安全通信设置:使用 OpenSSL 为 Logstash 和 Filebeat 提供 SSL 证书

Elastic 中国社区官方博客2024-02-03 12:05

在为 Elasticsearch 采集数据时,我们经常使用到 Filebeat 及 Logstash。在我们之前的很多教程中,我们通常不为 Filebeat 和 Logstash 之前的通信做安全配置。

如何为 Filebeat 及 Logstash 直接建立安全的链接?这个在很多的情况下是非常有用的。在我之前的文章 "Elasticsearch:为日志分析设置安全的 Elasticsearch 管道",我有涉及到这个问题。最主要的是,它是针对 Elastic Stack 8.x 而设计的。在今天的文章中,我将针对最普通的情况来进行展示。

本指南提供了有关使用 OpenSSL 生成和配置 SSL 证书的详细说明,以增强 Logstash 和 Filebeat 之间通信的安全性。 概述的步骤包括为证书颁发机构 (CA) 生成私钥、为 CA 创建自签名 X509 证书以及为 Logstash 和 Filebeat 生成密钥和证书。 还包括使用这些证书的 Filebeat 和 Logstash 的配置步骤。

为 CA 生成私钥

复制代码 
# Generate a private key for the Certificate Authority (CA)
openssl genrsa 2048 > /path/to/your/ca-key.pem

$ pwd
/Users/liuxg/demos/filebeat_logstash
$ openssl genrsa 2048 > ca-key.pem
$ ls
ca-key.pem

为 CA 生成 X509 证书

复制代码 
# Generate a self-signed X509 certificate for the CA
openssl req -new -x509 -nodes -days 365000 \
    -key /path/to/your/ca-key.pem \
    -out /path/to/your/ca-cert.pem

openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem

$ pwd
/Users/liuxg/demos/filebeat_logstash
$ ls
ca-key.pem
$ openssl req -new -x509 -nodes -days 365000 -key ca-key.pem -out ca-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Elastic
Organizational Unit Name (eg, section) []:Community
Common Name (e.g. server FQDN or YOUR name) []:Xiaoguo
Email Address []:x@y.com
$ ls
ca-cert.pem ca-key.pem

为 Logstash 和 Filebeat 创建证书和密钥

复制代码 
# Generate a private key and certificate for Logstash and Filebeat using the CA
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout /path/to/your/server.key \
    -out /path/to/your/server.crt \
    -CA /path/to/your/ca-cert.pem \
    -CAkey /path/to/your/ca-key.pem

openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout ./server.key \
    -out ./server.crt \
    -CA ./ca-cert.pem \
    -CAkey ./ca-key.pem

$ pwd
/Users/liuxg/demos/filebeat_logstash
$ ls
ca-cert.pem ca-key.pem
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
>     -keyout ./server.key \
>     -out ./server.crt \
>     -CA ./ca-cert.pem \
>     -CAkey ./ca-key.pem
........+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+..+.+...+.........+..+.............+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+..........+.....+...+.........+.+..+......+.......+...............+..+...+.......+...+...+.....+......+......+.......+..+....+..+..........+..+......+......+.+..+.+..............+...+.......+..+...+.......+...+........+...+......+....+..+.......+.....+...............+......+................+......+...+......+.....+.+..+...+..........+........+................+...............+......+..+.+..+.........+...+.......+......+...+.....+.+...............+...+........+...+.........+...+.........+....+.....+.+........+...+.........+..........+......+..+.............+.....+....+...+..+.............+......+......+.........+..+...+....+...+............+...+..+.+......+.....+.+..+...+..................+.....................+....+..............+.+..+..........+..+...+....+...+......+.................+...+....+........+...+.+...........+..........+.....+...............+....+......+..............+...+......+......+...+.......+...+.....+...+.............+..+.......+.....+.+..+....+...+......+.....+..........+..+.........+.........+.+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+.........+.........+.....+.+.....+.+.........+..+....+........+...+.......+........+...+......+...+...+............+..........+...+..+..........+.....+.............+..+...+...+....+...+..............+....+..+......................+..+...+...+...+.+.........+......+...+..+.+...+.....+.........+...+...+.+...+..+.+........+............+..........+..+.+.....................+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Elastic
Organizational Unit Name (eg, section) []:Community 
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:x@y.com

按照同样的方法,我们生成相应的 client 证书:

