Hide the credentials in the .conf file

Elastic Stack Logstash
1

I am using jdbc input to pull data from a Microsoft Azure SQL server. In my .conf file USERNAME and PASSWORD is in cleartext. Is there any way to hide those, encrypt them or another way to secure them?

This is an example of jdbc input to illustrate my point

input {
  jdbc {
    jdbc_driver_library => "C:/Elastic/logstash-6.4.2/plugin/sqljdbc_7.2/enu/mssql-jdbc-7.2.2.jre8.jar"
    jdbc_driver_class => "com.microsoft.sqlserver.jdbc.SQLServerDriver"
    
    jdbc_connection_string =>"jdbc:sqlserver://srvsqldb.database.windows.net:1433;database=IVsqlDB;user=USERNAME@srvsqldb;password={PASSWORD};encrypt=true;trustServerCertificate=false;hostNameInCertificate=*.database.windows.net;loginTimeout=30;"
    jdbc_user => "USERNAME"
    jdbc_password => "PASSWORD"
    statement => "SELECT *  FROM [dbo].[DimDate];"
  }
}
filter {
}
output {
    stdout { codec => rubydebug }
}

Why do I ask? My logstash is going to run on a PC outside my supervision, so others could gain access to the credential in the .conf file, and that is not secure.

2

You can use the logstash keystore generally so that you don't include plaintext secrets in your configuration file. However, the keystore password is set as an environment variable, so a user with access to the host where logstash runs can easily read the environment variable and thus the credentials.
In the case where logstash (or any software to be honest) runs on a host that others have access, it is very challenging to protect your data. It largely depends on who the other users on the host are, what privieges they ( need to ) have and how can you compartmentalize access.

3

Thank you - that was exactly what I needed :slight_smile:

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.