Secrets keystore for secure settingsedit

When you configure Auditbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Auditbeat keystore to securely store secret values for use in configuration settings.

After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.

The syntax for referencing keys is identical to the syntax for environment variables:


Where KEY is the name of the key.

For example, imagine that the keystore contains a key called ES_PWD with the value yourelasticsearchpassword:

  • In the configuration file, use output.elasticsearch.password: "${ES_PWD}"
  • On the command line, use: -E "output.elasticsearch.password=\${ES_PWD}"

When Auditbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.

Notice that the Auditbeat keystore differs from the Elasticsearch keystore. Whereas the Elasticsearch keystore lets you store elasticsearch.yml values by name, the Auditbeat keystore lets you specify arbitrary names that you can reference in the Auditbeat configuration.

To create and manage keys, use the keystore command. See the command reference for the full command syntax, including optional flags.

The keystore command must be run by the same user who will run Auditbeat.

Create a keystoreedit

To create a secrets keystore, use:

auditbeat keystore create

Auditbeat creates the keystore in the directory defined by the configuration setting.

Add keysedit

To store sensitive values, such as authentication credentials for Elasticsearch, use the keystore add command:

auditbeat keystore add ES_PWD

When prompted, enter a value for the key.

To overwrite an existing key’s value, use the --force flag:

auditbeat keystore add ES_PWD --force

To pass the value through stdin, use the --stdin flag. You can also use --force:

cat /file/containing/setting/value | auditbeat keystore add ES_PWD --stdin --force

List keysedit

To list the keys defined in the keystore, use:

auditbeat keystore list

Remove keysedit

To remove a key from the keystore, use:

auditbeat keystore remove ES_PWD