Once you have copied the CA certificate to the remote host running filebeat, proceed to configure Filebeat-Logstash SSL/TLS communication. Configure Filebeat for Logstash SSL/TLS communicationĪssuming you have already installed Filebeat on a system you want to collect logs from, configure it for Logstash TLS communication as follows Ĭopy the CA certificate generated above to the remote remote system. If you see the line, Successfully started Logstash API endpoint, then you good to go.
In this setup, we install the certs/keys on the /etc/logstash directory cp $HOME/elk/ Next, copy the node certificate, $HOME/elk/elk.crt, and the Beats standard key, to the relevant configuration directory. Convert the Keys to Standard Elastic Beats PKCS#8 Key formatįor Beat to connect to Logstash via TLS, you need to convert the generated node key to the PKCS#8 standard required for the Elastic Beat – Logstash communication over TLS openssl pkcs8 -in $HOME/elk/elk.key -topk8 -nocrypt -out $HOME/elk/ Configure Filebeat-Logstash SSL/TLS Connection You should now have these files ls $HOME/ca/ -1 ca.crtīe sure to keep you private keys as secure as possible.
In the command below, we extract to my home directory. Read more about the elasticsearch-certutil tool on Elasticsearch reference page.Įxtract the certificate files to some directory.
Listing the contents of the archive file unzip -l $HOME/elk-cert.zip Archive: /root/elk-cert.zip The command will create the CA key and certificate, the node key and certificate archived in a $HOME/elk-cert.zip file which is valid for an year. usr/share/elasticsearch/bin/elasticsearch-certutil cert -keep-ca-key -pem -in $HOME/instances.yml -out $HOME/elk-cert.zip -days 365 Once that is done, run the command below to generate the ELK Stack TLS Certificates. To silently generate the node certificates, create an YAML file to define you nodes distinguished names (can be hostname) and the node FQDN in the format shown below vim $HOME/instances.yml instances: However, in this demo, since we are just running a single node Elastic Stack with all the components in place, then we will just generate the certificates for just this single node. With elasticsearch-certutil, it is possible to generate the certificates for a specific node or multiple nodes. In this demo, we will be creating TLS certificates using elasticsearch-certutil.Įlasticsearch-certutil is an Elastic Stack utility that simplifies the generation of X.509 certificates and certificate signing requests for use with SSL/TLS in the Elastic stack. Install and Configure Filebeat 7 on Ubuntu 18.04/Debian 9.8 Generate ELK Stack CA and Server Certificates Install Filebeat on Fedora 30/Fedora 29/CentOS 7 Install and Configure Filebeat on CentOS 8 Navigate to Amazon SQS -> Queues, and click Create queue.Deploy a Single Node Elastic Stack Cluster on Docker Containers Install and Setup Filebeatįollow the links below to install and setup Filebeat NOTE: This module requires that the user have a valid AWS service account, and credentials/permissions to access to the SQS queue we will be configuring. The official Elastic documentation for the Google Workspace module can be found here: Please follow the steps below to get started. In this brief walkthrough, we’ll use the aws module for Filebeat to ingest cloudtrail logs from Amazon Web Services into Security Onion.Ĭredit goes to Kaiyan Sheng and Elastic for having an excellent starting point on which to base this walkthrough.