try to fix :/

logserver/config/logstash.conf

@@ -23,9 +23,57 @@ input {
 }
 
 filter {
-  # Note: API key validation would go here in production
-  # For now, accepting all connections for simplicity
-  # TODO: Implement proper API key validation
+  # API Key validation - check if client provided a valid key
+  # The API key should be in the [fields][api_key] field from Filebeat
+  if [fields][api_key] {
+    # Load and validate API key
+    ruby {
+      init => "
+        require 'yaml'
+        @api_keys = {}
+
+        # Load API keys from file
+        begin
+          if File.exist?('/usr/share/logstash/config/api-keys.yml')
+            config = YAML.load_file('/usr/share/logstash/config/api-keys.yml')
+            if config && config['api_keys']
+              config['api_keys'].each do |hostname, key|
+                @api_keys[key.to_s.strip] = hostname.to_s.strip
+              end
+            end
+          end
+        rescue => e
+          @logger.error('Failed to load API keys', :error => e.message)
+        end
+      "
+      code => "
+        api_key = event.get('[fields][api_key]')
+
+        if api_key && @api_keys.has_key?(api_key)
+          # Valid API key - add hostname to event
+          event.set('[@metadata][client_hostname]', @api_keys[api_key])
+          event.set('[@metadata][authenticated]', true)
+        else
+          # Invalid API key
+          event.set('[@metadata][authenticated]', false)
+          event.tag('_authfailure')
+        end
+      "
+    }
+
+    # Drop unauthorized events
+    if "_authfailure" in [tags] {
+      drop { }
+    }
+  } else {
+    # No API key provided - mark as unauthenticated
+    # You can choose to drop these or allow them based on your security requirements
+    mutate {
+      add_tag => [ "no_api_key" ]
+    }
+    # Uncomment to require API keys for all connections:
+    # drop { }
+  }
 
   # Parse Docker logs
   if [docker] {