Winlogbeat Secrets Key Store

Hi there!

(Reference link that I used for what I tried: Secrets keystore for secure settings)

Here's what I did to set up my Winlogbeat's communication with Elasticsearch, with the use of an API key (instead of credentials).

These commands are executed in a high-integrity PowerShell:

Confirm that the keystore is empty/not created:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list

Create the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore create

Add key to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore add ES_API

[API_key_string_placeholder]

Confirm that the key was successfully added to the keystore:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' keystore list

Next, I replaced the following in my winlogbeat.yml:
Original:
output.elasticsearch.api_key: [API_key_string_placeholder]
Modified:
output.elasticsearch.api_key: "${ES_API}"

I executed this command to confirm that Winlogbeat could communicate with Elasticsearch successfully:
.'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e

However, I cannot run Start-Service winlogbeat successfully:

Running sc qc winlogbeat in cmd.exe shows the command that the service runs when it is started:

Running the command from the above output directly gives a clearer error of why Start-Service winlogbeat did not work (I think):

I added -E "output.elasticsearch.api_key=\${ES_API}" to the above command, but it did not work either:

I also added -E "output.elasticsearch.api_key=\${ES_API}" to the command executed in PowerShell earlier, so the full command is .'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe' -c 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml' -e -E "output.elasticsearch.api_key=\${ES_API}". However, it says that the authentication with Elasticsearch failed. Not attaching any screenshots here tentatively for this one because of the verbose data shown.

Not sure what I did wrong, particularly why there is a missing field accessing 'output.elasticsearch.api_key'. Perhaps something to do with the formatting (particularly $)?

Seeking advice please!
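An added example (not from the original post, and not Elastic's own script) that scripts the keystore steps above and checks the result with Winlogbeat's own test subcommands rather than a foreground run with -e. It assumes the install path from the post, that the API key is provided in the ES_API_KEY environment variable instead of being typed at the prompt, and that $Data is the same --path.data the installed service is started with, since the keystore file is stored under path.data and a keystore created with a different data path is invisible to the service.

```powershell
# Added example, not the original poster's commands. Assumptions are marked below.
$Exe  = 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.exe'
$Cfg  = 'C:\Program Files\Elastic\Winlogbeat\winlogbeat.yml'
$Data = 'C:\ProgramData\winlogbeat'   # assumption: must equal the service's --path.data

# The keystore must be written by an elevated session so the service account can read it.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (high-integrity) PowerShell session.'
}

# Pass the same config and data path on every call so the keystore is always resolved
# from the same location that the service uses.
$Common = @('-c', $Cfg, '--path.data', $Data)

# Create the keystore only if the keystore file does not exist yet under path.data.
$KeystoreFile = Join-Path $Data 'winlogbeat.keystore'
if (-not (Test-Path $KeystoreFile)) {
    & $Exe @Common keystore create
    if ($LASTEXITCODE -ne 0) { throw 'keystore create failed' }
}

# Feed the secret over stdin instead of the interactive prompt; --force overwrites an
# existing ES_API entry so the script can be re-run after rotating the key.
if (-not $env:ES_API_KEY) { throw 'Set $env:ES_API_KEY before running this script.' }
$env:ES_API_KEY | & $Exe @Common keystore add ES_API --stdin --force
if ($LASTEXITCODE -ne 0) { throw 'keystore add failed' }

# Confirm the entry is listed.
$keys = & $Exe @Common keystore list
if ($keys -notcontains 'ES_API') { throw 'ES_API was not found in the keystore' }

# Check that winlogbeat.yml parses with ${ES_API} resolved from the keystore, then that
# the Elasticsearch output can actually authenticate with it.
& $Exe @Common test config
if ($LASTEXITCODE -ne 0) { throw 'test config failed: check the ${ES_API} reference in winlogbeat.yml' }
& $Exe @Common test output
if ($LASTEXITCODE -ne 0) { throw 'test output failed: Elasticsearch rejected the resolved api_key' }
```

If test output passes here but the service still fails, compare the --path.data in the output of sc qc winlogbeat with $Data, because the service only sees a keystore stored under its own data path.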

Bump!

Wondering how we can solve this issue so that another layer of security is ensured when using Winlogbeat (or other Beats).

Also, if anyone can advise on a more secure method of authenticating with Elasticsearch (besides having an API Key + putting it in a Beats keystore), please advise!

Thank you. :) And have a beautiful day!

Bump!

Still looking for assistance regarding this please.