WARNING: Version 5.4 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Getting Started with Security
editGetting Started with Security
editTo secure a cluster, you must install X-Pack on every node in the cluster. Basic authentication is enabled by default—to communicate with the cluster, you must specify a username and password. Unless you {xpack-ref}/anonymous-access.html[enable anonymous access], all requests that don’t include a user name and password are rejected.
X-Pack security provides a built-in elastic superuser you can use
to start setting things up. This elastic user has full access
to the cluster, including all indices and data, so make sure
you change the default password and protect the elastic user
credentials accordingly.
To get started with X-Pack security:
- Install X-Pack and start Elasticsearch and Kibana.
-
Change the passwords of the built in
kibana,logstash_systemandelasticusers:curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/elastic/_password' -H "Content-Type: application/json" -d '{ "password" : "elasticpassword" }' curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/kibana/_password' -H "Content-Type: application/json" -d '{ "password" : "kibanapassword" }' curl -XPUT -u elastic 'localhost:9200/_xpack/security/user/logstash_system/_password' -H "Content-Type: application/json" -d '{ "password" : "logstashpassword" }'The default password for the
elasticuser ischangeme. -
Set up roles and users to control access to Elasticsearch and Kibana. For example, to grant John Doe full access to all indices that match the pattern
events*and enable him to create visualizations and dashboards for those indices in Kibana, you could create anevents_adminrole and and assign the role to a newjohndoeuser.curl -XPOST -u elastic 'localhost:9200/_xpack/security/role/events_admin' -H "Content-Type: application/json" -d '{ "indices" : [ { "names" : [ "events*" ], "privileges" : [ "all" ] }, { "names" : [ ".kibana*" ], "privileges" : [ "manage", "read", "index" ] } ] }' curl -XPOST -u elastic 'localhost:9200/_xpack/security/user/johndoe' -H "Content-Type: application/json" -d '{ "password" : "userpassword", "full_name" : "John Doe", "email" : "john.doe@anony.mous", "roles" : [ "events_admin" ] }' -
Enable message authentication to verify that messages are not tampered with or corrupted in transit:
-
Run the
syskeygentool fromES_HOMEwithout any options:bin/x-pack/syskeygen
This creates a system key file in
CONFIG_DIR/x-pack/system_key. -
Copy the generated system key to the rest of the nodes in the cluster.
The system key is a symmetric key, so the same key must be on every node in the cluster.
-
-
Enable Auditing to keep track of attempted and successful interactions with your Elasticsearch cluster:
-
Add the following setting to
elasticsearch.ymlon all nodes in your cluster:xpack.security.audit.enabled: true
- Restart Elasticsearch.
By default, events are logged to a dedicated
elasticsearch-access.logfile inES_HOME/logs. You can also store the events in an Elasticsearch index for easier analysis and control what events are logged. For more information, see {xpack-ref}/auditing.html[Configuring Auditing]. -
Depending on your security requirements, you might also want to:
- Integrate with {xpack-ref}/ldap-realm.html[LDAP] or {xpack-ref}/active-directory-realm.html[Active Directory], or {xpack-ref}/pki-realm.html[require certificates] for authentication.
- Use {xpack-ref}/ip-filtering.html[IP Filtering] to allow or deny requests from particular IP addresses or address ranges.