
ELK Stack - LogStash and Filebeat with SSL

The ELK Stack as a whole can manage and parse huge amounts of log data, which can then be used for analytics, troubleshooting, central monitoring and alerting through its efficient GUI.

In this tutorial we will see how to use SSL when transferring data between the Beats client and the Logstash log aggregator. You can follow the entire setup of the ELK Stack in my previous post, "How to install ELK Stack".

We will cover only the additional setup required for SSL on Logstash and Filebeat. Let's begin with the Logstash server.

Connect to the Logstash server and change to the Logstash root directory.
Create an ssl directory within it.
$ cd /etc/logstash/

$ sudo mkdir ssl

Now we will generate the SSL certificate and key for later use. Run the command below to generate them.
* Replace demo-elk-server with the FQDN of the host where Logstash has been installed.
$ sudo openssl req -subj '/CN=demo-elk-server/' -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout ssl/logstash-forwarder.key -out ssl/logstash-forwarder.crt
Edit the Filebeat input configuration file that was created to receive incoming logs from the Filebeat agents installed on clients.

My config file is named filebeat-input.conf and is placed in the directory /etc/logstash/conf.d/

Add the SSL certificate and key paths to the config and save the file.
vim /etc/logstash/conf.d/filebeat-input.conf
input {
  beats {
    port => 5443
    type => syslog
    ssl => true
    ssl_certificate => "/etc/logstash/ssl/logstash-forwarder.crt"
    ssl_key => "/etc/logstash/ssl/logstash-forwarder.key"
  }
}
We have to restart the Logstash service for the changes to take effect.
We are now done with the Logstash part, so let's move on to the clients for the Filebeat SSL configuration.

Let's edit the filebeat.yml file for it and append the additional SSL lines along with server certificate path and save it.

vim /etc/filebeat/filebeat.yml
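output.logstash:
  # The Logstash hosts; the host name must match the CN given when the certificate was generated
  hosts: ["demo-elk-server:5443"]
  # Trust the self-signed Logstash certificate copied to this client
  ssl.certificate_authorities: ["/etc/filebeat/logstash-forwarder.crt"]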
Now we have to copy the certificate "logstash-forwarder.crt" from the Logstash server and place it in the directory /etc/filebeat/

Either SCP the file, or create a new file named logstash-forwarder.crt in the Filebeat client configuration folder and paste the content of the certificate file into it.

We have to restart logstash service to reflect the changes.
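
A pre-flight check for the certificate and key generated above, as an added example that is not part of the original post. The function names check_beats_tls and make_demo_cert are hypothetical; the script assumes only that openssl is installed, and make_demo_cert builds a constructed throwaway certificate with the tutorial's own openssl command.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Beats TLS setup (not from the original post).
# check_beats_tls CERT KEY HOST -> returns 0 only when every check passes.
check_beats_tls() {
    crt=$1; key=$2; host=$3; rc=0

    # 1. The certificate must cover the name Filebeat dials in "hosts".
    if openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q 'does match certificate'; then
        echo "ok:   certificate covers $host"
    else
        echo "FAIL: certificate does not cover $host"; rc=1
    fi

    # 2. ssl_certificate and ssl_key must belong to the same key pair.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]; then
        echo "ok:   certificate and key match"
    else
        echo "FAIL: certificate and key do not match"; rc=1
    fi

    # 3. The certificate must stay valid for at least 30 more days.
    if openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "ok:   certificate valid for 30+ days"
    else
        echo "FAIL: certificate expired or expiring within 30 days"; rc=1
    fi

    # 4. The private key must not be accessible to "other" users.
    case $(ls -lL "$key" | cut -c8-10) in
        ---) echo "ok:   key is not world-accessible" ;;
        *)   echo "FAIL: key is world-accessible, run chmod o-rwx"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: a throwaway certificate made with the tutorial's own
# openssl command, written to directory $1 for subject name $2.
make_demo_cert() {
    openssl req -subj "/CN=$2/" -x509 -days 3650 -batch -nodes -newkey rsa:2048 \
        -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null && chmod 600 "$1/demo.key"
}
```

On the Logstash server, source the script and run `check_beats_tls /etc/logstash/ssl/logstash-forwarder.crt /etc/logstash/ssl/logstash-forwarder.key demo-elk-server`, passing the same host name that appears in the Filebeat hosts setting.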

So we are done with the SSL config. In case you face any difficulties, do comment on the post.
