Hi there!
(Reference link that I used for what I tried: Secrets keystore for secure settings)
Here's what I did to set up my Winlogbeat's communication with Elasticsearch, with the use of an API key (instead of credentials).
These commands are executed in a high-integrity PowerShell:
Confirm that the keystore is empty/not created:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list
Create the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore create
Add key to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore add ES_API
[API_key_string_placeholder]
Confirm that the key was successfully added to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list
Next, I replaced the following in my winlogbeat.yml:
Original:
output.elasticsearch.api_key: [API_key_string_placeholder]
Modified:
output.elasticsearch.api_key: "${ES_API}"
I executed this command to confirm that Winlogbeat could communicate with Elasticsearch successfully:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e
However, I cannot run Start-Service winlogbeat successfully:
Running sc qc winlogbeat in cmd.exe shows the command that the service runs when it is started:
Running the command from the above output directly tells us a clearer error of why Start-Service winlogbeat did not work (I think):
I added -E "output.elasticsearch.api_key=\${ES_API}" to the above command, but it did not work either:
I also added -E "output.elasticsearch.api_key=\${ES_API}" to the command executed in PowerShell earlier, so the full command is .'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e -E "output.elasticsearch.api_key=\${ES_API}". However, it says that the authentication with Elasticsearch failed. Not attaching any screenshots here tentatively for this one because of the verbose data shown.
Not sure what I did wrong, particularly why there is a missing field accessing 'output.elasticsearch.api_key'. Perhaps something to do with the formatting (particularly $)?
Seeking advice please!
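Added example, not part of the original post: a PowerShell script that performs the keystore steps above idempotently and adds the checks a practitioner would run before starting the service. It assumes the MSI default install and data paths shown in the variables (adjust them if yours differ) and relies on the fact that the Beats keystore file is stored under path.data, so the keystore must be created with the same --path.data that the service command line uses.

```powershell
# Added example (not from the original post). Sets up the Winlogbeat keystore
# under the service's data directory and validates the config before starting.
# Assumption: these are the MSI installer defaults; compare with the service command line.
$Exe     = 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe'
$Config  = 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml'
$DataDir = 'C:\ProgramData\Elastic\Winlogbeat'   # assumption: the service's --path.data
$KeyName = 'ES_API'                               # referenced in winlogbeat.yml as "${ES_API}"

# Every invocation passes the same -c and --path.data so the keystore file
# (stored as <path.data>\winlogbeat.keystore) is the one the service will read.
function Invoke-Winlogbeat {
    param([string[]]$Arguments)
    & $Exe -c $Config --path.data $DataDir @Arguments
}

# 1. Show the command line the service actually runs; its --path.data must match $DataDir.
$svc = Get-CimInstance Win32_Service -Filter "Name='winlogbeat'"
if ($svc) { Write-Host "Service command line: $($svc.PathName)" }
else      { Write-Warning 'winlogbeat service not found; check the installation.' }

# 2. Create the keystore only if it does not exist yet (create fails if it already exists).
$KeystorePath = Join-Path $DataDir 'winlogbeat.keystore'
if (-not (Test-Path $KeystorePath)) {
    Invoke-Winlogbeat -Arguments @('keystore', 'create')
}

# 3. Read the API key without echoing it and feed it via stdin; --force overwrites
#    an existing entry so the script can be re-run after key rotation.
$Secure = Read-Host -Prompt "Elasticsearch API key for $KeyName" -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringUni(
            [Runtime.InteropServices.Marshal]::SecureStringToGlobalAllocUnicode($Secure))
$Plain | & $Exe -c $Config --path.data $DataDir keystore add $KeyName --stdin --force
$Plain = $null

# 4. Confirm the key is listed, then validate the config and the Elasticsearch output
#    without running the beat in the foreground (-e).
$Listed = @(Invoke-Winlogbeat -Arguments @('keystore', 'list')) -contains $KeyName
if (-not $Listed) { throw "Key '$KeyName' is not present in $KeystorePath" }
Invoke-Winlogbeat -Arguments @('test', 'config')
Invoke-Winlogbeat -Arguments @('test', 'output')
if ($LASTEXITCODE -eq 0) { Start-Service winlogbeat; Get-Service winlogbeat }
```

If `test output` authenticates here but the service still fails, compare the `--path.data` in the service command line with `$DataDir`; a keystore created under a different data directory is invisible to the service.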