I am trying to secure my ELK. I have been checking some documentation, tutorials and also topics on discuss.elastic.co, but everybody shows different steps and enabled settings, so I am confused.
*Note: I am using ELK 6.8.8 with a Basic License, running on Debian 10
My goals are:
1- Secure internal ELK communication
2- Secure foreign connections (be able to use https) coming from different beats (PCs and servers outside the ELK network) to ES, Kibana and Logstash
3- Create different users with different level access, so each one can see only specific dashboards
Questions:
1- What comes 1st?:
a) Enable xpack security in Elasticsearch .yml
b) Generate a certificate
2- Should I set my cluster as a CA?
3- Which tool should I use to generate the certificate?:
a) /usr/share/elasticsearch/bin/elasticsearch-certutil
b) /usr/share/elasticsearch/bin/x-pack/certutil
c) If I can use any of the above, then which one would be recommended as the best option?
4- Cert format "p12" vs "PEM". Do I need to select one or the tool being used to generate the cert will determine the output format?
5- Which tool should I use to generate the system passwords (ES, Kibana, etc.)?:
a) /usr/share/elasticsearch/bin/elasticsearch-setup-passwords
b) /usr/share/elasticsearch/bin/x-pack/setup-passwords
6- Should I use:
a) elasticsearch-keystore
b) kibana-keystore
c) Both
7- Should I use:
a) "xpack.security.transport.ssl" ?
b) "xpack.security.http.ssl" ?
c) "xpack.monitoring" ?
d) All?
I know these are a lot of questions, but I would appreciate it, and it would be very helpful, if you could answer them all.
I was able to find some of the answers I need, but I am still going to need some help.
3- Which tool should I use to generate the certificate?:
a) /usr/share/elasticsearch/bin/elasticsearch-certutil
b) /usr/share/elasticsearch/bin/x-pack/certutil
c) If I can use any of the above, then which one would be recommended as the best option?
5- Which tool should I use to generate the system passwords (ES, Kibana, etc.)?:
a) /usr/share/elasticsearch/bin/elasticsearch-setup-passwords
b) /usr/share/elasticsearch/bin/x-pack/setup-passwords
6- Should I use:
a) elasticsearch-keystore
b) kibana-keystore
c) Both
7- Should I use:
a) "xpack.security.transport.ssl" ?
b) "xpack.security.http.ssl" ?
c) "xpack.monitoring" ?
d) All/other?
Also, I am facing the following issue when trying to enable xpack:
I am able to:
Generate a certificate
Enable xpack in ES config file by adding these lines (not sure if I need all of them)
Here comes the issue:
After restarting the ES service and attempting to generate the passwords, I get this error:
user1@testserver:~$ sudo /usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
warning: Falling back to java on path. This behavior is deprecated. Specify JAVA_HOME
Connection failure to: https://192.168.0.179:9200/_xpack/security/_authenticate?pretty failed: Connection refused (Connection refused)
ERROR: Failed to connect to elasticsearch at https://192.168.0.179:9200/_xpack/security/_authenticate?pretty. Is the URL correct and elasticsearch running?
user1@testserver:~$
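As an added example (not from this thread and not Elastic's own tooling), a small POSIX sh check that reads a flat key: value elasticsearch.yml, prints the URL elasticsearch-setup-passwords should be contacting, and flags any SSL layer that is enabled without a PKCS#12 keystore or PEM certificate configured. The URL derivation is my approximation of the tool's logic (an assumption), and the sample config is constructed to mirror the https://192.168.0.179:9200 target in the error above.

```shell
# Added example: derive the setup-passwords target URL from elasticsearch.yml
# and report SSL layers that are enabled with no key material (assumptions noted above).

# Print the value of setting $2 from file $1; empty if unset or commented out.
es_yml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*:[[:space:]]*//p" "$1" | head -n 1 |
        sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//"
}

# https only when HTTP-layer TLS is on; host/port fall back to ES defaults.
es_setup_passwords_url() {
    scheme=http
    if [ "$(es_yml_get "$1" xpack.security.http.ssl.enabled)" = true ]; then
        scheme=https
    fi
    host=$(es_yml_get "$1" network.host); [ -n "$host" ] || host=localhost
    port=$(es_yml_get "$1" http.port);    [ -n "$port" ] || port=9200
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# One line per finding on stdout; exit status 1 if anything was found.
es_tls_check() {
    rc=0
    if [ "$(es_yml_get "$1" xpack.security.enabled)" != true ]; then
        echo "xpack.security.enabled is not true"; rc=1
    fi
    for layer in transport http; do
        [ "$(es_yml_get "$1" xpack.security.$layer.ssl.enabled)" = true ] || continue
        if [ -z "$(es_yml_get "$1" xpack.security.$layer.ssl.keystore.path)" ] &&
           [ -z "$(es_yml_get "$1" xpack.security.$layer.ssl.certificate)" ]; then
            echo "$layer: ssl.enabled is true but no keystore.path (PKCS#12) or certificate (PEM) set"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed config: transport TLS complete, HTTP TLS missing its keystore.
sample=$(mktemp)
cat >"$sample" <<'EOF'
network.host: 192.168.0.179
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
EOF
echo "setup-passwords will contact: $(es_setup_passwords_url "$sample")"
es_tls_check "$sample" || echo "fix the findings above, then restart ES"
rm -f "$sample"
```

If the URL printed is https but ES is listening on plain http (or not listening at all), the tool reports connection refused rather than a TLS error, so check the ES log and `ss -ltnp` for port 9200 before touching certificates.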