Confusion about authentication for Logstash

security

(Matt Wheeler) #1

I'm reviewing the documentation for Shield, in order to enable authentication for the ELK stack, and am puzzled with Logstash. A couple questions:

  1. In reviewing Shield's Logstash documentation, a user and password are specified in the Elasticsearch output plugin. Wouldn't this contain the Elasticsearch, not the Logstash user?

  2. If so, what's the purpose of the Logstash user? That it's not mentioned here, or in numerous tutorials (1, 2) makes me think it's redundant, but someone correct me if I'm wrong.

  3. When and where would the Logstash user be specified?

Thanks in advance. My apologies if I'm missing something obvious.


(Steve Kearns) #2

Heya Matt,

The docs are trying to outline a process that looks like this:

  1. Create a user in the Shield esusers realm, and assign it the logstash role, which comes pre-defined for you. The Logstash role grants the user access to write into log
  2. Add the user/password you just created to the Logstash configuration, so that when Logstash attempts to connect to Elasticsearch, it sends the username/password credentials.

Does that help?
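
The two steps above, written out as an added example that is not part of either post or of the Shield documentation. The user name `logstash_writer`, the host, and the placeholder password are constructed; the `hosts` option name assumes a Logstash 2.x elasticsearch output.

```logstash
# Step 1 (run on an Elasticsearch node with Shield installed):
# create a user in the esusers realm and give it the predefined
# "logstash" role. "logstash_writer" is a constructed name.
#
#   bin/shield/esusers useradd logstash_writer -r logstash
#
# Step 2: reference that same user in the Logstash pipeline.
# There is no separate "Logstash user" store: the credentials below
# belong to the Elasticsearch (Shield) user created in step 1, and
# the role attached to it decides what Logstash is allowed to do.

output {
  elasticsearch {
    hosts    => ["localhost:9200"]       # constructed host
    user     => "logstash_writer"        # the esusers account from step 1
    password => "REPLACE_WITH_PASSWORD"  # placeholder, set at useradd time
  }
}
```

Because the password sits in the pipeline file in plain text, restrict read access on that file to the account that runs Logstash.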