复制代码 
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -keyout client.key \
    -out client.crt \
    -CA ./ca-cert.pem \
    -CAkey ./ca-key.pem

$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
>     -keyout ./server.key \
>     -out ./server.crt \
>     -CA ./ca-cert.pem \
>     -CAkey ./ca-key.pem
........+...+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*...........+..+.+...+.........+..+.............+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*..........+..........+.....+...+.........+.+..+......+.......+...............+..+...+.......+...+...+.....+......+......+.......+..+....+..+..........+..+......+......+.+..+.+..............+...+.......+..+...+.......+...+........+...+......+....+..+.......+.....+...............+......+................+......+...+......+.....+.+..+...+..........+........+................+...............+......+..+.+..+.........+...+.......+......+...+.....+.+...............+...+........+...+.........+...+.........+....+.....+.+........+...+.........+..........+......+..+.............+.....+....+...+..+.............+......+......+.........+..+...+....+...+............+...+..+.+......+.....+.+..+...+..................+.....................+....+..............+.+..+..........+..+...+....+...+......+.................+...+....+........+...+.+...........+..........+.....+...............+....+......+..............+...+......+......+...+.......+...+.....+...+.............+..+.......+.....+.+..+....+...+......+.....+..........+..+.........+.........+.+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.........+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+.........+.........+.....+.+.....+.+.........+..+....+........+...+.......+........+...+......+...+...+............+..........+...+..+..........+.....+.............+..+...+...+....+...+..............+....+..+......................+..+...+...+...+.+.........+......+...+..+.+...+.....+.........+...+...+.+...+..+.+........+............+..........+..+.+.....................+......+........+.+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Elastic
Organizational Unit Name (eg, section) []:Community 
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:x@y.com
$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
>     -keyout client.key \
>     -out client.crt \
>     -CA ./ca-cert.pem \
>     -CAkey ./ca-key.pem
....+...+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.........+........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*......+....+.....+....+...+...+..+..................+.+..............+.+.....................+...+..+.............+..+.......+..+......+............+......+.+......+.........+.........+......+...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
..+.....+..................+.+..+............+.+..+....+......+...+.....+.......+...+.....+......+...+.............+........+.+.....+....+..+.......+......+..+....+...+..+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.+.....+......+.+...+..+....+.....+.............+........+.......+...+............+.....+..................+.......+..+.+.........+...............+.....+.+..+...+...+.+......+.....+.......+.....+...+.........+......+....+...+...........+....+...........+......+.........+....+.....+......+......+.+.....+..........+.....+............+.+......+...+...+...+..+.......+..+...+......+.+......+.....+....+...+..+...............+....+...............+..+.........+...+.+.....+................+.....+.+...+......+.....+......+.......+..+...+......+.+......+...+.....+.........+......................+...+.....+...+...+......+.........+.+.....+....+.....+...............+....+...+.....+............+.+..+.......+..+...+...+............+..........+..+................+..+...+...+.+...+........+...+.+...........+.........+......+..................+....+.....+............+....+.....+......+....+..+....+.....+.+.....+...+...............+....+.....+..........+..+................+..+............+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Elastic
Organizational Unit Name (eg, section) []:Community
Common Name (e.g. server FQDN or YOUR name) []:localhost
Email Address []:x@y.com
$ ls
ca-cert.pem                           filebeat-8.12.0-darwin-aarch64.tar.gz
ca-key.pem                            logstash-8.12.0
client.crt                            logstash-8.12.0-darwin-aarch64.tar.gz
client.key                            server.crt
filebeat-8.12.0-darwin-aarch64        server.key

配置 Filebeat(或任何 Beat)

复制代码 
output.logstash:
  hosts: ["localhost:5044"]
  
  # Specify the path to the CA certificate for verification
  ssl.certificate_authorities: ["/path/to/your/ca-cert.pem"]
  
  # Specify the path to the client certificate
  ssl.certificate: "/path/to/your/server.crt"
  
  # Specify the path to the client private key
  ssl.key: "/path/to/your/server.key"

配置 Logstash

复制代码 
input {
  beats {
    port => 5044
    ssl => true
    
    # Specify the path to the CA certificate for verification
    ssl_certificate_authorities => ["/path/to/your/ca-cert.pem"]
    
