Certificate SSL with logstash input

franco.federico · November 28, 2019, 9:21am

Hi all

I have a product with inside ELK with SG compliance edition.

I’d like to create certificates to set the filebeat output and logstash input with secure comunication.

Do you give me an how to? Could I setup the certificate. I have the root-ca used for internal exchange from elasticsearch nodes (transport and rest).

I’d like to do this configuration

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/ca.crt"]
    ssl_certificate => "/etc/server.crt"
    ssl_key => "/etc/server.key"
    ssl_verify_mode => "force_peer"
  }
}

and I’d like to verify my configuration with this

curl -v --cacert ca.crt https://logs.mycompany.com:5044

If the test is successful, you’ll receive an empty response error:

Rebuilt URL to: https://logs.mycompany.com:5044/
Trying 192.168.99.100…
Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0)
TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA
Server certificate: logs.mycompany.com
Server certificate: mycompany.com

GET / HTTP/1.1
Host: logs.mycompany.com:5044
User-Agent: curl/7.43.0
Accept: /

Empty reply from server
Connection #0 to host logs.mycompany.com left intact
curl: (52) Empty reply from server

hsaly · December 4, 2019, 10:59am

Not sure if I get the question here.

Is it about secure communication between filebeat and logstash? That would not be Search Guard related and I suggest to have a look into the filebeat and logstash configuration documentation. You can of course use the ca you used for Search Guard to create certificates for filebeat and logstash.

franco.federico · December 4, 2019, 11:54am

Thank you @hsaly.

I read the link

And I made the certificate using root-ca create by SG.

When I test the configuration with the command I have

curl -v --cacert ca.crt https://logs.mycompany.com:5044

I have error on the CA. Do you have documentation to create the client certificate for filebeat and server certificate for logstash. Both components are in the Elastic Stack and they must comunicate with Elasticsearch in secure mode.

Thank you
Franco

hsaly · December 4, 2019, 2:53pm

Not sure if this is the correct way to test it because service on 5044 might not be http(s).
Can you try with openssl s_client -connect ... (see /docs/man1.0.2/man1/openssl-s_client.html)

system · December 25, 2019, 2:53pm

This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Beats configuration for using SSL Search Guard	7	860	March 19, 2018
Certificate issue while installing filebeat Search Guard	6	3815	April 5, 2019
How Search Guard works with Beat (without Logstash) ? Search Guard	2	645	February 7, 2019
Certificate question Search Guard	3	375	November 15, 2016
Logstash is not able to input data to elasticsearch Search Guard	2	1877	April 19, 2018

Certificate SSL with logstash input

Related Topics