Setting up SSL for Filebeat and Logstash
If you are running Wazuh server and Elastic Stack on separate systems and servers (distributed architecture), it is important to configure SSL encryption between Filebeat and Logstash. (This does not apply to single-server architectures.)
Note
Many of the commands described below need to be executed with root user privileges.
Generating a self-signed SSL certificate
Generate an SSL certificate and key as follows:
On the machine with Logstash server installed, create a copy of the OpenSSL sample configuration file. The file location may vary depending on your operating system:
On Debian or Ubuntu:
# cp /etc/ssl/openssl.cnf custom_openssl.cnf
On CentOS or Red Hat:
# cp /etc/pki/tls/openssl.cnf custom_openssl.cnf
Note
Typically you will run the Logstash server in your Elastic Stack server or, if you have set up a distributed Elasticsearch cluster, in one of its nodes.
Edit the custom configuration file, custom_openssl.cnf:
Find the section [ v3_ca ] and add a line like the one below that includes your Elastic server's IP address:
[ v3_ca ]
subjectAltName = IP: YOUR_SERVER_IP
For example:
[ v3_ca ]
subjectAltName = IP: 192.168.1.2
Generate the SSL certificate and key:
# openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf
You may remove the custom configuration file:
# rm custom_openssl.cnf
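With its default certificate verification, Filebeat rejects the connection when the address it connects to is not listed in the certificate, so it is worth confirming that the generated certificate carries the server IP as a subjectAltName and pairs with the key. The script below is an added example, not part of the original guide; the helper name check_logstash_cert and its arguments are assumptions, and it uses only the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check the certificate
# and key produced by the "openssl req -x509" step before deploying them.
# check_logstash_cert is a hypothetical helper name.
# Usage: check_logstash_cert CERT KEY SERVER_IP   (returns 0 when all checks pass)
check_logstash_cert() {
    clc_cert=$1
    clc_key=$2
    clc_ip=$3

    # 1. The IP that Filebeat connects to must appear as an IP subjectAltName.
    #    Split the SAN line on commas and require an exact entry match, so
    #    that 192.168.1.2 does not match 192.168.1.20.
    if ! openssl x509 -in "$clc_cert" -noout -text |
            tr ',' '\n' |
            sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
            grep -Fxq "IP Address:$clc_ip"; then
        echo "FAIL: no IP subjectAltName for $clc_ip in $clc_cert" >&2
        return 1
    fi

    # 2. The private key must belong to the certificate: compare the public
    #    key embedded in the certificate with the one derived from the key.
    clc_pub_cert=$(openssl x509 -in "$clc_cert" -noout -pubkey) || return 1
    clc_pub_key=$(openssl pkey -in "$clc_key" -pubout) || return 1
    if [ "$clc_pub_cert" != "$clc_pub_key" ]; then
        echo "FAIL: $clc_key does not match $clc_cert" >&2
        return 1
    fi

    # 3. The certificate must not already be expired.
    if ! openssl x509 -in "$clc_cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: $clc_cert has expired" >&2
        return 1
    fi

    echo "OK: $clc_cert is valid for $clc_ip and matches $clc_key"
}

# Run the check when the script is called with CERT KEY SERVER_IP.
if [ "$#" -eq 3 ]; then
    check_logstash_cert "$@"
fi
```

Saved under an assumed name such as check_logstash_cert.sh, it can be run as: sh check_logstash_cert.sh /etc/logstash/logstash.crt /etc/logstash/logstash.key YOUR_SERVER_IP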
Configure Logstash server
The newly generated SSL certificate and key will be found at /etc/logstash/logstash.crt and /etc/logstash/logstash.key, respectively. Next, configure Logstash to use this new key for communication with Filebeat.
Edit the file /etc/logstash/conf.d/01-wazuh.conf and uncomment the lines related to SSL under input/beats. The active input section should now look like this:
input {
    beats {
        port => 5000
        codec => "json_lines"
        ssl => true
        ssl_certificate => "/etc/logstash/logstash.crt"
        ssl_key => "/etc/logstash/logstash.key"
    }
}
Restart Logstash. The command depends on the OS init system:
For Systemd:
# systemctl restart logstash.service
For legacy SysV Init:
# service logstash restart
Configure Filebeat
Configure Filebeat to verify the Logstash server's certificate.
On the machine with Filebeat installed (the Wazuh server), fetch the Logstash server's SSL certificate file at /etc/logstash/logstash.crt and copy it into /etc/filebeat/logstash.crt.
Here is an example that can be used to copy the SSL certificate from the Logstash server to the Wazuh server where Filebeat is installed:
# scp root@LOGSTASH_SERVER_IP:/etc/logstash/logstash.crt /etc/filebeat
Edit the file /etc/filebeat/filebeat.yml and uncomment the lines related to SSL inside of logstash. The file should look like this:
output:
  logstash:
    hosts: ["192.168.1.2:5000"]
    ssl:
      certificate_authorities: ["/etc/filebeat/logstash.crt"]
Restart Filebeat. The command depends on the OS init system:
For Systemd:
# systemctl restart filebeat.service
For legacy SysV Init:
# service filebeat restart
Note
More detailed information is available in the Securing communication with Logstash guide from Elastic.