Logstash credentials management

Elastic Stack Logstash
1

Hello !
**
Problem Statement**

We are reviewing the current authentication mechanism used by our Logstash deployment and would like to align it with industry best practices.

Currently, certain Logstash pipelines require usernames and passwords to connect to external systems. We want to avoid storing credentials in plain text or hardcoding them directly within Logstash configuration files due to security, compliance, and maintainability concerns.

We are looking for guidance on the vendor-recommended and industry-standard approach for securely managing credentials in a production Logstash environment.

  • Logstash configurations are managed and deployed through Ansible.

  • We are looking for a solution that is secure, maintainable, and compatible with our existing deployment model.

  • Our objective is to eliminate hardcoded usernames and passwords from Logstash pipeline configurations.

We have explored Logstash keystore, Ansible-Based Secret Management. Many of us would have been in the same situation but does anyone have a production proof best solution using keystore and ansible?

Best regards

Shubham

2

Logstash basically only supports using the Logstash Keystore or Environment Variables, so you would need to choose one of those.

I'm not sure if there is any recommendation as this would depend on each use case, both have their pros and cons.

Personally I prefer to use environment variables as they are easier to manage, I have all variables on a file and I've set this file as an extra EnvironmentFile in the Logstash service.