Configuring Security in Logstash
editConfiguring Security in Logstash
editThe Logstash Elasticsearch plugins (output, input, filter and monitoring) support authentication and encryption over HTTP.
To use Logstash with a secured cluster, you need to configure authentication credentials for Logstash. Logstash throws an exception and the processing pipeline is halted if authentication fails.
If encryption is enabled on the cluster, you also need to enable TLS/SSL in the Logstash configuration.
If you want to monitor your Logstash instance with X-Pack monitoring, and store the monitoring data in a secured Elasticsearch cluster, you must configure Logstash with a username and password for a user with the appropriate permissions.
In addition to configuring authentication credentials for Logstash, you need to grant authorized users permission to access the Logstash indices.
Configuring Logstash to use Basic Authentication
editLogstash needs to be able to manage index templates, create indices, and write and delete documents in the indices it creates.
To set up authentication credentials for Logstash:
-
Use the the Management > Roles UI in Kibana or the
role
API to create alogstash_writer
role. For cluster privileges, addmanage_index_templates
andmonitor
. For indices privileges, addwrite
,delete
, andcreate_index
.If you plan to use index lifecycle management, also add
manage_ilm
for cluster andmanage
andmanage_ilm
for indices.POST _xpack/security/role/logstash_writer { "cluster": ["manage_index_templates", "monitor", "manage_ilm"], "indices": [ { "names": [ "logstash-*" ], "privileges": ["write","delete","create_index","manage","manage_ilm"] } ] }
The cluster needs the
manage_ilm
privilege if index lifecycle management is enabled.If you use a custom Logstash index pattern, specify your custom pattern instead of the default
logstash-*
pattern.If index lifecycle management is enabled, the role requires the
manage
andmanage_ilm
privileges to load index lifecycle policies, create rollover aliases, and create and manage rollover indices. -
Create a
logstash_internal
user and assign it thelogstash_writer
role. You can create users from the Management > Users UI in Kibana or through theuser
API:POST _xpack/security/user/logstash_internal { "password" : "x-pack-test-password", "roles" : [ "logstash_writer"], "full_name" : "Internal Logstash User" }
-
Configure Logstash to authenticate as the
logstash_internal
user you just created. You configure credentials separately for each of the Elasticsearch plugins in your Logstash.conf
file. For example:input { elasticsearch { ... user => logstash_internal password => x-pack-test-password } } filter { elasticsearch { ... user => logstash_internal password => x-pack-test-password } } output { elasticsearch { ... user => logstash_internal password => x-pack-test-password } }
Granting Users Access to the Logstash Indices
editTo access the indices Logstash creates, users need the read
and
view_index_metadata
privileges:
-
Create a
logstash_reader
role that has theread
andview_index_metadata
privileges for the Logstash indices. You can create roles from the Management > Roles UI in Kibana or through therole
API: -
Assign your Logstash users the
logstash_reader
role. If the Logstash user will be using centralized pipeline management, also assign thelogstash_admin
role. You can create and manage users from the Management > Users UI in Kibana or through theuser
API:
Configuring the Elasticsearch Output to use PKI Authentication
editThe elasticsearch
output supports PKI authentication. To use an X.509
client-certificate for authentication, you configure the keystore
and
keystore_password
options in your Logstash .conf
file:
output { elasticsearch { ... keystore => /path/to/keystore.jks keystore_password => realpassword truststore => /path/to/truststore.jks truststore_password => realpassword } }
Configuring Logstash to use TLS Encryption
editIf TLS encryption is enabled on the Elasticsearch cluster, you need to
configure the ssl
and cacert
options in your Logstash .conf
file:
Configuring Credentials for Logstash Monitoring
editIf you plan to ship Logstash monitoring data to a secure cluster, you need to configure the username and password that Logstash uses to authenticate for shipping monitoring data.
X-Pack security comes preconfigured with a
logstash_system
built-in user
for this purpose. This user has the minimum permissions necessary for the
monitoring function, and should not be used for any other purpose - it is
specifically not intended for use within a Logstash pipeline.
By default, the logstash_system
user does not have a password. The user will
not be enabled until you set a password. Set the password through the change
password API:
PUT _xpack/security/user/logstash_system/_password { "password": "t0p.s3cr3t" }
Then configure the user and password in the logstash.yml
configuration file:
xpack.monitoring.elasticsearch.username: logstash_system xpack.monitoring.elasticsearch.password: t0p.s3cr3t
If you initially installed an older version of X-Pack, and then upgraded, the
logstash_system
user may have defaulted to disabled
for security reasons.
You can enable the user through the user
API:
PUT _xpack/security/user/logstash_system/_enable
Configuring Credentials for Centralized Pipeline Management
editIf you plan to use Logstash centralized pipeline management, you need to configure the username and password that Logstash uses for managing configurations.
You configure the user and password in the logstash.yml
configuration file: