From 34a6de726b2f7e6be113414030baf72229fb2320 Mon Sep 17 00:00:00 2001 From: Karen Metts <35154725+karenzone@users.noreply.github.com> Date: Mon, 15 Sep 2025 17:51:04 -0400 Subject: [PATCH] Doc: Use current Logstash SSL settings for auditbeat (#46457) (cherry picked from commit 49aa7212928b5a2cf5abae2dbd7bfa177f0da33b) --- .../auditbeat/configuring-ssl-logstash.md | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/docs/reference/auditbeat/configuring-ssl-logstash.md b/docs/reference/auditbeat/configuring-ssl-logstash.md index b533fdf75c9..5c85d2a78f0 100644 --- a/docs/reference/auditbeat/configuring-ssl-logstash.md +++ b/docs/reference/auditbeat/configuring-ssl-logstash.md 
@@ -17,16 +17,16 @@ To use SSL mutual authentication: If you are using {{security-features}}, you can use the [elasticsearch-certutil tool](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md) to generate certificates. :::: -2. Configure Auditbeat to use SSL. In the `auditbeat.yml` config file, specify the following settings under `ssl`: +2. Configure Auditbeat to use SSL. In the `auditbeat.yml` config file, specify these settings under `ssl`: - * `certificate_authorities`: Configures Auditbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. - * `certificate` and `key`: Specifies the certificate and key that Auditbeat uses to authenticate with Logstash. + * `certificate_authorities`. Configures Auditbeat to trust any certificates signed by the specified CA. If `certificate_authorities` is empty or not set, the trusted certificate authorities of the host system are used. + * `certificate` and `key`. Specifies the certificate and key that Auditbeat uses to authenticate with Logstash. For example: ```yaml output.logstash: - hosts: ["logs.mycompany.com:5044"] + hosts: ["logs.example.com:5044"] ssl.certificate_authorities: ["/etc/ca.crt"] ssl.certificate: "/etc/client.crt" ssl.key: "/etc/client.key" 
@@ -34,12 +34,12 @@ To use SSL mutual authentication: For more information about these configuration options, see [SSL](/reference/auditbeat/configuration-ssl.md). -3. Configure Logstash to use SSL. In the Logstash config file, specify the following settings for the [Beats input plugin for Logstash](logstash-docs-md://lsr/plugins-inputs-beats.md): +3. Configure Logstash to use SSL. In the Logstash config file, specify these settings for the [Beats input plugin for Logstash](logstash-docs-md://lsr/plugins-inputs-beats.md): - * `ssl`: When set to true, enables Logstash to use SSL/TLS. - * `ssl_certificate_authorities`: Configures Logstash to trust any certificates signed by the specified CA. - * `ssl_certificate` and `ssl_key`: Specify the certificate and key that Logstash uses to authenticate with the client. - * `ssl_verify_mode`: Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `peer` or `force_peer` to make the server ask for the certificate and validate it. If you specify `force_peer`, and Auditbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present. + * `ssl`. When set to true, enables Logstash to use SSL/TLS. + * `ssl_certificate_authorities`. Configures Logstash to trust any certificates signed by the specified CA. + * `ssl_certificate` and `ssl_key`. Specify the certificate and key that Logstash uses to authenticate with the client. + * `ssl_client_authentication`. Specifies whether the Logstash server verifies the client certificate against the CA. You need to specify either `required` or `optional` to make the server ask for the certificate and validate it. 
If you specify `required`, and Auditbeat doesn’t provide a certificate, the Logstash connection will be closed. If you choose not to use [certutil](elasticsearch://reference/elasticsearch/command-line-tools/certutil.md), the certificates that you obtain must allow for both `clientAuth` and `serverAuth` if the extended key usage extension is present. For example: @@ -47,11 +47,11 @@ To use SSL mutual authentication: input { beats { port => 5044 - ssl => true + ssl_enabled => true ssl_certificate_authorities => ["/etc/ca.crt"] ssl_certificate => "/etc/server.crt" ssl_key => "/etc/server.key" - ssl_verify_mode => "force_peer" + ssl_client_authentication => "required" } } ``` 
@@ -65,35 +65,35 @@ To use SSL mutual authentication: Before running Auditbeat, you should validate the Logstash server’s certificate. You can use `curl` to validate the certificate even though the protocol used to communicate with Logstash is not based on HTTP. For example: ```shell -curl -v --cacert ca.crt https://logs.mycompany.com:5044 +curl -v --cacert ca.crt https://logs.example.com:5044 ``` If the test is successful, you’ll receive an empty response error: ```shell -* Rebuilt URL to: https://logs.mycompany.com:5044/ +* Rebuilt URL to: https://logs.example.com:5044/ * Trying 192.168.99.100... -* Connected to logs.mycompany.com (192.168.99.100) port 5044 (#0) -* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA -* Server certificate: logs.mycompany.com -* Server certificate: mycompany.com +* Connected to logs.example.com (192.168.99.100) port 5044 (#0) +* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 +* Server certificate: logs.example.com +* Server certificate: example.com > GET / HTTP/1.1 -> Host: logs.mycompany.com:5044 +> Host: logs.example.com:5044 > User-Agent: curl/7.43.0 > Accept: */* > * Empty reply from server -* Connection #0 to host logs.mycompany.com left intact +* Connection #0 to host logs.example.com left intact curl: (52) Empty reply from server ``` -The following example uses the IP address rather than the hostname to validate the certificate: +This example uses the IP address rather than the hostname to validate the certificate: ```shell curl -v --cacert ca.crt https://192.168.99.100:5044 ``` -Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.mycompany.com`, the hostname that appears in the Subject field of the certificate. +Validation for this test fails because the certificate is not valid for the specified IP address. It’s only valid for the `logs.example.com`, the hostname that appears in the Subject field of the certificate. 
```shell * Rebuilt URL to: https://192.168.99.100:5044/
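Review bot: In the Logstash settings list of the `@@ -34,12` hunk, the first bullet still documents `ssl` ("When set to true, enables Logstash to use SSL/TLS") while the example in the following hunk is changed to `ssl_enabled => true`; rename the bullet to `ssl_enabled` so the list and the example name the same setting. The `ssl_client_authentication` bullet also presents `required` and `optional` side by side as ways to make the server ask for and validate the certificate, but only `required` is described as closing the connection when Auditbeat provides no certificate. Since these steps sit under "To use SSL mutual authentication", the bullet should say outright that `required` is the value that enforces client authentication.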
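Review bot: In the `@@ -65,35` hunk the sample curl output now reads `SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384`, but the unchanged `User-Agent: curl/7.43.0` line names a curl release that predates TLS 1.3 support, so the transcript is no longer self-consistent. Either regenerate the whole output with a current curl or update the User-Agent line to match the new TLS line. In the last changed sentence, "It’s only valid for the `logs.example.com`" carries a stray "the" that could be dropped while the line is being touched.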