Elasticsearch ELK security

euph0ria · May 2, 2019, 6:18pm

Hi community,

I have a question regarding security. Suppose we setup ES + filebeat for some systems. Filebeat ships directly to ES. How do we handle security?

Basically what we are worried about is a server being compromised and the attacker using the filebeat credentials (if you use an nginx proxy) to view the logs of everything on the ES server.

I can't find any way to setup this very basic security restriction that filebeat should only be able to upload, not read nor access everything. Is this not possible in the open-source/free edition?

If so I'm extremely surprised of all the tutorials online that recommend ELK not addressing the security concerns. Is the only way to solve this using OpenDistro by AWS or pay for the X-pack?

How has every one else here using the ELK stack solved this?

Julien · May 22, 2019, 11:40am

If you create a role with only "write" (possibly create_index if you want the user to be able to create index) or "index", then the user would be able to index documents but not read. Please refer to the indices privileges documentation

Regarding licensing, please check this blog :
https://www.elastic.co/blog/security-for-elasticsearch-is-now-free

system · June 19, 2019, 11:40am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Securing communication between Elasticsearch and Filebeat Beats filebeat	2	869	August 23, 2017
Filebeat with minimal security on ELK Elasticsearch elastic-stack-security	6	561	January 3, 2022
Logstash in free version? Logstash elastic-stack-security	2	272	June 23, 2021
Confirmation please Beats filebeat	3	212	March 21, 2023
Elasticsearch permissions required by Filebeat Beats filebeat	7	3891	November 30, 2018

Elasticsearch ELK security

Related topics