I am running Elasticsearch and Kibana stack 5.5.0 with Readonlyrest plugin on server side and Filebeat agent on client side. I have defined groups and users rules and everything works like a charm.
The only thing that I didn’t find out how to add is SSL encryption.
How can I protect data sent by Filebeat to Elasticsearch against sniffing with Readonlyrest plugin?
Thank you @sscarduzio
I tried to follow the documentation but I have a problem in metricbeat side.
First, I generated a self-signed .jks key for my private network host server (elastic.lan) using keytool
and everything is working well when I tested it on browser or with curl command.
For the metricbeat side, I extracted the certificate and the key files from the .jks file using these commands
and copied them to my client server and edited metricbeat.yml
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elastic.lan:9200"]
  template.enabled: false
  template.versions.2x.enabled: false
  template.overwrite: false
  username: "client"
  password: "XXXXXXX"
  protocol: "https"
  ssl.enabled: true
  ssl.certificate: "/etc/pki/tls/certs/cert.crt"
  ssl.key: "/etc/pki/tls/certs/key.key"
Metricbeat was running, but I get this error in the log file:
ERR Connecting error publishing events (retrying): Get https://elastic.lan:9200: x509: certificate signed by unknown authority
I know that I didn’t have a signed certificate from a certificate authority; is this the only problem, or is there something messed up in my configuration? If it is, how can I solve it?
I have already found out how to create a self-signed certificate with a certificate authority that I have made, and created a certificate/key for both server and client signed with the CA, following this article [here] (One Identity | Unified Identity Security).
So I created on server side
cacert.pem
servercert.pem
serverkey.pem
then I extracted the keystore file from them, and for the client side I have
output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elastic.lan:9200"]
  template.enabled: false
  template.versions.2x.enabled: false
  template.overwrite: false
  # Optional protocol and basic auth credentials.
  username: "client"
  password: "XXXXXX"
  protocol: "https"
  ssl.enabled: true
  ssl.certificate_authorities: ["/etc/pki/tls/certs/cacert.pem"]
  ssl.certificate: "/etc/pki/tls/certs/clientcert.pem"
  ssl.key: "/etc/pki/tls/certs/clientkey.pem"
Everything is working like a charm: metricbeat is sending metrics without any error, but the problem now is with kibana; it can’t access elasticsearch any more.
I tried to add these lines in kibana.yml
plugin:elasticsearch@5.5.0 Unable to connect to Elasticsearch at https://localhost:9200.
When I try to comment out the https/ssl block in elasticsearch.yml and connect kibana to http://localhost:9200, it works and shows the latest metrics from the metricbeat index, but metricbeat stops sending metrics because the https/ssl block in elasticsearch was disabled. How can I run ssl encryption for both the ES <=> metricbeat and ES <=> kibana sides?
@Madou23, please, can you specify what exactly you did when you found out how to create a self-signed certificate with a certificate authority?
The link to balabit.com is no longer working and I am at a loss how you created and configured certificates for both server and client.
You are doing exactly what I need to do, but I am failing constantly.
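
One way to build the CA-signed layout discussed in this thread with `openssl`, as an added example (not the posters' own commands and not taken from the linked article). It creates `cacert.pem`, `servercert.pem` and `serverkey.pem`, then checks which clients would accept the server certificate: one holding the right CA, one holding a different CA (the "unknown authority" case), and one connecting under a name the certificate does not carry. The function names `make_pki` and `chain_ok`, the subject names, the temporary directories and the validity period are assumptions.

```shell
#!/usr/bin/env bash
# Added example. File names mirror the thread; subject names, directories
# and validity periods are assumptions made for illustration.

# make_pki DIR HOST CA_NAME: build a private CA and a server cert for HOST.
make_pki() (
  mkdir -p "$1" && cd "$1" &&
  # 1. CA private key and self-signed CA certificate (the trust anchor).
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$3" \
    -keyout cakey.pem -out cacert.pem 2>/dev/null &&
  # 2. Server private key and certificate signing request.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout serverkey.pem -out server.csr 2>/dev/null &&
  # 3. The CA signs the request; the SAN is the name clients match against.
  printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
  openssl x509 -req -in server.csr -CA cacert.pem -CAkey cakey.pem \
    -CAcreateserial -days 365 -extfile san.ext -out servercert.pem 2>/dev/null
)

# chain_ok CA_FILE CERT HOST: succeeds only if CERT chains to CA_FILE
# and is valid for HOST.
chain_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

demo() {
  tmp=$(mktemp -d)
  make_pki "$tmp/lab" elastic.lan "Example Lab CA"
  make_pki "$tmp/other" elastic.lan "Unrelated CA"
  cert="$tmp/lab/servercert.pem"
  # Client that lists the signing CA in ssl.certificate_authorities: accepted.
  chain_ok "$tmp/lab/cacert.pem" "$cert" elastic.lan && echo "lab CA: trusted"
  # Client holding some other CA: rejected, issuer is unknown to it.
  chain_ok "$tmp/other/cacert.pem" "$cert" elastic.lan || echo "other CA: rejected"
  # Right CA, but the client connects as localhost: rejected, name mismatch.
  chain_ok "$tmp/lab/cacert.pem" "$cert" localhost || echo "localhost: rejected"
  rm -rf "$tmp"
}
demo
```

A client certificate is made the same way as the server one: repeat steps 2 and 3 with the client's subject and keep `cakey.pem` off both hosts once signing is done.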