googleelk

Connect remotely to Logstash using SSL certificates

It is strongly recommended to create an SSL certificate and key pair in order to verify the identity of ELK Server. In this example, we are going to use Filebeat to ship logs from our client servers to our ELK server:

  • Add the ELK Server’s private IP address to the subjectAltName (SAN) field of the SSL certificate on the ELK server. To do so, open the OpenSSL configuration file (/opt/bitnami/common/openssl/openssl.cnf), find the [ v3_ca ] section in the file, and add this line under it (substitute in the ELK server’s private IP address for the IP_ADDRESS placeholder):

    subjectAltName = IP: IP_ADDRESS
    
  • Generate the SSL certificate and private key in the appropriate locations (e.g. /opt/bitnami/logstash/ssl/), with the following commands:

    $ cd /opt/bitnami/logstash/ssl/
    $ openssl req -config /opt/bitnami/common/openssl/openssl.cnf -x509 -days 3650 -batch -nodes -newkey rsa:2048 -keyout logstash-remote.key -out logstash-remote.crt
    
  • Configure Logstash (/opt/bitnami/logstash/conf/) to add SSL certificates for the input protocol. The code below will add SSL certificates for the Beats plugin:

    input {
      beats {
        port => 5044
        ssl => true
        ssl_certificate => "/opt/bitnami/logstash/ssl/logstash-remote.crt"
        ssl_key => "/opt/bitnami/logstash/ssl/logstash-remote.key"
      }
    }
    
  • Restart Logstash:

    $ sudo /opt/bitnami/ctlscript.sh restart logstash
    
  • Open port 5044 in the ELK server firewall

  • The logstash-remote.crt file should be copied to all the client instances that send logs to Logstash.

  • Install Filebeat in the client machine. For example, the commands below will install Filebeat:

    $ echo “deb https://packages.elastic.co/beats/apt stable main” | sudo tee -a /etc/apt/sources.list.d/beats.list $ wget -qO - https://packages.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -

    • Debian:

      $ sudo apt-get update $ sudo apt-get install filebeat

    • CentOS:

      $ sudo yum install filebeat

  • Configure Filebeat. In this example, we need to add the lines below in the filebeat configuration file (by default /etc/filebeat/filebeat.yml) to send syslog logs:

    filebeat:
      prospectors:
        -
          paths:
            - /var/log/auth.log
            - /var/log/syslog
            #  - /var/log/*.log
    ...
          document_type: syslog
    ...
    output:
      logstash:
        hosts: ["elk_server_private_ip:5044"]
        bulk_max_size: 1024
    ...
        tls:
          certificate_authorities: ["<logstash-remote.crt_path>"]
    ...
    
  • Restart Filebeat service:

    • Debian:

      $ sudo service filebeat restart

    • CentOS:

      $ sudo systemctl restart filebeat