
Setting up a Helm-based Cyral sidecar to push logs to Kafka with mTLS

Prerequisites

  • Cyral Sidecar version 2.24.0 or later.

  • A Kafka server.

  • A Vault Server with PKI engine enabled.

Required inputs

  • Kafka endpoint (hostname and port);

  • Kafka topic;

  • The API path to request certificates from the Vault PKI engine (e.g., cyral_pki/issue/example-dot-com);

  • The common name for the certificate that will be requested from Vault.

Updating the sidecar

Update your values.yaml and set the Vault Integration values so that the sidecar knows:

  1. the API path to request new certificates from the Vault PKI engine, and

  2. the common name for the new certificate.

In the code snippet below, these values are defined under the vaultIntegration.secrets.filebeat section.

Note that the values of certificateChain, clientCertificate, and clientPrivateKey are usually the same. In this case, you need to replace cyral_pki/issue/example-dot-com with the proper value. The certificate's common name is set in commonName, so you need to replace cyral-filebeat.example.com with the proper value.

vaultIntegration:
  enabled: true
  integrationId: "<VaultIntegrationID>"
  awsRoleArn: <RoleARN>
  secrets:
    sidecar:
      certificateChain: "cyral_pki/issue/example-dot-com"
      serverCertificate: "cyral_pki/issue/example-dot-com"
      serverPrivateKey: "cyral_pki/issue/example-dot-com"
      commonName: "cyral-sidecar.example.com"
    filebeat:
      certificateChain: 'cyral_pki/issue/example-dot-com'
      clientCertificate: 'cyral_pki/issue/example-dot-com'
      clientPrivateKey: 'cyral_pki/issue/example-dot-com'
      commonName: 'cyral-filebeat.example.com'


Next, you have to set the Filebeat values so that it knows how to push logs to Kafka. In the following code snippet, you have to replace <KafkaHost:KafkaPort> and <KafkaTopic>, respectively, with your Kafka server endpoint and topic name.

filebeat:
  output:
    type: kafka
    useTLS: true
    useMutualAuthentication: true
    usePrivateCertificateChain: true
  kafka:
    hosts: <KafkaHost:KafkaPort>
    topic: <KafkaTopic>
    version: 2.0.0


After updating your values.yaml file, you have to update the Helm deployment.

helm upgrade -i cyral-sidecar cyral-sidecar --namespace cyral-sidecar -f values.yaml --repo https://charts.cyral.com --version 2.23.2
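A check to run on values.yaml before the upgrade, given here as an added example that is not Cyral's code: it reports where a file deviates from the mTLS settings shown on this page (TLS flags not true, missing Filebeat secret paths, leftover `<...>` placeholders). The names `flatten` and `lint` are hypothetical, and the parser is a simplification that handles only the nested key/value mappings used in the snippets above.

```python
import re

def flatten(text):  # nested 'key: value' mappings -> {'a.b.c': 'value'}; no lists, not full YAML
    out, parents = {}, []  # parents: (indent, key) of the mappings currently open
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if not key or key.startswith("#"):
            continue  # blank line or comment
        indent = len(line) - len(line.lstrip())
        while parents and parents[-1][0] >= indent:
            parents.pop()
        value = value.strip().strip("'\"")
        if value:
            out[".".join([k for _, k in parents] + [key])] = value
        else:
            parents.append((indent, key))
    return out

FB, OUT = "vaultIntegration.secrets.filebeat.", "filebeat.output."
MUST_EQUAL = {"vaultIntegration.enabled": "true", OUT + "type": "kafka", OUT + "useTLS": "true",
              OUT + "useMutualAuthentication": "true", OUT + "usePrivateCertificateChain": "true"}
MUST_BE_SET = ["filebeat.kafka.hosts", "filebeat.kafka.topic", FB + "certificateChain",
               FB + "clientCertificate", FB + "clientPrivateKey", FB + "commonName"]

def lint(text):  # list the ways a values.yaml deviates from this page's mTLS settings
    cfg = flatten(text)
    problems = [f"{k} must be {v}" for k, v in MUST_EQUAL.items() if cfg.get(k, "").lower() != v]
    problems += [f"{k} is missing" for k in MUST_BE_SET if not cfg.get(k)]
    problems += [f"{k} still holds a placeholder" for k, v in cfg.items() if re.search(r"<[^>]+>", v)]
    return problems

SAMPLE = """# constructed values.yaml, deliberately misconfigured
vaultIntegration:
  enabled: true
  secrets:
    filebeat:
      clientCertificate: 'cyral_pki/issue/example-dot-com'
      commonName: 'cyral-filebeat.example.com'
filebeat:
  output:
    type: kafka
    useTLS: true
    useMutualAuthentication: false
  kafka:
    hosts: <KafkaHost:KafkaPort>
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

An empty result means the file matches the settings on this page; it does not confirm that the Vault PKI path or the Kafka endpoint is reachable.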


