TLS secures Logstash pipelines by encrypting event traffic in transit, reducing the risk of log data and credentials being exposed or altered on the network.

TLS is enabled per plugin inside pipeline configuration, where an input such as beats listens with a server certificate and private key, and an output such as elasticsearch connects over HTTPS and validates the remote certificate using a trusted CA bundle.

Certificate paths, key permissions, and hostnames must align with the pipeline configuration, or the pipeline can fail to start and clients can reject the connection. Keep the CA certificate available for shippers that must trust the inbound listener, and apply changes during a planned Logstash restart window.

Steps to secure Logstash pipelines with TLS:

  1. Create a directory for TLS assets.
    $ sudo install -d -o root -g logstash -m 750 /etc/logstash/certs

    Restricting access to /etc/logstash/certs protects private keys from unintended reads.

  2. Install the CA certificates.
    $ sudo install -o root -g root -m 644 /tmp/logstash-ca.crt /etc/logstash/certs/logstash-ca.crt

    Two CA certificates are involved: logstash-ca.crt issued the inbound listener's certificate and is what shippers must trust, while es-http-ca.crt issued the Elasticsearch HTTP certificate and is what the elasticsearch output uses to validate node-01-secure. Install es-http-ca.crt into the same directory with the same ownership and mode. Certificates are public, so world-readable is fine; only the private key needs restricting.

  3. Install the server certificate.
    $ sudo install -o root -g root -m 644 /tmp/logstash.crt /etc/logstash/certs/logstash.crt

    When a chained CA is used, include the intermediate certificates in the server certificate file, leaf certificate first and then each intermediate in issuing order, so that clients that only trust the root can build the chain.

  4. Install the server private key.
    $ sudo install -o root -g logstash -m 640 /tmp/logstash.key /etc/logstash/certs/logstash.key

    A private key that is readable by unintended users can enable server impersonation, while a key that is not readable by the Logstash service account can prevent the pipeline from starting.

  5. Verify the certificate and key permissions.
    $ sudo ls -l /etc/logstash/certs
    total 16
    -rw-r--r-- 1 root root     1115 Jan  8 08:24 es-http-ca.crt
    -rw-r--r-- 1 root root     1119 Jan  8 08:24 logstash-ca.crt
    -rw-r--r-- 1 root root     1151 Jan  8 08:24 logstash.crt
    -rw-r----- 1 root logstash 1704 Jan  8 08:24 logstash.key

    The private key is readable only by root and by the logstash group; the certificates are public and can stay world-readable.

  6. Configure TLS settings in /etc/logstash/conf.d/70-tls.conf.
    input {
      beats {
        port => 5046
        ssl_enabled => true
        ssl_certificate => "/etc/logstash/certs/logstash.crt"
        # The beats input requires the key in PKCS#8 PEM format ("BEGIN PRIVATE KEY").
        ssl_key => "/etc/logstash/certs/logstash.key"
      }
    }
    output {
      elasticsearch {
        hosts => ["https://node-01-secure:9200"]
        ssl_enabled => true
        ssl_certificate_authorities => ["/etc/logstash/certs/es-http-ca.crt"]
        user => "elastic"
        # Prefer a Logstash keystore reference such as "${ES_PWD}" to a literal password.
        password => "elastic-password"
      }
    }

    Shippers connecting to port 5046 must trust the CA in /etc/logstash/certs/logstash-ca.crt; for Filebeat that is output.logstash.ssl.certificate_authorities. The beats input only loads a PKCS#8 key: if logstash.key begins with "BEGIN RSA PRIVATE KEY", convert it with openssl pkcs8 -topk8 -nocrypt before restarting. As written, the listener encrypts traffic and authenticates itself to shippers but does not authenticate them; setting ssl_client_authentication to "required" and adding ssl_certificate_authorities to the input turns this into mutual TLS. On the output side, the node name in hosts must match the certificate that es-http-ca.crt issued, or the connection is rejected. Storing the password in the Logstash keystore and referencing it as ${ES_PWD} keeps the credential out of a file that is readable by the logstash group, and a dedicated role with write access to the target indices is preferable to the elastic superuser.

  7. Test the pipeline configuration for errors.
    $ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
    Using bundled JDK: /usr/share/logstash/jdk
    Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
    [2026-01-08T08:38:56,442][INFO ][logstash.runner          ] Log4j configuration path used is: /etc/logstash/log4j2.properties
    ##### snipped #####
    Configuration OK
    [2026-01-08T08:38:56,861][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

    The separate --path.data keeps the test instance from contending for the data directory lock held by the running service. The test validates the configuration, not the files it references; a key in the wrong format or with the wrong permissions only shows up when the pipeline starts.

  8. Restart the Logstash service to apply TLS settings.
    $ sudo systemctl restart logstash

    Shippers lose their connection during the restart and reconnect with backoff, which is why the change belongs in the planned window.
  9. Verify the TLS listener is presenting the certificate.
    $ openssl s_client -connect localhost:5046 -servername logstash.example.net -CAfile /etc/logstash/certs/logstash-ca.crt
    CONNECTED(00000003)
    ##### snipped #####
    Verify return code: 0 (ok)

    A return code of 0 means the presented chain verifies against logstash-ca.crt. Code 21 (unable to verify the first certificate) usually means an intermediate is missing from logstash.crt, and code 20 (unable to get local issuer certificate) means logstash-ca.crt did not issue the presented certificate. By default s_client does not check that the name given in -servername appears in the certificate; add -verify_hostname logstash.example.net to confirm the SAN as well, because Beats verifies the hostname and rejects a certificate whose names do not cover the host it connects to.
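The pre-flight script below is an added example; it is not part of the original page or of Logstash. It checks, before the restart in step 8, the properties the steps above depend on: that logstash.key is PKCS#8 (the beats input will not load a PKCS#1 key), that its mode and ownership match step 4, that it belongs to logstash.crt, and that the certificate chains to logstash-ca.crt, covers the hostname shippers connect to, and is not about to expire. It assumes the openssl CLI and GNU stat. The make_test_pki function builds a constructed, throwaway CA and server certificate for logstash.example.net so the checks can be exercised offline; it is not the issuance process behind the certificates in /tmp.

```sh
#!/bin/sh
# Added example, not from the original page: pre-flight checks on the TLS assets a
# Logstash beats input and elasticsearch output will load, so a restart does not fail
# on a bad key and shippers do not reject an unverifiable certificate.
# Assumes the openssl CLI and GNU coreutils (stat -c).
# The beats input requires the private key in PKCS#8 PEM ("BEGIN PRIVATE KEY");
# a PKCS#1 ("BEGIN RSA PRIVATE KEY") or SEC1 ("BEGIN EC PRIVATE KEY") key is converted with:
#   openssl pkcs8 -topk8 -nocrypt -in logstash.key -out logstash.pk8.key

# 0 if the key is PKCS#8 (plain or encrypted), 1 for any other PEM header.
check_key_pkcs8() {
  case "$(head -n 1 "$1")" in
    '-----BEGIN PRIVATE KEY-----'|'-----BEGIN ENCRYPTED PRIVATE KEY-----') return 0 ;;
    *) return 1 ;;
  esac
}

# Key must be mode 600 or 640 (no world bits) and owned by the expected user:group
# (root:logstash on the page: the service account can read it, nobody else can).
check_key_perms() {
  local perms mode owner group
  perms=$(stat -c '%a %U %G' "$1") || return 1
  mode=${perms%% *}; perms=${perms#* }; owner=${perms%% *}; group=${perms#* }
  case "$mode" in 600|640) ;; *) return 1 ;; esac
  [ "$owner" = "$2" ] && [ "$group" = "$3" ]
}

# The public key derived from the private key must equal the one in the certificate.
check_key_matches_cert() {
  local from_key from_cert
  from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  from_cert=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# The certificate (with any intermediates appended) must chain to the CA shippers trust.
check_chain() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }

# The name shippers use (SNI / -servername) must appear in the certificate's SANs.
check_hostname() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q ' does match certificate'
}

# The certificate must remain valid for at least $2 more days.
check_not_expiring() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Run every check, print each failure, return 1 if any failed.
preflight_tls_assets() {
  local cert=$1 key=$2 ca=$3 host=$4 owner=$5 group=$6 rc=0
  check_key_pkcs8 "$key"                   || { echo "FAIL: $key is not PKCS#8";          rc=1; }
  check_key_perms "$key" "$owner" "$group" || { echo "FAIL: $key mode or ownership";      rc=1; }
  check_key_matches_cert "$key" "$cert"    || { echo "FAIL: $key does not match $cert";   rc=1; }
  check_chain "$cert" "$ca"                || { echo "FAIL: $cert does not chain to $ca"; rc=1; }
  check_hostname "$cert" "$host"           || { echo "FAIL: $cert has no SAN for $host";  rc=1; }
  check_not_expiring "$cert" 30            || { echo "FAIL: $cert expires within 30 days"; rc=1; }
  [ "$rc" -eq 0 ] && echo "OK: TLS assets for $host pass pre-flight"
  return "$rc"
}

# Constructed throwaway PKI for trying the checks offline: a self-signed CA and a server
# certificate with a SAN for $2, both valid for $3 days. Not the production issuance process.
make_test_pki() {
  local d=$1 host=$2 days=$3
  mkdir -p "$d" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$host" > "$d/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.csr" \
      -subj '/CN=Example Logstash CA' 2>/dev/null &&
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -extfile "$d/ca.ext" \
      -days "$days" -out "$d/logstash-ca.crt" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/logstash.key" -out "$d/server.csr" \
      -subj "/CN=$host" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/logstash-ca.crt" -CAkey "$d/ca.key" \
      -CAcreateserial -extfile "$d/server.ext" -days "$days" -out "$d/logstash.crt" 2>/dev/null &&
  chmod 640 "$d/logstash.key"
}

# Usage: sh tls-preflight.sh --demo   (runs the checks against a throwaway PKI in a temp dir)
if [ "${1:-}" = "--demo" ]; then
  dir=$(mktemp -d)
  make_test_pki "$dir" logstash.example.net 365
  preflight_tls_assets "$dir/logstash.crt" "$dir/logstash.key" "$dir/logstash-ca.crt" \
      logstash.example.net "$(id -un)" "$(id -gn)"
fi
```

Against the real assets the call is preflight_tls_assets /etc/logstash/certs/logstash.crt /etc/logstash/certs/logstash.key /etc/logstash/certs/logstash-ca.crt logstash.example.net root logstash, run before step 8; the same checks with es-http-ca.crt and the node-01-secure hostname cover the elasticsearch output side, except for the key checks, which do not apply to a CA file.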