Logstash and Security

The Logstash Elasticsearch plugins ( output, input, filter and monitoring support authentication and encryption over HTTP.

To use Logstash with a secured cluster, you need to configure authentication credentials for Logstash. Logstash throws an exception and the processing pipeline is halted if authentication fails.

If encryption is enabled on the cluster, you also need to enable SSL in the Logstash configuration.

If you wish to monitor your logstash instance with x-pack monitoring, and store the monitoring data in a secured elasticsearch cluster, you must configure Logstash with a username and password for a user with the appropriate permissions.

In addition to configuring authentication credentials for Logstash, you need to grant authorized users permission to access the Logstash indices.

Configuring Logstash to use Basic Authentication

Logstash needs to be able to manage index templates, create indices, and write and delete documents in the indices it creates.

To set up authentication credentials for Logstash:

  1. Create a logstash_writer role that has the manage_index_templates cluster privilege, and the write, delete, and create_index privileges for the Logstash indices. You can create roles from the Management > Roles UI in Kibana or through the role API:

    POST _xpack/security/role/logstash_writer
    {
      "cluster": ["manage_index_templates", "monitor"],
      "indices": [
        {
          "names": [ "logstash-*" ], 
          "privileges": ["write","delete","create_index"]
        }
      ]
    }

    If you use a custom Logstash index pattern, specify that pattern instead of the default logstash-* pattern.

  2. Create a logstash_internal user and assign it the logstash_writer role. You can create users from the Management > Users UI in Kibana or through the user API:

    POST _xpack/security/user/logstash_internal
    {
      "password" : "changeme",
      "roles" : [ "logstash_writer"],
      "full_name" : "Internal Logstash User"
    }
  3. Configure Logstash to authenticate as the logstash_internal user you just created. You configure credentials separately for each of the Elasticsearch plugins in your Logstash .conf file. For example:

    input {
      elasticsearch {
        ...
        user => logstash_internal
        password => changeme
      }
    }
    filter {
      elasticsearch {
        ...
        user => logstash_internal
        password => changeme
      }
    }
    output {
      elasticsearch {
        ...
        user => logstash_internal
        password => changeme
      }
    }

Granting Users Access to the Logstash Indices

To access the indices Logstash creates, users need the read and view_index_metadata privileges:

  1. Create a logstash_reader role that has the read and `view_index_metadata privileges for the Logstash indices. You can create roles from the Management > Roles UI in Kibana or through the role API:

    POST _xpack/security/role/logstash_reader
    {
      "indices": [
        {
          "names": [ "logstash-*" ], 
          "privileges": ["read","view_index_metadata"]
        }
      ]
    }

    If you use a custom Logstash index pattern, specify that pattern instead of the default logstash-* pattern.

  2. Assign your Logstash users the logstash_reader role. You can create and manage users from the Management > Users UI in Kibana or through the user API:

    POST _xpack/security/user/logstash_user
    {
      "password" : "changeme",
      "roles" : [ "logstash_reader"],
      "full_name" : "Kibana User"
    }
Configuring the elasticsearch Output to use PKI Authentication

The elasticsearch output supports PKI authentication. To use an X.509 client-certificate for authentication, you configure the keystore and keystore_password options in your Logstash .conf file:

output {
  elasticsearch {
    ...
    keystore => /path/to/keystore.jks
    keystore_password => realpassword
    truststore =>  /path/to/truststore.jks 
    truststore_password =>  realpassword
  }
}

If you use a separate truststore, the truststore path and password are also required.

Configuring Logstash to use TLS Encryption

If TLS encryption is enabled on the Elasticsearch cluster, you need to configure the ssl and cacert options in your Logstash .conf file:

output {
  elasticsearch {
    ...
    ssl => true
    cacert => '/path/to/cert.pem' 
  }
}

The path to the local .pem file that contains the Certificate Authority’s certificate.

Configuring Logstash Monitoring

If you wish to ship Logstash monitoring data to a secure cluster, Logstash must be configured with a username and password.

X-Pack security comes preconfigured with a logstash_system user for this purpose. This user has the minimum permissions necessary for the monitoring function, and should not be used for any other purpose - it is specifically not intended for use within a Logstash pipeline.

By default, the logstash_system user password is set to changeme. Change this password through the reset password API:

PUT _xpack/security/user/logstash_system/_password
{
  "password": "t0p.s3cr3t"
}

Then configure the user and password in your logstash.yml configuration file:

xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: t0p.s3cr3t

If you initially installed an older version of X-Pack, and then upgraded, then the logstash_system user may have defaulted to disabled for security reasons. You can enable the user with the following API call:

PUT _xpack/security/user/logstash_system/_enable