Is it possible to secure the communication between filebeat and logstash with a token of some kind?
I know that it is possible to secure the filebeat --> logstash connection through HTTPS mutual authentication, but I feel they are pretty hard to manage if we have many different filebeat clients (prove me wrong and I'll happily change my mind).
I am also aware that it is possible to secure the logstash --> elastic connection with API keys, but that's not what I need, I need securing from filebeat to logstash.
I'm setting up a centralized ELK stack for log analytics that will be used to collect logs from a variety of different systems, some may be actual servers, most will be developer's workstations.
I would like to set up a system in which a developer logs into a secured internal service, asks for a token, and starts streaming logs from her/his workstation right away.
If a breach is detected I would like it to be a simple process: it should be enough to invalidate the previous token that has been leaked and issue a new one, and then removing from ES the unwanted log entries streamed by the leaked token.
It is not possible; the only way to secure the communication between filebeat and logstash is using SSL certificates.
The closest you can get to what you want is if you send the filebeat logs directly to elasticsearch, then you would be able to use an API key; this needs security enabled in elasticsearch.
In both cases you would need to configure the filebeat.yml file for the developer's workstation.
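To make the two options in the answer concrete, here is an added example of the client-side `filebeat.yml` (not taken from the question, the answer, or the Elastic documentation). It shows the Logstash output with mutual TLS, and, commented out as an alternative, the Elasticsearch output with an API key. Host names, file paths and the `workstation` field value are placeholders; the `id:api_key` string must be replaced by the key Elasticsearch issues.

```yaml
# filebeat.yml on a developer workstation (added example, placeholders throughout)

filebeat.inputs:
  - type: filestream
    id: app-logs
    paths:
      - /var/log/myapp/*.log

# Tag every event with who sent it, so events from a compromised client
# can be located (and deleted) in Elasticsearch by this field later.
fields:
  workstation: dev-alice-laptop   # placeholder identity
fields_under_root: true

# Option 1 (the answer's recommendation): Logstash with mutual TLS.
# The client certificate is the workstation's credential; revoking or
# rotating it is the equivalent of invalidating a token.
output.logstash:
  hosts: ["logstash.example.internal:5044"]   # placeholder host
  ssl.enabled: true
  ssl.verification_mode: full                 # verify the Logstash server cert and hostname
  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
  ssl.certificate: "/etc/filebeat/dev-alice-laptop.crt"
  ssl.key: "/etc/filebeat/dev-alice-laptop.key"

# Option 2 (the answer's alternative): ship straight to Elasticsearch with an
# API key. Only one output may be enabled at a time, so this stays commented
# out while output.logstash is active.
#output.elasticsearch:
#  hosts: ["https://es.example.internal:9200"]   # placeholder host
#  api_key: "id:api_key"                         # replace with the issued key
#  ssl.certificate_authorities: ["/etc/filebeat/ca.crt"]
```

For option 1 the mutual part happens on the Logstash side: the `beats` input must be configured to require a client certificate (`ssl_verify_mode => "force_peer"` in older versions of the plugin, `ssl_client_authentication => "required"` in newer ones); with plain server-only TLS any client that trusts the CA can connect. For option 2, issuing one API key per workstation gives exactly the revoke-and-reissue workflow the question asks for, and the `workstation` field makes the follow-up cleanup a single delete-by-query.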