Enabling xpack security on elasticsearch

Hi Team,

We have elastic stack with the following components:
5 ES nodes running on 7.6.1 version
Kibana - 7.6.1 version
2 Logstash - 7.6.1 version

We also have Filebeat and Metricbeat (both 7.6.0) running on a lot of VMs pushing data to ES via Logstash. We would like to enable security xpack for ES to have both basic auth and SSL enabled for the cluster. One other reason is we would like to test the new SIEM capability for ELK (I read in the documents that xpack is needed for detections). Is there a suggested way to enable security xpack on an existing cluster so that data ingestion is not lost while this activity is happening (something similar to the steps which are mentioned for upgrading the ELK version)? We use Chef to configure Elastic.

Thanks!

Unfortunately it is not possible to perform a rolling installation of the TLS certificates.

As soon as you start the first node with Transport TLS enabled, it will be "alone" on the cluster, waiting for other nodes to connect with a TLS connection.

The steps to enable the security are described here.

As you're using Chef, you have automation in place; if you plan all the actions correctly, the outage window will be small.

If you can accept the fact you will not be able to access the data on Kibana, you can enable Persistent Queues on Logstash, so events will be written to disk on Logstash when Elasticsearch is down.
You will need to size them to cope with the amount of data you expect to receive during the time Elasticsearch is getting reconfigured.

Other solutions involve putting in place a queue such as Kafka or Redis between the Beats and Logstash.

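To make the two settings changes from the reply above concrete, here is an added example (not configuration from the original poster or from Elastic) of the two files involved: the Elasticsearch security/TLS settings that force the full-cluster restart, and the Logstash persistent-queue settings that buffer events to disk while Elasticsearch is down. The certificate paths, queue path and the 20gb size are assumptions; size `queue.max_bytes` from your own event rate times the expected outage.

```yaml
# --- elasticsearch.yml (every node; apply during the planned restart) ---
xpack.security.enabled: true

# Transport TLS is required as soon as security is on with more than one node.
# A node started with this setting only talks to peers that also present TLS,
# so all nodes must come up with it in the same restart window.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
# Assumed path: PKCS#12 bundle under $ES_PATH_CONF/certs, e.g. from elasticsearch-certutil
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# HTTPS for the REST API that Kibana and Logstash connect to (optional but
# needed for "SSL enabled for the cluster" end to end).
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/elastic-certificates.p12

# --- logstash.yml (both Logstash nodes; enable before the ES outage) ---
# Events are written to disk instead of held in memory, so the Beats keep
# sending while the Elasticsearch output retries against the down cluster.
queue.type: persisted
# Assumed location; must be on a volume with enough free space.
path.queue: /var/lib/logstash/queue
# Assumed size: ~5k events/s * 1 KB * 60 min is about 18 GB, so 20gb gives
# a little headroom for one hour of outage. Default is only 1024mb.
queue.max_bytes: 20gb
# Checkpoint after every event so an unclean Logstash restart loses nothing
# already acknowledged to the Beats (costs write throughput).
queue.checkpoint.writes: 1
```

Once every node is back with TLS and the `elastic` user's password has been set, the Logstash `elasticsearch` output needs its `user`/`password` and `cacert` options added, otherwise the queue keeps filling without draining.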

Thanks for the reply. Would it be possible to enable xpack just with basic auth and perform a rolling installation if we don't enable TLS? We use a basic license for all dev, QA and production clusters, and I read in the docs that it's not mandatory to enable TLS for the basic license if we enable xpack. Is my understanding correct?

Thanks for all your help :slight_smile:

Security requires TLS to be enabled as soon as you have more than a single node so a full cluster restart will be required. See the docs for more details.