    # Specify the path to the server certificate
    ssl_certificate => "/path/to/your/server.crt"
    
    # Specify the path to the server private key
    ssl_key => "/path/to/your/server.key"
    
    # Set peer verification mode to force_peer
    ssl_verify_mode => "force_peer"
  }
}

确保将 /path/to/your/ 替换为密钥和证书的实际所需路径。

测试

我们在当前的目录下安装 Filebeat 及 Logstash:

filebeat_ssl.yml

复制代码 
$ pwd
/Users/liuxg/demos/filebeat_logstash
$ ls 
ca-cert.pem                           logstash-8.12.0
ca-key.pem                            logstash-8.12.0-darwin-aarch64.tar.gz
filebeat-8.12.0-darwin-aarch64        server.crt
filebeat-8.12.0-darwin-aarch64.tar.gz server.key
$ cd filebeat-8.12.0-darwin-aarch64
$ ls filebeat_ssl.yml 
filebeat_ssl.yml

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - ./logfile.log
output.logstash:
  hosts: ["localhost:5044"]
  ssl.certificate_authorities: ["../ca-cert.pem"]
  ssl.certificate: "../server.crt"
  ssl.key: "../server.key"
logging:
  level: info
  to_files: true
  files:
  path: .
  name: filebeat.log
  keepfiles: 7
  permissions: 0644

我们在 filebeat 安装目录下创建一个叫做 logfile.log 的文件。它的内容如下:

logfile.log

复制代码 
This is a test log

logstash.conf

复制代码 
input {
  beats {
    port => 5044
    ssl => true
    ssl_certificate_authorities => "../ca-cert.pem"
    ssl_certificate => "../server.crt"
    ssl_key => "../server.key"
    ssl_verify_mode => "force_peer"
  }
}

output {
  stdout { codec => rubydebug }
  file {
    path => "../outputfile.log"
  }
}

我们首先运行 logstash:

复制代码 
./bin/logstash -f logstash.conf

我们再接下来运行 Filebeat:

我们回到 Logstash 运行的 terminal 中进行查看:

从上面的输出中,我们可以看到日志被正确地采集到 Logstash。我们可以更进一步输出到 Elasticsearch。在这里,我们就不再累述了。

相关推荐
南金研高新科技(南京)有限公司10 分钟前
储能电站通信升级:CAN中继,为安全高效运行筑牢“信号防线”
安全·硬件·储能·can中继
李庆政37026 分钟前
OkHttp的基本使用 实现GET/POST请求 authenticator自动认证 Cookie管理 请求头设置
java·网络协议·http·okhttp·ssl
KKKlucifer41 分钟前
智能体协同安全服务,提升运维效率与防护精度
运维·安全
以太浮标43 分钟前
华为eNSP模拟器综合实验之- NATServer 实践配置解析
网络·网络协议·华为·智能路由器·信息与通信
我爱学习好爱好爱1 小时前
Ansible 自动化部署Elasticsearch + Logstash + Kibana实战(基于RockyLinux 9.6)
elasticsearch·自动化·ansible
未来龙皇小蓝1 小时前
Java安全通信:RSA签名 + AES混合加密详解
java·开发语言·安全·web安全
IT WorryFree1 小时前
LLD 自动发现场景 → 对应使用哪种探测方式(SNMP/HTTP/Agent)最优
网络·网络协议·http
桌面运维家1 小时前
MySQL安全实战:慢查询诊断与SQL注入防御
sql·mysql·安全
Lhan.zzZ1 小时前
Qt多线程数据库操作:安全分离连接,彻底解决段错误
数据库·c++·qt·安全
LiLiYuan.1 小时前
【Elasticsearch扫盲】
大数据·elasticsearch·搜索引擎
热门推荐
012026年3月AI领域大事件:DeepSeek引领开源风暴02GitHub 镜像站点03Qwen3.5-Omni与Qwen3.6模型全面解析(含测评/案例/使用教程)04Claude Code + GLM4.7 避坑指南:解决 Unable to connect to Anthropic services05围棋-html版本06UV安装并设置国内源07“wsl --install -d Ubuntu-22.04”下载慢,中国地区离线安装 Ubuntu 22.04 WSL方法(亲测2025年5月6日)08让 Trae IDE 智能体 “读懂”文档 Excel+PDF+DOCX :mcp-documents-reader 工具使用指南09AI 编程效率翻倍:Superpowers Skills 上手清单 + 完整指南10纯 HTML/CSS/JS 实现的高颜值登录页,还会眨眼睛!少女心爆棚!