How hides the password in json file for jmx input plugin logstash

I am using jmx input plugin logstash to read JVM metrics, everything works fine for me, the JVM I access requires authentication by user and password and in the development environment I have this data burned in the JSON files, but for production I need these values are not visible in the files, I wanted to use session variables as I have used in other implementations in .yml and .conf files, but it doesn't work for me with JSON files.
Does anyone know how I can handle this sensitive authentication data in Json files?

Check out

Thanks, the problem is that this works for .yml and .conf files, but not for .json files

What does your workflow look like?

Is there a reason you can't rename the .json to .conf without messing other stuff up? (looked it up and doesn't seem possible)

Short answer is Elastic only provides keystore support for configuration files as you know. But depending on what you are trying to do I might have done something similar before.

Hello, due to the organization's information security policy, it cannot have clear text passwords, for this reason I need the password not to be visible.

Indeed, I tried creating the file of type json with another type of extension such as .yml or .conf, but when the file is loaded during the execution of the process, the session variables where I store the password are not resolved.

The content of the file is similar to the following where $ {KEY} is the session variable that contains the password:

      //Required, JMX listening host/ip
      "host" : "",
      //Required, JMX listening port
      "port" : 1335,
      //Optional, the username to connect to JMX
      "username" : "user",
      //Optional, the password to connect to JMX
      "password": "${KEY}",
      //Optional, use this alias as a prefix in the metric name. If not set use <host>_<port>
      "alias" : "test.homeserver.elasticsearch",
      //Required, list of JMX metrics to retrieve
      "queries" : [
        //Required, the object name of Mbean to request
        "object_name" : "java.lang:type=Memory",
        //Optional, use this alias in the metrics value instead of the object_name
        "object_alias" : "Memory"
      }, {
        "object_name" : "java.nio:type=BufferPool,name=*",
        "object_alias" : "${type}.${name}"
      } ]

I see 2 options which is probably not what you are looking for, but...

  1. Use 3rd party software to do this for whichever OS you are using.
  2. If you want to keep it within Logstash then create custom plugin.

Copy the current one into a new one.

Add config items for username and password.

  # Username to connect to JMX provider with
  config :username, :validate => :string
  # Password to use when connecting to the JMX provider
  config :password, :validate => :password

Change where it reads the username/password from. Currently it does it from the .json but change to the config variable.

:username => @username,
:password => @password

Then in your logstash config you should be able to add 2 additional configuration items and use the keystore password. Since it's in a .conf file type it will work as expected.

password => ${KEYSTORE}
1 Like

Hola [aaron-nimocks]
This alternative seems interesting to me.
I downloaded the .zip the plugin from GitHub and made the changes indicated to me in the /jmx.rb file. But now I don't know how to regenerate the .gem file to reinstall the pluggin. You know how I can do it. Thank you so much

A lot of steps but here is the guide.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.