler to go with a self-signed certificate, as we do with ADFS.

Yes, if you want to do so, you need to export the key and the PEM file.
Be careful, sometimes you cannot export the key - it depends on the template of your certificate, whether you allow the key to be exported.
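
Added example, not part of any post in this thread: the script below builds a throwaway shared CA, a user certificate issued by it, and a dedicated self-signed Beat_Agents_Auth certificate, then shows which client certificates chain to each candidate value of ssl_certificate_authorities. All subjects and file names are constructed, and `openssl verify` is assumed here as a stand-in for the chain check Logstash performs under `force_peer`.

```shell
#!/bin/sh
# Added example (not from the thread). All subjects and files are constructed.
# Assumption: `openssl verify` stands in for the chain check done under force_peer.

D=$(mktemp -d) && trap 'rm -rf "$D"' EXIT

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$D/x509.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
[dn]
[v3]
basicConstraints = critical,CA:TRUE
EOF

self_signed() {  # $1 = subject CN, $2 = output basename inside $D
    openssl req -x509 -config "$D/x509.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$D/$2.key" -out "$D/$2.pem" 2>/dev/null
}

accepted_by() {  # $1 = trust file (ssl_certificate_authorities), $2 = client cert
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    then echo accept; else echo reject; fi
}

# Shared internal CA, standing in for the CA that issues user/server certificates.
self_signed "Demo Internal CA" ca
# An unrelated user certificate issued by that same CA.
openssl req -new -config "$D/x509.cnf" -newkey rsa:2048 -nodes -subj "/CN=some.user" \
    -keyout "$D/user.key" -out "$D/user.csr" 2>/dev/null
openssl x509 -req -in "$D/user.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
    -CAcreateserial -days 1 -out "$D/user.pem" 2>/dev/null
# Dedicated self-signed certificate used only for Beat client authentication.
self_signed "Beat_Agents_Auth" Beat_Agents_Auth

echo "trust=shared CA   client=user cert:   $(accepted_by "$D/ca.pem" "$D/user.pem")"
echo "trust=pinned cert client=user cert:   $(accepted_by "$D/Beat_Agents_Auth.pem" "$D/user.pem")"
echo "trust=pinned cert client=pinned cert: $(accepted_by "$D/Beat_Agents_Auth.pem" "$D/Beat_Agents_Auth.pem")"
echo "trust=shared CA   client=pinned cert: $(accepted_by "$D/ca.pem" "$D/Beat_Agents_Auth.pem")"
```

With the shared CA as the trust file, the unrelated user certificate is accepted; with the self-signed certificate as the trust file, only that certificate is.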
