Reputation: 3547
I want to figure out a safe way to run logstash-forwarder, or rather logstash with the lumberjack input, in an untrusted network environment.
As far as I understand, the SSL certificate ensures an encrypted connection between client and server and authenticates the server for the client (as in "ok, I know this server is the real logging-server"). How can I authenticate the client for the server (as in "ok, I know this client trying to send me events is one of my machines, not someone else")?
Upvotes: 1
Views: 95
Reputation: 2217
SSL certificates can work in a bidirectional way. They can be used to authenticate the server ("ok, this server is the real logging-server") and also the other way around ("ok, I know this client is one of my machines"). For the second case you need to use client certificates.
Although Logstash Forwarder allows you to configure a client certificate, logstash's lumberjack input does not support client certs. There is an open GitHub issue regarding this feature.
To overcome this dilemma you can use an alternative log client and logstash's TCP input, which supports client certs. The input will look like this:
input {
    tcp {
        port => 9999
        ssl_cert => "/path/to/server.crt"
        ssl_key => "/path/to/server.key"
        ssl_cacert => "/path/to/ca.crt"
        ssl_enable => true
        ssl_verify => true
    }
}
On the client side you can use several tools. I personally do this with NXLog. A proper NXLog output config would look like this:
<Output logstash>
    Module      om_ssl
    Host        yourhost
    Port        9999
    CAFile      %CERTDIR%/ca.crt
    CertFile    %CERTDIR%/client.crt
    CertKeyFile %CERTDIR%/client.key
</Output>
Unfortunately this is just a workaround with another piece of software, but I'm afraid there is no native lumberjack solution.
Upvotes: 1
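To make the authentication boundary in the answer concrete, here is an added Go example; it is not code from the answer, from Logstash or from NXLog. It builds a throwaway CA, a server certificate and a client certificate in memory, runs a TLS server configured the way the tcp input above is (a client certificate chaining to the CA is required, the analogue of ssl_verify => true together with ssl_cacert), and exercises three clients: one with a CA-signed certificate, which is accepted and whose CN the server recovers; one with no certificate; and one with a certificate from an unrelated CA, both of which the server rejects. The names logstash.example.internal, log-client-01 and the CA names are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCert makes a P-256 key and a certificate for cn (server and client auth on
// 127.0.0.1): self-signed when parent is nil, otherwise signed by parent's key.
func newCert(cn string, isCA bool, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // key generation or signing failures are fatal for a demo
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key} // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// buildPKI mirrors the answer's ca.crt, server and client files, plus a client cert from an unrelated CA (not one of your machines).
func buildPKI() (ca, server, client, rogue tls.Certificate) {
	ca = newCert("Example Logging CA", true, nil)
	otherCA := newCert("Unrelated CA", true, nil)
	return ca, newCert("logstash.example.internal", false, &ca),
		newCert("log-client-01", false, &ca), newCert("not-my-machine", false, &otherCA)
}

// handshake runs one TLS connection over loopback. The server demands a client cert chaining
// to ca (what ssl_verify => true with ssl_cacert means for the tcp input) and the function
// returns the authenticated client CN or the server-side handshake error.
func handshake(ca, server tls.Certificate, client *tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one outside ClientCAs, is rejected
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // client side: trusts the same CA for the server, presents its cert if it has one
		cfg := &tls.Config{RootCAs: pool}
		if client != nil {
			cfg.Certificates = []tls.Certificate{*client}
		}
		if c, err := tls.Dial("tcp", ln.Addr().String(), cfg); err == nil {
			c.Close() // under TLS 1.3 a rejected client only sees the alert on its next read
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tc := conn.(*tls.Conn)
	if err := tc.Handshake(); err != nil {
		return "", err
	}
	return tc.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca, server, client, rogue := buildPKI()
	for _, c := range []*tls.Certificate{&client, nil, &rogue} { // CA-signed, none, foreign CA
		fmt.Println(handshake(ca, server, c))
	}
}
```

Running it prints the recovered CN for the first client and a handshake error for the other two. The server-side verdict is the one to trust when checking such a setup: with TLS 1.3 the client's own handshake can complete before the server has looked at the certificate, so a client that "connected" is not proof that the server accepted it.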