Test filebeat -> LS -> ES using fips config

donoghuc · donoghuc · commit 018b6a1e71bd · 2025-05-30T14:17:20.000-07:00
As described in elastic/ingest-dev#5471 this commit adds a test for filebeat sending data through logstash to elasticsearch using fips config.
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/docker-compose.yml b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/docker-compose.yml
@@ -12,6 +12,7 @@ services:
       - elastic
     depends_on:
       - elasticsearch
+
   elasticsearch:
     image: docker.elastic.co/elasticsearch/elasticsearch-fips:${ELASTICSEARCH_IMAGE_VERSION:-8.19.0-SNAPSHOT}
     container_name: fips_test_elasticsearch
@@ -26,20 +27,30 @@ services:
       - ELASTIC_PASSWORD=changeme
     networks:
       - elastic
-# Filebeat is not yet used in tests, but this is included to show that including it in the compose network
-# will not adversely affect startup time etc for testing interactions between other components.
+
   filebeat:
+    # The filebeat shipped with the elasticsearch-fips container is built for FIPS support
+    # There is no stand alone distribution. This uses the shipped version for testing. 
     image: docker.elastic.co/elasticsearch/elasticsearch-fips:${FILEBEAT_IMAGE_VERSION:-8.19.0-SNAPSHOT}
     container_name: fips_test_filebeat
-    entrypoint: ["filebeat", "-e", "--strict.perms=false", "-c", "/usr/share/filebeat/filebeat.yml"]
+    working_dir: /usr/share/filebeat
+    entrypoint: ["/bin/bash", "-c"]
+    # Start Filebeat with /tmp for data (always writable)
+    command: 
+      - |
+        exec /opt/filebeat/filebeat -e \
+          --strict.perms=false \
+          -c /usr/share/filebeat/filebeat.yml \
+          --path.data /tmp/filebeat_data
     volumes:
-      - ./filebeat/config/${FILEBEAT_CONFIG:-filebeat-fips.yml}:/usr/share/filebeat/filebeat.yml
-      - ./filebeat/data:/data
-      - ./certs:/usr/share/filebeat/certs
-    profiles:
-      - filebeat
+      - ./filebeat/config/${FILEBEAT_CONFIG:-filebeat-fips.yml}:/usr/share/filebeat/filebeat.yml:ro
+      - ./filebeat/data:/data/logs:ro
+      - ./certs:/usr/share/filebeat/certs:ro
     networks:
       - elastic
+    depends_on:
+      - logstash
+
 networks:
   elastic:
     driver: bridge
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/config/filebeat-fips.yml b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/config/filebeat-fips.yml
@@ -2,12 +2,19 @@ filebeat.inputs:
 - type: log
   enabled: true
   paths:
-    - /test-logs/*.log
+    - /data/logs/sample_logs.txt
 
 output.logstash:
   hosts: ["logstash:5044"]
   ssl.enabled: true
-  ssl.certificate: "/usr/share/elasticsearch/config/certs/filebeat.crt"
-  ssl.key: "/usr/share/elasticsearch/config/certs/filebeat.key"
-  ssl.certificate_authorities: ["/usr/share/elasticsearch/config/certs/ca.crt"]
+  ssl.certificate: "/usr/share/filebeat/certs/filebeat.crt"
+  ssl.key: "/usr/share/filebeat/certs/filebeat.key"
+  ssl.certificate_authorities: ["/usr/share/filebeat/certs/ca.crt"]
+  ssl.verification_mode: "certificate"
 
+# Add debugging
+logging.level: debug
+logging.to_stderr: true
+
+# Keep registry in the anonymous volume to avoid host pollution
+path.data: /tmp/filebeat_data
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/data/sample_logs.json b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/data/sample_logs.json
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/data/sample_logs.txt b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/filebeat/data/sample_logs.txt
@@ -0,0 +1 @@
+TEST-LOG: FIPS filebeat test message
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/filebeat-to-ls-to-es.conf b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/filebeat-to-ls-to-es.conf
@@ -0,0 +1,26 @@
+input {
+  beats {
+    port => 5044
+    ssl_enabled => true
+    ssl_certificate => "/usr/share/logstash/config/certs/logstash.crt"
+    ssl_key => "/usr/share/logstash/config/certs/logstash.key"
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+  }
+}
+
+filter {
+  mutate {
+    add_tag => ["filebeat"]
+  }
+}
+
+output {
+  elasticsearch {
+    hosts => ["https://elasticsearch:9200"]
+    user => "elastic"
+    password => "changeme"
+    ssl_enabled => true
+    ssl_certificate_authorities => ["/usr/share/logstash/config/certs/ca.crt"]
+    index => "filebeat-test-%{+YYYY.MM.dd}"
+  }
+}
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/logstash-to-elasticsearch.conf b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/docker/logstash/pipeline/logstash-to-elasticsearch.conf
@@ -23,4 +23,8 @@ output {
     index => "logstash-fips-test-%{+YYYY.MM.dd}"
     ssl_supported_protocols => ["TLSv1.2"]
   }
+  
+  stdout {
+    codec => rubydebug
+  }
 }
diff --git a/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb b/x-pack/distributions/internal/observabilitySRE/qa/acceptance/spec/acceptance_tests_spec.rb
@@ -126,4 +126,32 @@ def docker_compose_down(env={}) = docker_compose_invoke("down --volumes", env)
         expect(logs).to include("org.bouncycastle")
       end
   end
+
+  context "When running in a FIPS compliant configuration" do
+    before(:all) do
+      docker_compose_up({"LOGSTASH_PIPELINE" => "filebeat-to-ls-to-es.conf"})
+      wait_for_elasticsearch
+    end
+  
+    after(:all) do
+      docker_compose_down
+    end
+  
+    it "data flows from Filebeat through Logstash to Elasticsearch" do
+      # Wait for index to appear, indicating data is flowing
+      wait_until(timeout: 30, message: "Index filebeat-test not found") do
+        response = es_request("/_cat/indices?v")
+        response.code == "200" && response.body.include?("filebeat-test")
+      end
+      # Wait until specific data from filebeat/logstash mutate filters are observed
+      query = { query: { match_all: {} } }.to_json
+      result = nil
+      wait_until(timeout: 30, message: "Index filebeat-test not found") do
+        response = es_request("/filebeat-test-*/_search", query)
+        result = JSON.parse(response.body)
+        response.code == "200" && result["hits"]["total"]["value"] > 0
+      end
+      expect(result["hits"]["hits"].first["_source"]["tags"]).to include("filebeat")
+    end
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -23,4 +23,8 @@ output {`
`23`	`23`	`index => "logstash-fips-test-%{+YYYY.MM.dd}"`
`24`	`24`	`ssl_supported_protocols => ["TLSv1.2"]`
`25`	`25`	`}`
	`26`	`+`
	`27`	`+ stdout {`
	`28`	`+ codec => rubydebug`
	`29`	`+ }`
`26`	`30`	`}`