SSL Configuration

How to update your SSL configuration for Elastic Beats and Rsyslog

The SSL Certificate Expiry Notice can be found here.

The updated certificate file contains both the old and new root certificates and should be updated as soon as possible. If you have any issues with the new certificate, please contact us.

Rsyslog

If you're not sending over an encrypted connection, no changes are required, but we would urge you to upgrade to a TLS endpoint.

To confirm, look for the double @@ before the Logstash address in your rsyslog configuration.

Sample configuration snippet:

$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/root.logit.io.crt

$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io

*.* @@YOUR-LOGSTASH-ENDPOINT:YOUR-SYSLOG-SSL-PORT

Rsyslog will only accept a single file name to verify the SSL connection with, but you can have more than one certificate in that file.

Replace the certificate file with the new file available from here.

Restart rsyslog and confirm that it has reconnected, is still sending data, and is reporting no errors.
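A check for the rsyslog settings above, written as an added example (it is not Logit.io's or rsyslog's own tooling): it reads legacy-syntax configuration text and reports, for each forwarding line, whether it uses the double @@ and the TLS directives from the sample snippet. It assumes a directive applies to every forwarding line below it; `audit_rsyslog`, `PAGE_SNIPPET`, `WEAK_SAMPLE` and the `PORT` placeholder are names made up for this example.

```python
import re

# Legacy-syntax forwarding action: selector, then @ (UDP) or @@ (TCP), then the target.
FORWARD = re.compile(r"^([^#\s]\S*)\s+(@@?)(\S+)$")
DIRECTIVE = re.compile(r"^\$(\w+)\s+(\S+)$")
# Values from this page's sample snippet; None means any value is accepted.
EXPECTED = {
    "DefaultNetstreamDriverCAFile": None,
    "ActionSendStreamDriver": "gtls",
    "ActionSendStreamDriverMode": "1",
    "ActionSendStreamDriverAuthMode": "x509/name",
    "ActionSendStreamDriverPermittedPeer": None,
}


def audit_rsyslog(conf_text):
    """Return (line_no, target, problems) per forward; assumes directives above it apply."""
    seen, results = {}, []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        directive = DIRECTIVE.match(raw.strip())
        if directive:
            seen[directive.group(1).lower()] = directive.group(2)
            continue
        forward = FORWARD.match(raw.strip())
        if not forward:
            continue  # blank line, comment, or an action that is not a forward
        marker, target = forward.group(2), forward.group(3)
        problems = ["single @ (UDP): sent without TLS"] if marker == "@" else []
        if marker == "@@":
            for name, want in EXPECTED.items():
                got = seen.get(name.lower())
                if got is None or want not in (None, got):
                    problems.append(f"${name} is {got!r}, expected {want or 'a value'}")
        results.append((line_no, target, problems))
    return results


# Constructed sample input: the page's snippet, then two forwards without TLS.
PAGE_SNIPPET = (
    "$DefaultNetstreamDriverCAFile /etc/rsyslog.d/keys/ca.d/root.logit.io.crt\n"
    "$ActionSendStreamDriver gtls\n$ActionSendStreamDriverMode 1\n"
    "$ActionSendStreamDriverAuthMode x509/name\n"
    "$ActionSendStreamDriverPermittedPeer *.logit.io\n"
    "*.* @@YOUR-LOGSTASH-ENDPOINT:YOUR-SYSLOG-SSL-PORT\n"
)
WEAK_SAMPLE = "*.* @YOUR-LOGSTASH-ENDPOINT:PORT\n*.* @@YOUR-LOGSTASH-ENDPOINT:PORT\n"

if __name__ == "__main__":
    print(audit_rsyslog(PAGE_SNIPPET), audit_rsyslog(WEAK_SAMPLE), sep="\n")
```

An empty problems list means the forwarding line matches the sample snippet; it does not prove the certificate file itself has been replaced.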

Legacy Filebeat / Metricbeat / Other Elastic Beats

With older configurations (typically v1.3 or below) you may have specified a certificate_authority and will need to update the intermediate.crt on your system. See the example below:

output.logstash:
  hosts: ["YOUR-LOGSTASH-ENDPOINT:YOUR-BEATS-SSL-PORT"]
 
  tls:
    certificate_authorities: ['/etc/pki/tls/certs/root.logit.io.crt']
    enabled: true

Please download the new certificate and replace the old intermediate.crt.

Newer configurations that do not specify a certificate_authority are unlikely to require configuration changes. However, you may need to add our intermediate to your certificate store as per your OS defaults. The example below requires no action:

output.logstash:
  hosts: ["YOUR-LOGSTASH-ENDPOINT:YOUR-BEATS-SSL-PORT"]
  ssl.enabled: true