Elastic (ELK) Stack Security - Filebeat Logstash SSL Mutual Authentication Example
Previously we secured our Elasticsearch instance with a username and password and also configured SSL, TLS, and HTTPS for it. However, it is not possible to secure Logstash and Filebeat using credentials; Elasticsearch does not provide that option. In this tutorial we will secure the connection between Logstash and Filebeat by implementing SSL authentication using certificates. For this tutorial we will use the latest Elasticsearch version, which is Elasticsearch 8.
Implementation
For the Logstash and Filebeat mutual authentication we will need the following certificates:
ca.crt (Certificate Authority):
This file contains the public certificate of the trusted Certificate Authority (CA) that issued the server (Logstash) and client (Filebeat) certificates.
Both Filebeat and Logstash use this CA certificate to verify the authenticity of each other's certificates during the TLS handshake.
The CA certificate serves as a trusted root, and all certificates signed by this CA are considered valid and trusted.
elk.crt (Public Server Certificate):
This file contains the public certificate.
During the TLS handshake, Logstash and Filebeat present this certificate to authenticate their identity to each other.
The CA certificate (ca.crt) is used to verify the validity and authenticity of the elk.crt server certificate.
elk.key (Private Key):
This file contains the private key corresponding to the elk.crt server certificate.
The private key is used to prove ownership of the elk.crt certificate during the TLS handshake.
The private key is used to encrypt a part of the TLS handshake data, which can then be decrypted using the public key from the elk.crt certificate.

Filebeat Initiates Connection:
Filebeat initiates a connection to Logstash on localhost:5044 over an encrypted SSL/TLS channel. During the TLS handshake, Filebeat sends its client certificate elk.crt to Logstash.
Logstash Verifies Filebeat's Certificate:
Logstash receives Filebeat's client certificate. Logstash uses the trusted CA certificate, ca.crt, to validate the authenticity of Filebeat's client certificate. If the validation is successful, Logstash trusts that the client (Filebeat) is authentic.
Logstash Authenticates Itself to Filebeat:
Logstash sends its server certificate elk.crt to Filebeat.
Filebeat Verifies Logstash's Certificate:
Filebeat receives Logstash's server certificate. Filebeat uses the trusted CA certificate, ca.crt, to validate the authenticity of Logstash's server certificate. If the validation is successful, Filebeat trusts that the server (Logstash) is authentic.
Secure Communication Established:
Filebeat and Logstash then encrypt the data using the elk.key as part of the TLS handshake. This encrypted data can be decrypted using the public elk.crt. Filebeat can now start sending log data to Logstash over this secure channel.
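
Both verification steps above fail at handshake time if elk.crt does not chain to ca.crt or if elk.key belongs to a different certificate, so it is worth checking the three files before configuring either side. The script below is an added example, not part of the original tutorial; it assumes the openssl CLI is installed, and the function names and the throwaway demo CA are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check of ca.crt / elk.crt / elk.key with the openssl CLI.

# Build a throwaway CA and an elk certificate signed by it (constructed test data).
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Demo CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$d/elk.key" -out "$d/elk.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/elk.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/elk.crt" 2>/dev/null
}

# Return 0 only if the certificate chains to the CA for both TLS roles
# (elk.crt is presented by Filebeat as client and by Logstash as server)
# and the private key belongs to the certificate.
check_mtls_material() {
  local ca="$1" crt="$2" key="$3" purpose cert_pub key_pub
  for purpose in sslclient sslserver; do
    # -no-CApath keeps the system trust store out of the decision.
    openssl verify -CAfile "$ca" -no-CApath -purpose "$purpose" "$crt" >/dev/null 2>&1 || {
      echo "FAIL: $crt does not verify against $ca as $purpose" >&2; return 1; }
  done
  # The public key embedded in the certificate must equal the one derived from the key.
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $crt" >&2; return 1; }
  echo "OK: $crt chains to $ca and matches $key"
}

# Usage: script.sh ca.crt elk.crt elk.key   (no arguments: run against the demo PKI)
if [ "$#" -eq 3 ]; then
  check_mtls_material "$@"
elif [ "$#" -eq 0 ]; then
  demo=$(mktemp -d) && make_demo_pki "$demo" &&
    check_mtls_material "$demo/ca.crt" "$demo/elk.crt" "$demo/elk.key"
  rm -rf "$demo"
fi
```
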