Securing Elastic Stack 7.6.1

Arvi Rizki
2 min read · Mar 29, 2020


Elasticsearch, Kibana, & Filebeat

Elasticsearch

To enable the X-Pack security features in Elasticsearch, open elasticsearch.yml and add

xpack.license.self_generated.type: basic
xpack.security.enabled: true

Save it and restart Elasticsearch with systemctl restart elasticsearch. Now set passwords for the Elasticsearch built-in users

cd /usr/share/elasticsearch
bin/elasticsearch-setup-passwords interactive

Make sure to note the passwords for the elastic and kibana users, because they are needed later for the Filebeat and Kibana configuration.

Generate a Certificate Authority (CA) with the elasticsearch-certutil command

bin/elasticsearch-certutil ca

The output is elastic-stack-ca.p12. Generate a certificate for securing communication between nodes

bin/elasticsearch-certutil cert --ca /path/to/elastic-stack-ca.p12

The output is elastic-certificates.p12. Change the owner and permissions of elastic-certificates.p12, then move it to /etc/elasticsearch.

chmod 660 /path/to/elastic-certificates.p12
chown root:elasticsearch /path/to/elastic-certificates.p12
mv /path/to/elastic-certificates.p12 /etc/elasticsearch

Open the elasticsearch.yml file, then add

xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Then save. If you set a password on the certificate file, also run

bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Restart Elasticsearch with systemctl restart elasticsearch.

Kibana

Generate a certificate for securing communication with the Elasticsearch node using the elasticsearch-certutil command

When prompted for the certificate Common Name (CN), it is recommended to use the Elasticsearch server IP address. When asked for IP addresses, enter the Elasticsearch server IP address and the IP address of every other server that Elasticsearch communicates with.

cd /usr/share/elasticsearch
bin/elasticsearch-certutil http

The output is a zip that contains certificates for use in Elasticsearch and Kibana. Copy the elasticsearch-ca.pem file from the kibana folder to the Filebeat server, because it is used to configure secure communication between Filebeat and Elasticsearch.

Open the elasticsearch.yml file, then add

xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/path/to/http.p12"

Save it and, if you set a password when making the certificate, run

bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password

Restart Elasticsearch with systemctl restart elasticsearch. Open kibana.yml, then change

elasticsearch.hosts: ["Elasticsearch_IP:9200"]

To

elasticsearch.hosts: ["https://Elasticsearch_IP:9200"]

And add

elasticsearch.ssl.verificationMode: certificate
xpack.monitoring.enabled: false
elasticsearch.ssl.certificateAuthorities: [ "/path/to/elasticsearch-ca.pem" ]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana_password"

Save it. If you want to encrypt communication between Kibana and the browser, make a certificate with

bin/elasticsearch-certutil ca --pem

The output is a certificate and key to use in Kibana. Open kibana.yml, then add

server.ssl.enabled: true
server.ssl.certificate: "/path/to/ca.crt"
server.ssl.key: "/path/to/ca.key"

Save it and restart Kibana with systemctl restart kibana.

Filebeat

Open filebeat.yml, then change the following line in the Elasticsearch output section from

hosts: ["Elasticsearch_IP:9200"]

To

hosts: ["https://Elasticsearch_IP:9200"]

And add

ssl.certificate_authorities: ["/path/to/elasticsearch-ca.pem"]
username: "elastic"
password: "elastic_password"

Save it and restart Filebeat with systemctl restart filebeat.
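After all three files are edited it is easy to miss one setting (a host left on plain http, a missing CA path, security still off), and the symptom is often just a 401 or a connection reset. The script below is an added example, not code from this post or from Elastic: it flattens the flat key/value style of elasticsearch.yml, kibana.yml and filebeat.yml with a minimal parser (not a YAML library) and reports which of the settings described above are missing. The sample configs, the IP 10.0.0.5 and the /etc/kibana and /etc/filebeat paths are constructed placeholders.

```python
"""Audit Elastic Stack 7.x config files for the TLS and authentication
settings described in the post. Added example, not code from the article
or from Elastic; the config texts below are constructed placeholders."""
import ast
from typing import Any, Dict, List

def parse_scalar(value: str) -> Any:
    """Turn a YAML scalar into a Python value: bool, list or str."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value[0] in "[\"'":
        try:
            return ast.literal_eval(value)
        except (ValueError, SyntaxError):
            pass
    return value

def flatten_yaml(text: str) -> Dict[str, Any]:
    """Flatten simple 'key: value' YAML into dotted keys. Nested mappings are
    tracked by indentation; block sequences and multi-line scalars are not
    supported (the settings in the post do not use them)."""
    result: Dict[str, Any] = {}
    stack: List[tuple] = []  # (indent, key) of the enclosing mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            result[dotted] = parse_scalar(value.strip())
        else:
            stack.append((indent, key.strip()))  # line opens a nested mapping
    return result

def audit_elasticsearch(cfg: Dict[str, Any]) -> List[str]:
    """Findings for elasticsearch.yml: auth, transport TLS and HTTP TLS."""
    findings = []
    if cfg.get("xpack.security.enabled") is not True:
        findings.append("xpack.security.enabled is not true: cluster has no authentication")
    if cfg.get("xpack.security.transport.ssl.enabled") is not True:
        findings.append("transport TLS is off: node-to-node traffic is plaintext")
    elif cfg.get("xpack.security.transport.ssl.verification_mode") not in ("certificate", "full"):
        findings.append("transport verification_mode is not certificate/full: peer certs unverified")
    if cfg.get("xpack.security.http.ssl.enabled") is not True:
        findings.append("HTTP TLS is off: Kibana and Filebeat credentials travel in plaintext")
    return findings

def audit_client(cfg: Dict[str, Any], prefix: str, ca_key: str, verify_key: str = "") -> List[str]:
    """Findings for a client of Elasticsearch. prefix is 'elasticsearch.' for
    kibana.yml and 'output.elasticsearch.' for filebeat.yml."""
    findings = []
    hosts = cfg.get(prefix + "hosts", [])
    for host in [hosts] if isinstance(hosts, str) else hosts:
        if not host.startswith("https://"):
            findings.append(f"host {host!r} is not https://")
    if not cfg.get(prefix + ca_key):
        findings.append(f"{prefix}{ca_key} missing: server certificate cannot be verified")
    if verify_key and cfg.get(prefix + verify_key) not in ("certificate", "full"):
        findings.append(f"{prefix}{verify_key} is not certificate/full")
    if not (cfg.get(prefix + "username") and cfg.get(prefix + "password")):
        findings.append("username/password missing: Elasticsearch will answer 401")
    return findings

# Constructed samples mirroring the post's final settings (10.0.0.5 is a placeholder).
ES_YML = """
xpack.license.self_generated.type: basic
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "/etc/elasticsearch/http.p12"
"""
KIBANA_YML = """
elasticsearch.hosts: ["https://10.0.0.5:9200"]
elasticsearch.ssl.verificationMode: certificate
xpack.monitoring.enabled: false
elasticsearch.ssl.certificateAuthorities: [ "/etc/kibana/elasticsearch-ca.pem" ]
elasticsearch.username: "kibana"
elasticsearch.password: "kibana_password"
"""
FILEBEAT_YML = """
output.elasticsearch:
  hosts: ["https://10.0.0.5:9200"]
  ssl.certificate_authorities: ["/etc/filebeat/elasticsearch-ca.pem"]
  username: "elastic"
  password: "elastic_password"
"""

def audit_stack(es: str = ES_YML, kibana: str = KIBANA_YML, filebeat: str = FILEBEAT_YML) -> Dict[str, List[str]]:
    """Run all three audits; an empty list per file means the post's settings are present."""
    return {
        "elasticsearch.yml": audit_elasticsearch(flatten_yaml(es)),
        "kibana.yml": audit_client(flatten_yaml(kibana), "elasticsearch.", "ssl.certificateAuthorities", "ssl.verificationMode"),
        "filebeat.yml": audit_client(flatten_yaml(filebeat), "output.elasticsearch.", "ssl.certificate_authorities"),
    }

if __name__ == "__main__":
    for name, findings in audit_stack().items():
        print(name, "OK" if not findings else findings)
```

To check a real server, read each file with open(...).read() and pass the text to audit_stack(); the audit only looks at the keys used in this post, so a setting spelled differently (for example a keystore path under a different key) is reported as missing rather than silently accepted.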
