Setting up SSL for Filebeat and Logstash

If you are running Wazuh server and Elastic Stack on separate systems and servers (distributed architecture), it is important to configure SSL encryption between Filebeat and Logstash. (This does not apply to single-server architectures.)

Note

Many of the commands described below need to be executed with root user privileges.

Generating a self-signed SSL certificate

  1. Generate an SSL certificate and key as follows:

    On the machine with Logstash server installed, create a copy of the OpenSSL sample configuration file. The file location may vary depending on your operating system:

    1. On Debian or Ubuntu:

      # cp /etc/ssl/openssl.cnf custom_openssl.cnf
      
    2. On CentOS or Red Hat:

      # cp /etc/pki/tls/openssl.cnf custom_openssl.cnf
      

Note

Typically you will run the Logstash server on your Elastic Stack server or, if you have set up a distributed Elasticsearch cluster, on one of its nodes.

  2. Edit the custom configuration file, custom_openssl.cnf:

    Find the section [ v3_ca ] and add a line like the one below that includes the IP address of your Logstash (Elastic) server. Use the same address that Filebeat will later be configured to connect to: Filebeat checks the address it connects to against the certificate's subjectAltName, so a certificate issued for a different address will be rejected:

    [ v3_ca ]
    subjectAltName = IP: YOUR_SERVER_IP
    

    For example:

    [ v3_ca ]
    subjectAltName = IP: 192.168.1.2
    
  3. Generate the SSL certificate and key:

    # openssl req -x509 -batch -nodes -days 3650 -newkey rsa:2048 -keyout /etc/logstash/logstash.key -out /etc/logstash/logstash.crt -config custom_openssl.cnf
    
  4. You may remove the custom configuration file:

    # rm custom_openssl.cnf
    

Configure Logstash server

The newly generated SSL certificate and key will be found at /etc/logstash/logstash.crt and /etc/logstash/logstash.key, respectively. Next, configure Logstash to use this new key for communication with Filebeat.

  1. Edit the file /etc/logstash/conf.d/01-wazuh.conf and uncomment the lines related to SSL under input/beats. The active input section should now look like this:

    input {
        beats {
            port => 5000
            codec => "json_lines"
            ssl => true
            ssl_certificate => "/etc/logstash/logstash.crt"
            ssl_key => "/etc/logstash/logstash.key"
        }
    }
    
  2. Restart Logstash. The command depends on the OS init system:

    1. For Systemd:

      # systemctl restart logstash.service
      
    2. For legacy SysV Init:

      # service logstash restart
      

Configure Filebeat

Configure Filebeat to verify the Logstash server's certificate.

  1. On the machine with Filebeat installed (the Wazuh server), fetch the Logstash server's SSL certificate file, /etc/logstash/logstash.crt, and copy it to /etc/filebeat/logstash.crt. Only the certificate is copied; the private key (logstash.key) stays on the Logstash server.

    Here is an example that can be used to copy the SSL certificate from the Logstash server to the Wazuh server where Filebeat is installed:

    # scp root@LOGSTASH_SERVER_IP:/etc/logstash/logstash.crt /etc/filebeat
    
  2. Edit the file /etc/filebeat/filebeat.yml and uncomment the lines related to SSL inside the logstash output section. The address in hosts must be the same IP address that you placed in the certificate's subjectAltName. The file should look like this:

    output:
      logstash:
        hosts: ["192.168.1.2:5000"]
        ssl:
          certificate_authorities: ["/etc/filebeat/logstash.crt"]
    
  3. Restart Filebeat. The command depends on the OS init system:

    1. For Systemd:

      # systemctl restart filebeat.service
      
    2. For legacy SysV Init:

      # service filebeat restart
      

Note

More detailed information is available in the Securing communication with Logstash guide from Elastic.