SSL filebeat to logstash with filebeat loadbalance


Felipe Andres Concha Sepúlveda

Jul 19, 2018, 7:29:45 AM
to Wazuh mailing list

Hello, 
I am setting up the Filebeat to Logstash communication with SSL, but in the documentation the examples are focused on a Filebeat that sends information to only one Logstash, that is, without loadbalance: true


To configure SSL when I have loadbalance: true I have to do the following?

Generate the first key and certificate in the first logstash server
KEY_ONE:
openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf

Generate the second key and certificate in the second logstash server
KEY_TWO:
openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash2.key -out /etc/logstash/logstash2.crt -config custom_openssl.cnf



In the machine with filebeat:

Copy the certificate from the logstash first server to filebeat
scp root@LOGSTASH_SERVER_IP:/etc/logstash/logstash.crt /etc/filebeat
Copy the certificate from the logstash second server to filebeat
scp root@LOGSTASH_SERVER_IP2:/etc/logstash/logstash2.crt /etc/filebeat

Then configure my Filebeat as follows?
output:
 logstash:
   hosts: ["192.168.2.204:5000", "192.168.2.205:5000"]
   ssl:
     certificate_authorities: ["/etc/filebeat/logstash.crt", "/etc/filebeat/logstash2.crt"]


My current filebeat file has the following:

jesus.g...@wazuh.com

Jul 20, 2018, 10:51:56 AM
to Wazuh mailing list
Hello Felipe,

Ok so we have two Logstash instances and one Filebeat instance which will send data using ssl to our Logstash instances.
The main idea behind this is to share the CA file (certificate authorities) but having different certificates. Each component has
its own certificate and its own key but all of them have a common CA file. 

Filebeat instance

output.logstash:
  hosts: ["logstash01","logstash02"]
  ssl.certificate_authorities: ["/etc/ca.crt"]
  ssl.certificate: "/etc/client.crt"
  ssl.key: "/etc/client.key"

- /etc/ca.crt is the CA file, it's generated only one time in one machine and copied to the three machines
- /etc/client.crt and /etc/client.key are generated in the Filebeat machine and they are used only by the Filebeat machine

Logstash instances

input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => ["/etc/ca.crt"]
    ssl_certificate => "/etc/server.crt"
    ssl_key => "/etc/server.key"
    ssl_verify_mode => "force_peer"
  }
}


This configuration will be the same in each Logstash instance but changing the files as I described below.

- /etc/ca.crt is the CA file and is the same in the three machines
- /etc/client.crt and /etc/client.key are generated in each Logstash machine, so each Logstash instance has its own client.crt and its own client.key
- force_peer is telling Logstash to close the connection if the incoming certificate from Filebeat is invalid against the CA file.

Finally, I suggest reading the following article https://www.elastic.co/guide/en/beats/filebeat/current/configuring-ssl-logstash.html where the Elastic guys talk
about securing Filebeat and Logstash, really well explained. As a final note: review the ports from output/input connections on each configuration file.

I hope it helps Felipe!

Regards,
Jesús

Felipe Andres Concha Sepúlveda

Jul 23, 2018, 3:34:55 AM
to Wazuh mailing list
Thank you Jesus for your answer, this procedure is different from the one that appears on the Wazuh page https://documentation.wazuh.com/current/installation-guide/optional-configurations/elastic_ssl.html
Since on the Wazuh page the certificates are created only in the Logstash instances and then the public key is copied to the Filebeat instance.

I am going to analyze this second form




Thank you Jesus


Felipe


jesus.g...@wazuh.com

Jul 23, 2018, 3:39:16 AM
to Wazuh mailing list
You are right Felipe,

The Wazuh team is going to improve the Elasticsearch SSL procedure, it must be explained in a better way.

Regards,
Jesús



Felipe Andres Concha Sepúlveda

Aug 22, 2018, 11:06:39 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Jesus, I'm setting up this way, but I can not understand it well, do you have an example that you can provide me?



Regards,
Felipe


jesus.g...@wazuh.com

Aug 23, 2018, 2:54:55 AM
to Wazuh mailing list
Long time from our last conversation Felipe! 

Ok so you need help struggling with SSL, let me know a bit more information of your problem. Let's dig into the problem.

Regards,
Jesús

Felipe Andres Concha Sepúlveda

Aug 23, 2018, 7:54:07 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Thanks Jesus, my main question is if I have to copy the certificates from the logstash machine to the filebeat machine, or I have to generate new ones on the filebeat machine, if so, I do not see what to communicate

Example:
I generate these two certificates in the logstash machine in the following way 
openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/client.key -out /etc/logstash/client.crt -config custom_openssl.cnf


THE client.crt and client.key is the same certificate that server.crt and server.key




Regards


Felipe

jesus.g...@wazuh.com

Aug 23, 2018, 11:12:44 AM
to Wazuh mailing list
Ok Felipe, 

I'm going to explain in a bit more detail.

The file /etc/ca.crt is the CA file, it's generated only one time in one machine. This file will be the same in all the machines you are using.
Files /etc/client.crt and /etc/client.key are generated in each machine you are using. This means each Logstash has its own client.crt and its own client.key,
same for the Filebeat instance. 

I think now it's clearer, right? Let me know if you are still misunderstanding the files issue.

Regards,
Jesús
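
The layout described in this thread (one CA file shared by every machine, a separate certificate and key per machine), as an added example that is not part of any post above: it creates the CA once, signs one certificate per host, and runs the chain check that force_peer depends on. The CA subject, the file names, the host names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: one shared CA, one key/certificate pair per machine.
set -eu

# make_ca DIR: run once, on one machine. Writes DIR/ca.key and DIR/ca.crt.
make_ca() {
    cat > "$1/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Beats CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
        -config "$1/openssl.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME HOST USAGE: new key + CSR for one machine, signed by the CA.
# USAGE is serverAuth for a Logstash host, clientAuth for the Filebeat host.
issue_cert() {
    openssl req -new -nodes -newkey rsa:2048 -config "$1/openssl.cnf" \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nextendedKeyUsage=%s\n' "$3" "$4" > "$1/$2.ext"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# chains_to CAFILE CERT: the check each peer makes; succeeds only if CERT was
# signed by the CA in CAFILE.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo in a scratch directory (constructed names; host names follow the thread).
demo=$(mktemp -d)
make_ca "$demo"
issue_cert "$demo" server01 logstash01 serverAuth
issue_cert "$demo" server02 logstash02 serverAuth
issue_cert "$demo" client   filebeat01 clientAuth
for c in server01 server02 client; do
    chains_to "$demo/ca.crt" "$demo/$c.crt" && echo "$c.crt: signed by ca.crt"
done
```

Only ca.crt and a machine's own .crt/.key pair are copied to that machine; ca.key stays where the CA was created.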

Felipe Andres Concha Sepúlveda

Aug 24, 2018, 5:19:37 AM
to jesus.g...@wazuh.com, Wazuh mailing list
Thank you Jesus for the answer


Regards

