Logstash Beats TLS Configuration

[endpointsec]

Good morning all,

We are preparing to migrate from SO to SO2 and our primary challenge is getting TLS enabled for Winlogbeat. For SO, we created the beats input specifying SSL and then edited the securityonion.conf file to include read only files (crt, key, input conf) for docker.

It looks like this needs to be managed through salt with SO2. I have created the new crt/key files and edited the beats input. Does placing the input conf in /opt/so/saltstack/local/salt/logstash/pipelines/config/ and restarting logstash enable the input? Haven't seen any guides yet to get this going and mostly trial & error on our behalf trying to get it working.

edit: Logstash is able to read the custom beats input but looking at the log, it can't read the crt/key files. Tried changing ownership from socore to logstash but did not help.

/opt/so/log/logstash/logstash.log
"File does not exist or cannot be opened" (.crt, .key)

[TOoSmOotH]

Yea looks like we are missing a bind for external certs. I have opened #1710 to fix this.

[TOoSmOotH]

ok I merged the fix into dev but if you want to fix this now instead of waiting will 2.3.10 you need to make the following changes:

mkdir /opt/so/saltstack/local/salt/logstash/etc/certs and drop your certs in there.

Then modify:
/opt/so/saltstack/default/salt/logstash/init.sls
https://github.com/Security-Onion-Solutions/securityonion/pull/1713/files

Change your config to point to point to the certs in that dir.

Restart logstash on the manager. so-logstash-restart