Secure communication with Elasticsearchedit

To secure the communication between Filebeat and Elasticsearch, you can use HTTPS and basic authentication. Basic authentication for Elasticsearch is available when you enable X-Pack security (see Securing the Elastic Stack and Use X-Pack security). If you aren’t using X-Pack security, you can use a web proxy instead.

Here is a sample configuration:

output.elasticsearch:
  username: filebeat 
  password: verysecret 
  protocol: https 
  hosts: ["elasticsearch.example.com:9200"] 

The username to use for authenticating to Elasticsearch.

The password to use for authenticating to Elasticsearch.

This setting enables the HTTPS protocol.

The IP and port of the Elasticsearch nodes.

Tip

To obfuscate passwords and other sensitive settings, use the secrets keystore.

Filebeat verifies the validity of the server certificates and only accepts trusted certificates. Creating a correct SSL/TLS infrastructure is outside the scope of this document.

By default Filebeat uses the list of trusted certificate authorities from the operating system where Filebeat is running. You can configure Filebeat to use a specific list of CA certificates instead of the list from the OS. You can also configure it to use client authentication by specifying the certificate and key to use when the server requires the Beat to authenticate. Here is an example configuration:

output.elasticsearch:
  username: filebeat
  password: verysecret
  protocol: https
  hosts: ["elasticsearch.example.com:9200"]
  ssl.certificate_authorities: 
    - /etc/pki/my_root_ca.pem
    - /etc/pki/my_other_ca.pem
  ssl.certificate: "/etc/pki/client.pem" 
  ssl.key: "/etc/pki/key.pem" 

The list of CA certificates to trust

The path to the certificate for SSL client authentication

The client certificate key

Note

For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for hosts, or the SSL handshake fails. For example, if you specify hosts: ["foobar:9200"], the certificate MUST include foobar in the subject (CN=foobar) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in /etc/hosts (on Unix) or C:\Windows\System32\drivers\etc\hosts (on Windows).