Encrypt / secure Elasticsearch's password in logstash.conf file


(Shivanshu Bagga) #1

I'm using x-pack to secure ELK stack , I don't want to specify plain text "username" and "password" in logstash.conf for elasticsearch output plugin. Is there any way to do that?

output {
elasticsearch {
  hosts => "hostname"
  user => "username"
  password => "password"
  ssl => true
  ssl_certificate_verification => true
  truststore => "keystore.jks"
  truststore_password => changeme
  index => "logstash-%{+YYYY.MM.dd}"
  template => "log-template.json"
  template_name => "logstash*"
  template_overwrite => true
}
}

(Simon Lundström) #2

You could always put the password as an environment variable, see
https://www.elastic.co/guide/en/logstash/6.1/environment-variables.html


(Shivanshu Bagga) #3

Yes I know logstash supports environment variables, but that would be more security problem. I'm looking for same certificate based authentication without implicitly specify username and password(even not as environment variable) or some type of encryption for username and password.


(Shivanshu Bagga) #4

Any luck?


(Simon Lundström) #5

Environment variables are only visible by the user running logstash and
root. No matter what you do the user running logstash can and must be
able to read the password and root will always be able to, no matter
what.

If you're using an encrypted password where do you store the encryption
key? The user running logstash will need to read that to and root will
always be able to, no matter what.

Besides, using a certificate file will have the same issue especially
since if you want to protect it you need a password on it.


(Shivanshu Bagga) #6

X-pack supports PKI based authentication. I have implemented that.If anyone looking for some sort of certificate based solution then check this link pki

Anyway thanks for your reply.


(system) #7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.