This functionality is experimental and may be changed or removed completely in a future release. Elastic will take a best effort approach to fix any issues, but experimental features are not subject to the support SLA of official GA features.
NOTE: This You are looking at documentation for an older release. For the latest information, see the current release documentation.
When you configure Journalbeat, you might need to specify sensitive settings, such as passwords. Rather than relying on file system permissions to protect these values, you can use the Journalbeat keystore to securely store secret values for use in configuration settings.
After adding a key and its secret value to the keystore, you can use the key in place of the secret value when you configure sensitive settings.
The syntax for referencing keys is identical to the syntax for environment variables:
Where KEY is the name of the key.
For example, imagine that the keystore contains a key called
ES_PWD with the
In the configuration file, use
On the command line, use:
When Journalbeat unpacks the configuration, it resolves keys before resolving environment variables and other variables.
Notice that the Journalbeat keystore differs from the Elasticsearch keystore.
Whereas the Elasticsearch keystore lets you store
elasticsearch.yml values by
name, the Journalbeat keystore lets you specify arbitrary names that you can
reference in the Journalbeat configuration.
To create and manage keys, use the
keystore command. See the
command reference for the full command syntax, including
keystore command must be run by the same user who will run
Create a keystoreedit
To create a secrets keystore, use:
journalbeat keystore create
Journalbeat creates the keystore in the directory defined by the
To store sensitive values, such as authentication credentials for Elasticsearch,
keystore add command:
journalbeat keystore add ES_PWD
When prompted, enter a value for the key.
To overwrite an existing key’s value, use the
journalbeat keystore add ES_PWD --force
To pass the value through stdin, use the
--stdin flag. You can also use
cat /file/containing/setting/value | journalbeat keystore add ES_PWD --stdin --force
To list the keys defined in the keystore, use:
journalbeat keystore list
To remove a key from the keystore, use:
journalbeat keystore remove ES_PWD