Securing communication between Elasticsearch and Filebeat


#1

Hi all,
I am running Elasticsearch and Kibana stack 5.5.0 on an Ubuntu server. My client servers are located in a local network, so I need to run ES on 0.0.0.0:9200 to get logs from Filebeat.
I know it's too risky to expose ES to the public; I'm trying to put it behind a reverse proxy (nginx) with an access control list with Lua to limit Filebeat clients' access only to its index, as described in this article.


In other words, is there a way to implement this security role in x-pack using nginx + Lua?

    POST _xpack/security/role/filebeat_writer
    {
      "cluster": ["manage_index_templates", "monitor"],
      "indices": [
        {
          "names": ["filebeat-*"],
          "privileges": ["read", "write", "create_index"]
        }
      ]
    }


(Tudor Golubenco) #2

I'm not sure if that's possible with Nginx, because Filebeat uses the _bulk, which allows for arbitrary commands in the body of the message. Even if it were possible, note that that means that anyone could add data to your indices.

Perhaps a slightly better option would be to have Logstash installed centrally, and have Filebeat talk to Logstash.
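
The point made in post #2 about _bulk, as an added example that is not part of the original thread: a proxy that filters on the request URL alone never sees the per-action index and operation carried in the body, so an equivalent of the filebeat_writer role has to parse every action line. The function name, the allowed-action set and the sample bodies are assumptions constructed for illustration.

```python
import fnmatch
import json

ALLOWED_INDEX_PATTERNS = ["filebeat-*"]  # index pattern from the role in post #1
ALLOWED_ACTIONS = {"index", "create"}    # assumption: shippers only add documents

def check_bulk_body(body, url_index=None):
    """Return (ok, reason) for a _bulk NDJSON body.

    url_index is the default index taken from the URL (/<index>/_bulk), if any.
    """
    lines = [line for line in body.split("\n") if line.strip()]
    i = 0
    while i < len(lines):
        try:
            action_line = json.loads(lines[i])
        except ValueError:
            return False, "line %d: action line is not valid JSON" % (i + 1)
        if not isinstance(action_line, dict) or len(action_line) != 1:
            return False, "line %d: expected exactly one action" % (i + 1)
        action, meta = next(iter(action_line.items()))
        if action not in ALLOWED_ACTIONS:
            return False, "line %d: action '%s' not allowed" % (i + 1, action)
        if not isinstance(meta, dict):
            meta = {}
        # An _index in the action metadata overrides the index named in the URL.
        index = meta.get("_index", url_index)
        if not index or not any(
            fnmatch.fnmatchcase(index, p) for p in ALLOWED_INDEX_PATTERNS
        ):
            return False, "line %d: index '%s' not allowed" % (i + 1, index)
        if i + 1 >= len(lines):
            return False, "line %d: missing document source" % (i + 1)
        i += 2  # index/create are followed by one source line; skip it
    return True, "ok"

# Constructed sample bodies (not captured traffic).
GOOD = (
    '{"index":{"_index":"filebeat-2017.08.01","_type":"log"}}\n'
    '{"message":"sshd: session opened"}\n'
)
# A valid first action followed by a delete against another index.
MIXED = GOOD + '{"delete":{"_index":"other-index","_type":"doc","_id":"1"}}\n'
# The URL names an allowed index, but the body overrides it.
OVERRIDE = '{"index":{"_index":"other-index","_type":"log"}}\n{"message":"x"}\n'
```

As post #2 notes, even with such a check in place, any client that can reach the proxy can still add data to the permitted indices unless it is also authenticated.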

