- Legacy APM Server Reference:
- Overview
- Get started
- Set up
- How-to guides
- Configure
- Secure
- Monitor
- API
- Explore data in Elasticsearch
- Exported fields
- APM Error fields
- APM Profile fields
- APM Sourcemap fields
- APM Span fields
- APM Span Metrics fields
- APM Transaction fields
- APM Transaction Metrics fields
- APM Transaction Metrics fields
- Beat fields
- Cloud provider metadata fields
- Docker fields
- ECS fields
- Host fields
- Kubernetes fields
- Process fields
- System Metrics fields
- Troubleshoot
- Upgrade
- Release notes
- APM Server version 7.13
- APM Server version 7.12
- APM Server version 7.11
- APM Server version 7.10
- APM Server version 7.9
- APM Server version 7.8
- APM Server version 7.7
- APM Server version 7.6
- APM Server version 7.5
- APM Server version 7.4
- APM Server version 7.3
- APM Server version 7.2
- APM Server version 7.1
- APM Server version 7.0
- APM Server version 6.8
- APM Server version 6.7
- APM Server version 6.6
- APM Server version 6.5
- APM Server version 6.4
- APM Server version 6.3
- APM Server version 6.2
- APM Server version 6.1
- APM integration (Elastic Agent)
Configure Kerberosedit
You can specify Kerberos options with any output or input that supports Kerberos, like Elasticsearch.
The following encryption types are supported:
- aes128-cts-hmac-sha1-96
- aes128-cts-hmac-sha256-128
- aes256-cts-hmac-sha1-96
- aes256-cts-hmac-sha384-192
- des3-cbc-sha1-kd
- rc4-hmac
Example output config with Kerberos password based authentication:
output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"] output.elasticsearch.kerberos.auth_type: password output.elasticsearch.kerberos.username: "elastic" output.elasticsearch.kerberos.password: "changeme" output.elasticsearch.kerberos.config_path: "/etc/krb5.conf" output.elasticsearch.kerberos.realm: "ELASTIC.CO"
The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration
it is going to be HTTP/my-elasticsearch.elastic.co@ELASTIC.CO
.
Configuration optionsedit
You can specify the following options in the kerberos
section of the apm-server.yml
config file:
enabled
edit
The enabled
setting can be used to enable the kerberos configuration by setting
it to false
. The default value is true
.
Kerberos settings are disabled if either enabled
is set to false
or the
kerberos
section is missing.
auth_type
edit
There are two options to authenticate with Kerberos KDC: password
and keytab
.
password
expects the principal name and its password. When choosing keytab
, you
have to specify a principal name and a path to a keytab. The keytab must contain
the keys of the selected principal. Otherwise, authentication will fail.
config_path
edit
You need to set the path to the krb5.conf
, so +apm-server can find the Kerberos KDC to
retrieve a ticket.
username
edit
Name of the principal used to connect to the output.
password
edit
If you configured password
for auth_type
, you have to provide a password
for the selected principal.
keytab
edit
If you configured keytab
for auth_type
, you have to provide the path to the
keytab of the selected principal.
service_name
edit
This option can only be configured for Kafka. It is the name of the Kafka service, usually kafka
.
realm
edit
Name of the realm where the output resides.