diff --git a/filebeat/config.sls b/filebeat/config.sls
index 952172d..5c699ee 100644
--- a/filebeat/config.sls
+++ b/filebeat/config.sls
@@ -1,9 +1,11 @@
 {% from "filebeat/map.jinja" import conf with context %}
-{% if salt['pillar.get']('filebeat:logstash:tls:enabled', False) %}
-{{ salt['pillar.get']('filebeat:logstash:tls:ssl_cert_path', '/etc/pki/tls/certs/logstash-forwarder.crt') }}:
+{% set ssl_cert = salt['pillar.get']('filebeat:logstash:tls:ssl_cert', 'salt://filebeat/files/ca.pem') %}
+{% set ssl_cert_path = salt['pillar.get']('filebeat:logstash:tls:ssl_cert_path') %}
+{% if salt['pillar.get']('filebeat:logstash:tls:enabled', False) and ssl_cert and ssl_cert_path %}
+{{ ssl_cert_path }}:
 file.managed:
- - source: {{ salt['pillar.get']('filebeat:logstash:tls:ssl_cert', 'salt://filebeat/files/ca.pem') }}
+ - source: {{ ssl_cert }}
 - template: jinja
 - makedirs: True
 - user: root
diff --git a/filebeat/files/filebeat.jinja b/filebeat/files/filebeat.jinja
index a328dc4..2b5cda8 100644
--- a/filebeat/files/filebeat.jinja
+++ b/filebeat/files/filebeat.jinja
@@ -67,10 +67,12 @@ output:
 {%- if 'tls' in logstash %}
 {%- if logstash.tls.get('enabled', False) %}
 tls:
+{%- if logstash.tls.get('ssl_cert_path') %}
 certificate_authorities: ["{{ logstash.tls.ssl_cert_path }}"]
 {%- endif %}
 {%- endif %}
 {%- endif %}
+{%- endif %}
 shipper:
diff --git a/pillar.example b/pillar.example
index ae95188..eafc072 100644
--- a/pillar.example
+++ b/pillar.example
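Review bot: In filebeat/config.sls the new `ssl_cert_path` lookup drops the previous default (`/etc/pki/tls/certs/logstash-forwarder.crt`), so a minion whose pillar enables TLS but never set the path now skips the `file.managed` state without any message and stops receiving the CA file. If any deployment relied on that default, the upgrade changes which certificate authorities the log shipper trusts without anyone opting in. Keeping the default, `{% set ssl_cert_path = salt['pillar.get']('filebeat:logstash:tls:ssl_cert_path', '/etc/pki/tls/certs/logstash-forwarder.crt') %}`, would preserve those hosts, and an explicitly empty pillar value should still opt out because the `and ssl_cert_path` test rejects it. The closing `{% endif %}` of this block lies outside the hunk.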
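Review bot: With `ssl_cert_path` empty, the template in filebeat/files/filebeat.jinja now renders a bare `tls:` key with no children, which YAML reads as null; whether Filebeat then still negotiates TLS against the system trust store, as pillar.example promises, or treats the section as absent and ships logs unencrypted depends on the Filebeat version and should be confirmed with a rendered config before merge. If the fallback does work, it widens trust from one pinned CA to every CA installed on the host, which deserves a comment beside the new test, for example `{#- no CA path: Filebeat falls back to the system trust store #}`. Separately, the added `{%- endif %}` sits after the three existing ones although Jinja pairs the first of them with the new `if`; moving it to directly follow the `certificate_authorities` line would make the nesting readable. The block closed by the last `endif` opens outside the hunk.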
@@ -50,7 +50,10 @@ filebeat:
 tls:
 enabled: True
- # this is the public key from your ELK server
- # default path is salt://filebeat/files/ca.pem
- ssl_cert: salt://mycustom/filebeat/logstash-forwarder.crt
+ # path to the certificate of your ELK server
+ # set to empty to use system certificates
 ssl_cert_path: /etc/pki/tls/certs/logstash-forwarder.crt
+ # path to the certificate of your ELK server to be installed
+ # default is salt://filebeat/files/ca.pem
+ # set to empty to disable
+ ssl_cert: salt://mycustom/filebeat/logstash-forwarder.crt