- Winlogbeat Reference: other versions:
- Overview
- Contributing to Beats
- Getting Started With Winlogbeat
- Setting up and running Winlogbeat
- Upgrading Winlogbeat
- Configuring Winlogbeat
- Set up Winlogbeat
- Specify general settings
- Configure the internal queue
- Configure the output
- Specify SSL settings
- Filter and Enhance the exported data
- Parse logs by using ingest node
- Set up project paths
- Set up the Kibana endpoint
- Load the Kibana dashboards
- Load the Elasticsearch index template
- Set up logging
- Use environment variables in the configuration
- YAML tips and gotchas
- winlogbeat.reference.yml
- Exported Fields
- Securing Winlogbeat
- Troubleshooting
WARNING: Version 6.0 of Winlogbeat has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Secure communication with Elasticsearch
editSecure communication with Elasticsearch
editTo secure the communication between Winlogbeat and Elasticsearch, you can use HTTPS and basic authentication. Here is a sample configuration:
output.elasticsearch: username: winlogbeat password: verysecret protocol: https hosts: ["elasticsearch.example.com:9200"]
The username to use for authenticating to Elasticsearch. |
|
The password to use for authenticating to Elasticsearch. |
|
This setting enables the HTTPS protocol. |
|
The IP and port of the Elasticsearch nodes. |
Elasticsearch doesn’t have built-in basic authentication, but you can achieve it either by using a web proxy or by using X-Pack to secure Elasticsearch. For more information, see the X-Pack documentation about securing Elasticsearch and Winlogbeat and X-Pack Security.
Winlogbeat verifies the validity of the server certificates and only accepts trusted certificates. Creating a correct SSL/TLS infrastructure is outside the scope of this document.
By default Winlogbeat uses the list of trusted certificate authorities from the operating system where Winlogbeat is running. You can configure Winlogbeat to use a specific list of CA certificates instead of the list from the OS. You can also configure it to use client authentication by specifying the certificate and key to use when the server requires the Beat to authenticate. Here is an example configuration:
output.elasticsearch: username: winlogbeat password: verysecret protocol: https hosts: ["elasticsearch.example.com:9200"] ssl.certificate_authorities: - /etc/pki/my_root_ca.pem - /etc/pki/my_other_ca.pem ssl.certificate: "/etc/pki/client.pem" ssl.key: "/etc/pki/key.pem"
The list of CA certificates to trust |
|
The path to the certificate for SSL client authentication |
|
The client certificate key |
For any given connection, the SSL/TLS certificates must have a subject
that matches the value specified for hosts
, or the SSL handshake fails.
For example, if you specify hosts: ["foobar:9200"]
, the certificate MUST
include foobar
in the subject (CN=foobar
) or as a subject alternative name
(SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then
you can associate the IP address with your hostname in /etc/hosts
(on Unix) or C:\Windows\System32\drivers\etc\hosts
(on Windows).