Certificate SSL with logstash input

Hi all

I have a product with ELK inside, with SG compliance edition.

I’d like to create certificates to set the filebeat output and logstash input with secure communication.

Could you give me a how-to? Could I set up the certificate? I have the root-ca used for internal exchange from elasticsearch nodes (transport and rest).

I’d like to do this configuration

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/ca.crt"]
    ssl_certificate => "/etc/server.crt"
    ssl_key => "/etc/server.key"
    ssl_verify_mode => "force_peer"
  }
}

and I’d like to verify my configuration with this

curl -v --cacert ca.crt https://logs.mycompany.com:5044

If the test is successful, you’ll receive an empty response error:

GET / HTTP/1.1
Host: logs.mycompany.com:5044
User-Agent: curl/7.43.0
Accept: */*

* Empty reply from server
* Connection #0 to host logs.mycompany.com left intact
curl: (52) Empty reply from server

Not sure if I get the question here.

Is it about secure communication between filebeat and logstash? That would not be Search Guard related and I suggest to have a look into the filebeat and logstash configuration documentation. You can of course use the ca you used for Search Guard to create certificates for filebeat and logstash.

Thank you @hsaly.

I read the link

And I made the certificate using the root-ca created by SG.

When I test the configuration with the command I have

curl -v --cacert ca.crt https://logs.mycompany.com:5044

I have an error on the CA. Do you have documentation to create the client certificate for filebeat and the server certificate for logstash? Both components are in the Elastic Stack and they must communicate with Elasticsearch in secure mode.

Thank you
Franco

Not sure if this is the correct way to test it because the service on 5044 might not be http(s).
Can you try with openssl s_client -connect ... (see /docs/man1.0.2/man1/openssl-s_client.html)
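
An added example, not part of the thread and not Search Guard, Filebeat or Logstash project code: one way to issue a Logstash server certificate and a Filebeat client certificate from a CA and check them offline before testing the listener. It assumes a throwaway lab CA in place of the existing root CA; the file names, the function names and the client CN `filebeat-01` are hypothetical.

```shell
#!/bin/sh
# Added example. The lab CA, file names and CN "filebeat-01" are constructed.
# issue_cert DIR NAME CN EKU [SAN]: key, CSR and CA-signed leaf certificate.
issue_cert() {
  dir=$1 name=$2 cn=$3 eku=$4 san=$5
  openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null || return 1
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$dir/$name.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -extfile "$dir/$name.ext" \
    -out "$dir/$name.crt" 2>/dev/null
}

# make_beats_pki DIR HOST: lab CA, Logstash server cert, Filebeat client cert.
make_beats_pki() {
  dir=$1 host=$2
  mkdir -p "$dir" || return 1
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca' '[dn]' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > "$dir/ca.cnf"
  openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Root CA" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    2>/dev/null || return 1
  issue_cert "$dir" server "$host" serverAuth "DNS:$host" || return 1
  issue_cert "$dir" client filebeat-01 clientAuth || return 1
  # The beats input expects ssl_key in PKCS#8 format.
  openssl pkcs8 -topk8 -nocrypt -in "$dir/server.key" -out "$dir/server.pkcs8.key"
}

# check_beats_pki DIR HOST: chain, purpose (EKU) and hostname (SAN) checks.
check_beats_pki() {
  openssl verify -CAfile "$1/ca.crt" -purpose sslserver -verify_hostname "$2" \
    "$1/server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$1/ca.crt" -purpose sslclient \
    "$1/client.crt" >/dev/null 2>&1
}

# Live check against the listener from the thread; force_peer makes Logstash
# require a client certificate, so one is presented:
#   openssl s_client -connect logs.mycompany.com:5044 -CAfile ca.crt \
#     -cert client.crt -key client.key
```

Source the file, then run `make_beats_pki ./pki logs.mycompany.com` followed by `check_beats_pki ./pki logs.mycompany.com`; a non-zero status from the second call points at the chain, the key usage or the hostname in the SAN.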
