- Metricbeat Reference: other versions:
- Overview
- Getting started with Metricbeat
- Setting up and running Metricbeat
- Upgrading Metricbeat
- How Metricbeat works
- Configuring Metricbeat
- Specify which modules to run
- Specify general settings
- Load external configuration files
- Configure the internal queue
- Configure the output
- Specify SSL settings
- Filter and enhance the exported data
- Parse data by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Configure logging
- Use environment variables in the configuration
- Autodiscover
- YAML tips and gotchas
- Regular expression support
- HTTP Endpoint
- metricbeat.reference.yml
- Modules
- Aerospike module
- Apache module
- Ceph module
- Couchbase module
- Docker module
- Dropwizard module
- Elasticsearch module
- Elasticsearch cluster_stats metricset
- Elasticsearch index metricset
- Elasticsearch index_recovery metricset
- Elasticsearch index_summary metricset
- Elasticsearch ml_job metricset
- elasticsearch ml_job MetricSet
- Elasticsearch node metricset
- Elasticsearch node_stats metricset
- Elasticsearch pending_tasks metricset
- elasticsearch pending_tasks MetricSet
- Elasticsearch shard metricset
- envoyproxy module
- Etcd module
- Golang module
- Graphite module
- HAProxy module
- HTTP module
- Jolokia module
- Kafka module
- Kibana module
- Kubernetes module
- Kubernetes apiserver metricset
- Kubernetes container metricset
- Kubernetes event metricset
- Kubernetes node metricset
- Kubernetes pod metricset
- Kubernetes state_container metricset
- Kubernetes state_deployment metricset
- Kubernetes state_node metricset
- Kubernetes state_pod metricset
- Kubernetes state_replicaset metricset
- Kubernetes state_statefulset metricset
- Kubernetes system metricset
- Kubernetes volume metricset
- kvm module
- Logstash module
- Memcached module
- MongoDB module
- Munin module
- MySQL module
- Nginx module
- PHP_FPM module
- PostgreSQL module
- Prometheus module
- RabbitMQ module
- Redis module
- System module
- System core metricset
- System cpu metricset
- System diskio metricset
- System filesystem metricset
- System fsstat metricset
- System load metricset
- System memory metricset
- System network metricset
- System process metricset
- System process_summary metricset
- System raid metricset
- System socket metricset
- System uptime metricset
- traefik module
- uwsgi module
- vSphere module
- Windows module
- ZooKeeper module
- Exported fields
- Aerospike fields
- Apache fields
- Beat fields
- Ceph fields
- Cloud provider metadata fields
- Common fields
- Couchbase fields
- Docker fields
- Docker fields
- Dropwizard fields
- Elasticsearch fields
- envoyproxy fields
- Etcd fields
- Golang fields
- Graphite fields
- HAProxy fields
- Host fields
- HTTP fields
- Jolokia fields
- Kafka fields
- Kibana fields
- Kubernetes fields
- Kubernetes fields
- kvm fields
- Logstash fields
- Memcached fields
- MongoDB fields
- Munin fields
- MySQL fields
- Nginx fields
- PHP_FPM fields
- PostgreSQL fields
- Prometheus fields
- RabbitMQ fields
- Redis fields
- System fields
- traefik fields
- uwsgi fields
- vSphere fields
- Windows fields
- ZooKeeper fields
- Monitoring Metricbeat
- Securing Metricbeat
- Troubleshooting
- Contributing to Beats
Secure communication with Logstash by using SSL
editSecure communication with Logstash by using SSL
editYou can use SSL mutual authentication to secure connections between Metricbeat and Logstash. This ensures that Metricbeat sends encrypted data to trusted Logstash servers only, and that the Logstash server receives data from trusted Metricbeat clients only.
To use SSL mutual authentication:
-
Create a certificate authority (CA) and use it to sign the certificates that you plan to use for Metricbeat and Logstash. Creating a correct SSL/TLS infrastructure is outside the scope of this document. There are many online resources available that describe how to create certificates.
If you are using X-Pack security, you can use the elasticsearch-certutil tool to generate certificates.
-
Configure Metricbeat to use SSL. In the
metricbeat.ymlconfig file, specify the following settings underssl:-
certificate_authorities: Configures Metricbeat to trust any certificates signed by the specified CA. Ifcertificate_authoritiesis empty or not set, the trusted certificate authorities of the host system are used. -
certificateandkey: Specifies the certificate and key that Metricbeat uses to authenticate with Logstash.For example:
output.logstash: hosts: ["logs.mycompany.com:5044"] ssl.certificate_authorities: ["/etc/ca.crt"] ssl.certificate: "/etc/client.crt" ssl.key: "/etc/client.key"
For more information about these configuration options, see Specify SSL settings.
-
-
Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the Beats input plugin for Logstash:
-
ssl: When set to true, enables Logstash to use SSL/TLS. -
ssl_certificate_authorities: Configures Logstash to trust any certificates signed by the specified CA. -
ssl_certificateandssl_key: Specify the certificate and key that Logstash uses to authenticate with the client. -
ssl_verify_mode: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify eitherpeerorforce_peerto make the server ask for the certificate and validate it. If you specifyforce_peer, and Metricbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use certutil, the certificates that you obtain must allow for bothclientAuthandserverAuthif the extended key usage extension is present.For example:
input { beats { port => 5044 ssl => true ssl_certificate_authorities => ["/etc/ca.crt"] ssl_certificate => "/etc/server.crt" ssl_key => "/etc/server.key" ssl_verify_mode => "force_peer" } }
For more information about these options, see the documentation for the Beats input plugin.
-
Validate the Logstash server’s certificate
editBefore running Metricbeat, you should validate the Logstash server’s certificate. You can use curl to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example:
curl -v --cacert ca.crt https://logs.mycompany.com:5044
If the test is successful, you’ll receive an empty response error:
* Rebuilt URL to: https://logs.mycompany.com:5044/ * Trying 192.168.99.100... * Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0) * TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: logs.mycompany.com * Server certificate: mycompany.com > GET / HTTP/1.1 > Host: logs.mycompany.com:5044 > User-Agent: curl/7.43.0 > Accept: */* > * Empty reply from server * Connection #0 to host logs.mycompany.com left intact curl: (52) Empty reply from server
The following example uses the IP address rather than the hostname to validate the certificate:
curl -v --cacert ca.crt https://192.168.99.100:5044
Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the logs.mycompany.com, the hostname that appears in the Subject field of the certificate.
* Rebuilt URL to: https://192.168.99.100:5044/ * Trying 192.168.99.100... * Connected to 192.168.99.100 (192.168.99.100) port 5044 (#0) * WARNING: using IP address, SNI is being disabled by the OS. * SSL: certificate verification failed (result: 5) * Closing connection 0 curl: (51) SSL: certificate verification failed (result: 5)
See the troubleshooting docs for info about resolving this issue.
Test the Beats to Logstash connection
editIf you have Metricbeat running as a service, first stop the service. Then test your setup by running Metricbeat in the foreground so you can quickly see any errors that occur:
metricbeat -c metricbeat.yml -e -v
Any errors will be printed to the console. See the troubleshooting docs for info about resolving common errors.