Encrypt / secure Elasticsearch's password in logstash.conf file

Elastic Stack Logstash
1

I'm using x-pack to secure ELK stack , I don't want to specify plain text "username" and "password" in logstash.conf for elasticsearch output plugin. Is there any way to do that?

output {
elasticsearch {
  hosts => "hostname"
  user => "username"
  password => "password"
  ssl => true
  ssl_certificate_verification => true
  truststore => "keystore.jks"
  truststore_password => changeme
  index => "logstash-%{+YYYY.MM.dd}"
  template => "log-template.json"
  template_name => "logstash*"
  template_overwrite => true
}
}
2

You could always put the password as an environment variable, see
https://www.elastic.co/guide/en/logstash/6.1/environment-variables.html

3

Yes I know logstash supports environment variables, but that would be more security problem. I'm looking for same certificate based authentication without implicitly specify username and password(even not as environment variable) or some type of encryption for username and password.

4

Any luck?

5

Environment variables are only visible by the user running logstash and
root. No matter what you do the user running logstash can and must be
able to read the password and root will always be able to, no matter
what.

If you're using an encrypted password where do you store the encryption
key? The user running logstash will need to read that to and root will
always be able to, no matter what.

Besides, using a certificate file will have the same issue especially
since if you want to protect it you need a password on it.

1 Like
6

X-pack supports PKI based authentication. I have implemented that.If anyone looking for some sort of certificate based solution then check this link pki

Anyway thanks for your reply.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.