Blocking beats from hosts using Xpack Security IP filtering feature

I'm trying to filter IP addresses using Xpack Security (aka Shield). As far as I understand the documentation (https://www.elastic.co/guide/en/x-pack/current/ip-filtering.html), it should block beats from given hosts. However, after editing the configuration and restarting Elasticsearch, nothing happens - the beat is allowed through anyway.

In my case the ELK is v5.0 and it runs on Debian Jessie.

Here's the config file:

# ---------------------------------- Various -----------------------------------
#
# Disable starting multiple nodes on a single system:
#
#node.max_local_storage_nodes: 1
#
# Require explicit names when deleting indices:
#
#action.destructive_requires_name: true
#
#
#-------------xpack security------------
#
#
xpack.security.transport.filter.allow: "192.168.10.11"
xpack.security.transport.filter.deny: _all
#

What am I doing wrong? I believe it's something obvious, since the config is rather simple...

Many thanks for your suggestions!

Beats use the HTTP(S) protocol, so you need to configure HTTP filtering.

Thanks for the suggestion.

New config in /etc/elasticsearch/elasticsearch.yml:

#-------------xpack security------------
#
xpack.security.http.filter.deny: _all
#

Still all beats are allowed.
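The transport/HTTP distinction made in the answer above, as an added example (not code from the thread or from Elastic): a simplified Python model of the documented rule evaluation, run over constructed copies of the two configurations posted here. It assumes allow entries take precedence over deny entries, `_all` matches every address, and a layer with no rules allows everything; hostname entries are not modelled, and the function names are hypothetical.

```python
import ipaddress

# Constructed copies of the two configurations posted in this thread.
FIRST_CONFIG = '''
xpack.security.transport.filter.allow: "192.168.10.11"
xpack.security.transport.filter.deny: _all
'''
SECOND_CONFIG = '''
xpack.security.http.filter.deny: _all
'''

def parse_rules(text):
    """Collect allow/deny entries per layer from flat elasticsearch.yml lines."""
    rules = {"transport": {"allow": [], "deny": []},
             "http": {"allow": [], "deny": []}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line.startswith("xpack.security.") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        parts = key.strip().split(".")  # xpack.security.<layer>.filter.<action>
        if len(parts) != 5 or parts[2] not in rules or parts[3] != "filter" or parts[4] not in ("allow", "deny"):
            continue
        entries = value.strip().strip("[]").split(",")
        rules[parts[2]][parts[4]] += [e.strip().strip("\"'") for e in entries if e.strip()]
    return rules

def matches(entry, client_ip):
    """True if a rule entry (_all, single IP or CIDR range) covers client_ip."""
    if entry == "_all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False  # hostname or wildcard entry: not modelled in this example

def decision(rules, layer, client_ip):
    """Assumed semantics: allow beats deny; a layer with no matching rule allows."""
    if any(matches(e, client_ip) for e in rules[layer]["allow"]):
        return "allow"
    if any(matches(e, client_ip) for e in rules[layer]["deny"]):
        return "deny"
    return "allow"

if __name__ == "__main__":
    for name, text in (("first", FIRST_CONFIG), ("second", SECOND_CONFIG)):
        rules = parse_rules(text)
        for layer in ("transport", "http"):
            print(name, layer, decision(rules, layer, "192.168.10.50"))
```

Under these assumptions the first configuration restricts only the transport layer, so an HTTP client such as a beat is unaffected by it, while the second should deny every HTTP client, which is not what the poster reports seeing.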
