Securing Elastic Stack 7.6.1
Elasticsearch, Kibana, & Filebeat
Elasticsearch
To enable the X-Pack security features in Elasticsearch, open elasticsearch.yml and add:
xpack.license.self_generated.type: basic
xpack.security.enabled: true
Save it and restart Elasticsearch with systemctl restart elasticsearch. Now set passwords for the Elasticsearch built-in users:
cd /usr/share/elasticsearch
bin/elasticsearch-setup-passwords interactive
Make sure to remember the passwords for the elastic and kibana users, because they are used later in the Filebeat and Kibana configuration.
Generate a Certificate Authority (CA) with the elasticsearch-certutil command:
bin/elasticsearch-certutil ca
The output is elastic-stack-ca.p12. Next, generate the certificate that secures communication between nodes:
bin/elasticsearch-certutil cert --ca /path/to/elastic-stack-ca.p12
The output is elastic-certificates.p12. Change the owner and permissions of elastic-certificates.p12, then move it to /etc/elasticsearch:
chmod 660 /path/to/elastic-certificates.p12
chown root:elasticsearch /path/to/elastic-certificates.p12
mv /path/to/elastic-certificates.p12 /etc/elasticsearch
Open the elasticsearch.yml file, then add:
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
Then save. If you set a password on the certificate file, store it in the keystore with:
bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password
Restart Elasticsearch with systemctl restart elasticsearch.
Kibana
Generate the certificate that secures HTTP communication with the Elasticsearch node using the elasticsearch-certutil command. When prompted for the certificate Common Name (CN), it is recommended to use the Elasticsearch server IP address; when asked for IP addresses, enter the Elasticsearch server IP address and the IP address of every other server that communicates with Elasticsearch.
cd /usr/share/elasticsearch
bin/elasticsearch-certutil http
The output is a zip file containing certificates for use in Elasticsearch and Kibana. Copy the elasticsearch-ca.pem file from the Kibana folder to the Filebeat server, because it is used later to configure secure communication between Filebeat and Elasticsearch.
Open the elasticsearch.yml file, then add:
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/path/to/http.p12"
Save it. If you set a password when generating the certificate, store it in the keystore with:
bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password
Restart Elasticsearch with systemctl restart elasticsearch.
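Before restarting, the edited file can be sanity-checked offline. The POSIX shell lint below is an added example, not from Elastic or the original post; it verifies the settings added in the Elasticsearch section and in the HTTP step above, and the two sample configs it writes are constructed for the demonstration.

```shell
# Offline lint for the elasticsearch.yml settings this guide enables (added
# example, not from Elastic; sample configs below are constructed).
# Prints one FAIL line per problem; returns 0 only when every check passes.
# Print the value of a top-level "key: value" line, quotes stripped, or nothing.
yaml_value() {
  key_re=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots literal
  sed -n "s/^[[:space:]]*${key_re}:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'"
}
check_es_security() {
  f="$1"; rc=0
  # Authentication plus TLS on both layers: each key must be present and true.
  for kv in 'xpack.security.enabled=true' \
            'xpack.security.transport.ssl.enabled=true' \
            'xpack.security.http.ssl.enabled=true'; do
    key=${kv%%=*}; want=${kv#*=}; got=$(yaml_value "$key" "$f")
    [ "$got" = "$want" ] || { echo "FAIL $key: want '$want', got '${got:-<unset>}'"; rc=1; }
  done
  # 'none' switches off peer verification on the transport layer entirely.
  mode=$(yaml_value xpack.security.transport.ssl.verification_mode "$f")
  [ "$mode" != "none" ] || { echo "FAIL transport verification_mode is 'none'"; rc=1; }
  # Transport TLS needs a keystore and truststore path.
  for key in xpack.security.transport.ssl.keystore.path \
             xpack.security.transport.ssl.truststore.path; do
    [ -n "$(yaml_value "$key" "$f")" ] || { echo "FAIL $key is unset"; rc=1; }
  done
  return $rc
}
# Constructed sample matching the settings from this guide.
write_sample_good() {
  cat > "$1" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/etc/elasticsearch/http.p12"
EOF
}
# Constructed sample: security left commented out, peer verification disabled.
write_sample_bad() {
  cat > "$1" <<'EOF'
#xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: none
EOF
}
```

Run check_es_security /etc/elasticsearch/elasticsearch.yml after completing the edits in this guide; a non-zero exit with FAIL lines means a setting is missing, commented out, or weakened.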
Open kibana.yml, then change
elasticsearch.hosts: ["Elasticsearch_IP:9200"]
to
elasticsearch.hosts: ["https://Elasticsearch_IP:9200"]
and add
elasticsearch.ssl.verificationMode: certificate
xpack.monitoring.enabled: false
elasticsearch.ssl.certificateAuthorities: [ "/path/to/elasticsearch-ca.pem" ]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana_password"
Save it. If you want to encrypt communication between Kibana and the browser, generate a certificate with
bin/elasticsearch-certutil ca --pem
The output is a certificate and key for use in Kibana. Open kibana.yml, then add
server.ssl.enabled: true
server.ssl.certificate: "/path/to/ca.crt"
server.ssl.key: "/path/to/ca.key"
Save it and restart Kibana with systemctl restart kibana.
Filebeat
Open filebeat.yml, then change the following line in the Elasticsearch output section from
hosts: ["Elasticsearch_IP:9200"]
to
hosts: ["https://Elasticsearch_IP:9200"]
and add
ssl.certificate_authorities: ["/path/to/elasticsearch-ca.pem"]
username: "elastic"
password: "elastic_password"
Save it and restart Filebeat with systemctl restart filebeat.