Winlogbeat Secrets Key Store

Elastic Stack Beats
1

Hi there!

(Reference link that I used for what I tried: Secrets keystore for secure settings)

Here's with I did to setup my Winlogbeat's communication with Elasticsearch, with the use of an API key (instead of credentials).

These commands are executed in an high-integrity PowerShell:

Confirm that the keystore is empty/not created:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list

Create the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore create

Add key to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore add ES_API

[API_key_string_placeholder]

Confirm that the key was successfully added to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list

Next, I replaced the following in my winlogbeat.yml:
Original:
output.elasticsearch.api_key: [API_key_string_placeholder]
Modified:
output.elasticsearch.api_key: "${ES_API}"

I executed this command to confirm that Winlogbeat could communicate with Elasticsearch successfully:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e

However, I cannot run Start-Service winlogbeat successfully:

image
image1013×154 81.1 KB

Running sc qc winlogbeat in cmd.exe shows the command that the service runs when it is started:

image
image1610×297 113 KB

Running the command from the above output directly tells us a clearer error of why Start-Service winlogbeat did not work (I think):

image
image1611×124 20.2 KB

I added -E "output.elasticsearch.api_key=\${ES_API} to the above command, but it did not work too:

image
image1611×120 12.4 KB

I also added -E "output.elasticsearch.api_key=\${ES_API}" to the command executed in PowerShell earlier, so the full command is .'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e -E "output.elasticsearch.api_key=\${ES_API}". However, it says that the authentication with Elasticsearch failed. Not attaching any screenshots here tentatively for this one because of the verbose data shown.

Not sure what I did wrong, particularly why there is a missing field accessing 'output.elasticsearch.api_key'. Perhaps something to do with the formatting (particularly $)?

Seeking advice please!

2

Bump!

Wondering how we can solve this issue so that another layer of security is ensured when using Winlogbeat (or other Beats).

Also, if anyone can advice of a more secure method of authenticating with Elasticsearch (besides having an API Key + putting it in a Beats keystore), please advise!

Thank you. :slight_smile: And have a beautiful day!

3

Bump!

Still looking for assistance regarding this please.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.