Elasticsearch ELK security

Hi community,

I have a question regarding security. Suppose we set up ES + filebeat for some systems. Filebeat ships directly to ES. How do we handle security?

Basically what we are worried about is a server being compromised and the attacker using the filebeat credentials (if you use an nginx proxy) to view the logs of everything on the ES server.

I can't find any way to set up this very basic security restriction that filebeat should only be able to upload, not read nor access everything. Is this not possible in the open-source/free edition?

If so, I'm extremely surprised by all the tutorials online that recommend ELK not addressing the security concerns. Is the only way to solve this using OpenDistro by AWS or pay for the X-pack?

How has everyone else here using the ELK stack solved this?

If you create a role with only "write" (possibly create_index if you want the user to be able to create an index) or "index", then the user would be able to index documents but not read. Please refer to the indices privileges documentation.

Regarding licensing, please check this blog:
https://www.elastic.co/blog/security-for-elasticsearch-is-now-free
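As an added illustration of the answer above (not code from the post or from Elastic), the script below builds the write-only role body for `PUT _security/role/filebeat_writer` and audits a set of role definitions (shaped like the output of `GET _security/role`) for any that can read documents back. The set of read-capable privileges and the sample roles are assumptions constructed for this example.

```python
import json

# Index privileges that let a principal read documents out of an index.
# Assumption for this example; the Elasticsearch privilege docs are authoritative.
READ_CAPABLE = {"read", "all", "read_cross_cluster"}


def filebeat_writer_role(index_pattern="filebeat-*"):
    """Body for PUT _security/role/filebeat_writer: index, but never read.
    Follows the answer: "write" plus "create_index", no "read"."""
    return {
        "cluster": [],
        "indices": [
            {"names": [index_pattern], "privileges": ["write", "create_index"]}
        ],
    }


def readable_patterns(role):
    """Index patterns this role can read documents from (empty if none)."""
    patterns = []
    for entry in role.get("indices", []):
        if READ_CAPABLE & set(entry.get("privileges", [])):
            patterns.extend(entry["names"])
    return sorted(patterns)


def audit_roles(roles):
    """Map role name -> readable patterns, only for roles that can read something.
    `roles` has the shape returned by GET _security/role."""
    findings = {}
    for name, role in roles.items():
        patterns = readable_patterns(role)
        if patterns:
            findings[name] = patterns
    return findings


# Constructed sample in the GET _security/role shape (not output from a real cluster).
SAMPLE_ROLES = {
    "filebeat_writer": filebeat_writer_role(),
    "filebeat_too_broad": {"cluster": [], "indices": [{"names": ["*"], "privileges": ["all"]}]},
    "kibana_reader": {"cluster": [], "indices": [{"names": ["filebeat-*"], "privileges": ["read", "view_index_metadata"]}]},
}

if __name__ == "__main__":
    print(json.dumps(filebeat_writer_role(), indent=2))  # request body for the role
    for name, patterns in audit_roles(SAMPLE_ROLES).items():
        print(f"role {name!r} can read documents from: {patterns}")
```

A shipper compromised on one host can then only append to `filebeat-*`; the audit flags the over-privileged `filebeat_too_broad` role as the one to fix.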
