SSL in winlogbeat - logstash

[jozb09]

I managed to follow the steps on documentation, https://docs.securityonion.net/en/2.3/beats.html

Now, I need to know what should I do on agent side?

Should I uncomment those SSL lines?

And how can I test to see if my SSL config works and if logs are shipping in an encrypted format. ??

Thanks!

[weslambert]

You can copy the myca.crt/mybeats.crt to your endpoint and use it for the appropriate values.

You can test to see if data is encrypted by using something like tcpdump to sniff the traffic hitting the interface/port of the Security Onion node.

[alexandruhera]

This is the kind of answer I was looking for as well, but , where are these certs stored? Moreover, since the elasticsearch now wants authentication, is there way for us to define the user/password, or API key? It's more difficult to edit the elastic yml file in the container without breaking anything.

[alexandruhera]

Never mind, I found some in /etc/pki, I will try them out.

[jozb09]

@weslambert I used internal PKI which I have cer file with private key

[jozb09]

@alexandruhera Yes I did, and I specify the path like the below screenshot,

[alexandruhera]

Thanks a lot, I haven't realized that. Also, what about the authentication for the elastic output? Do you know where these are set, in which config file? :)

[jozb09]

under /opt/so/saltstack/local/salt/logstash/pipelines/config/so/0009_input_beats.conf

[jozb09]

Can you share what should be configured to that file?

[alexandruhera]

Absolutely, I will come back on this, but now it appears that my containers can't boot..