WARNING: Version 5.4 of the Elastic Stack has passed its EOL date.
This documentation is no longer being maintained and may be removed. If you are running this version, we strongly advise you to upgrade. For the latest information, see the current release documentation.
Logstash and Security
The Logstash Elasticsearch plugins (output, input, filter and monitoring) support authentication and encryption over HTTP.
To use Logstash with a secured cluster, you need to configure authentication credentials for Logstash. Logstash throws an exception and the processing pipeline is halted if authentication fails.
If encryption is enabled on the cluster, you also need to enable SSL in the Logstash configuration.
If you wish to monitor your Logstash instance with X-Pack monitoring, and store the monitoring data in a secured Elasticsearch cluster, you must configure Logstash with a username and password for a user with the appropriate permissions.
In addition to configuring authentication credentials for Logstash, you need to grant authorized users permission to access the Logstash indices.
Configuring Logstash to use Basic Authentication
Logstash needs to be able to manage index templates, create indices, and write and delete documents in the indices it creates.
To set up authentication credentials for Logstash:
- Create a logstash_writer role that has the manage_index_templates cluster privilege, and the write, delete, and create_index privileges for the Logstash indices. You can create roles from the Management > Roles UI in Kibana or through the role API:
  If you use a custom Logstash index pattern, specify that pattern instead of the default
Granting Users Access to the Logstash Indices
To access the indices Logstash creates, users need the read and view_index_metadata privileges:
- Create a logstash_reader role that has the read and view_index_metadata privileges for the Logstash indices. You can create roles from the Management > Roles UI in Kibana or through the role API:
  If you use a custom Logstash index pattern, specify that pattern instead of the default
Configuring the elasticsearch Output to use PKI Authentication
The elasticsearch output supports PKI authentication. To use an X.509 client-certificate for authentication, you configure the keystore and keystore_password options in your Logstash .conf file:
output {
  elasticsearch {
    ...
    keystore => "/path/to/keystore.jks"
    keystore_password => "realpassword"
    truststore => "/path/to/truststore.jks"
    truststore_password => "realpassword"
  }
}
Configuring Logstash to use TLS Encryption
If TLS encryption is enabled on the Elasticsearch cluster, you need to configure the ssl and cacert options in your Logstash .conf file:
Configuring Logstash Monitoring
If you wish to ship Logstash monitoring data to a secure cluster, Logstash must be configured with a username and password.
X-Pack security comes preconfigured with a logstash_system user for this purpose.
This user has the minimum permissions necessary for the monitoring function, and
should not be used for any other purpose - it is specifically not intended for
use within a Logstash pipeline.
By default, the logstash_system user password is set to changeme.
Change this password through the reset password API:
PUT _xpack/security/user/logstash_system/_password
{
  "password": "t0p.s3cr3t"
}
Then configure the user and password in your logstash.yml configuration file:
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: t0p.s3cr3t
If you initially installed an older version of X-Pack, and then upgraded, then the logstash_system user may have defaulted to disabled for security reasons.
You can enable the user with the following API call:
PUT _xpack/security/user/logstash_system/_enable
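
A configuration check for the points made on this page, as an added example (not part of the original documentation or Elastic's code): it flags the default changeme password in logstash.yml, use of logstash_system inside a pipeline, and an elasticsearch plugin block without ssl and cacert. The sample inputs, the host name and the regex-based parsing are constructed assumptions, and the TLS check assumes the cluster has encryption enabled.

```python
import re

# Constructed sample inputs (not from the page): a weak logstash.yml and pipeline.
SAMPLE_YML = """\
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: changeme
"""
SAMPLE_CONF = """\
output {
  elasticsearch {
    hosts => ["es.example.internal:9200"]
    user => "logstash_system"
    password => "changeme"
  }
}
"""

# Heuristic parsers: flat elasticsearch { ... } blocks and key => value pairs.
ES_BLOCK = re.compile(r"elasticsearch\s*\{([^{}]*)\}")
SETTING = re.compile(r"(\w+)\s*=>\s*\"?([^\"\s\]]+)")


def parse_yml(text):
    """Parse flat 'key: value' lines from logstash.yml, skipping comments."""
    pairs = (line.split(":", 1) for line in text.splitlines()
             if ":" in line and not line.lstrip().startswith("#"))
    return {k.strip(): v.strip().strip("\"'") for k, v in pairs}


def audit(yml_text, conf_text):
    """Return findings that contradict the guidance on this page."""
    findings = []
    yml = parse_yml(yml_text)
    if yml.get("xpack.monitoring.elasticsearch.password") == "changeme":
        findings.append("monitoring: logstash_system uses the default password")
    for body in ES_BLOCK.findall(conf_text):
        opts = dict(SETTING.findall(body))
        if opts.get("user") == "logstash_system":
            findings.append("pipeline: logstash_system used in a pipeline plugin")
        # Assumption: the cluster has TLS enabled, so ssl and cacert are expected.
        if opts.get("ssl") != "true":
            findings.append("pipeline: elasticsearch plugin without ssl => true")
        elif "cacert" not in opts and "truststore" not in opts:
            findings.append("pipeline: ssl enabled but no cacert or truststore")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_YML, SAMPLE_CONF):
        print(finding)
```

Run it against the real logstash.yml and pipeline files by passing their contents to audit(); an empty list means none of the three conditions were found.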