Communication between ElasticSearch and Kibana - elasticsearch

I am trying to understand how Kibana communicates with ElasticSearch. Does this communication happen between the browser and the ElasticSearch server directly (bypassing the Kibana server), or do all Kibana requests go through the Kibana server, which then passes them on to ElasticSearch?
I am trying to figure out how to implement security around my ElasticSearch- and Kibana-based servers.

In Kibana 3, the browser would talk to Elasticsearch directly. Any protection of Elasticsearch had to be done via a front-end web server, typically nginx with a bunch of proxy rules to prevent certain actions, etc.
In Kibana 4, they realized that having a server would be beneficial, so your browser talks to the Kibana server, which talks to Elasticsearch.
The "official" way to protect Elasticsearch is with "Shield", which handles authentication and authorization for actions against the server.

In Kibana 5, a request is sent from the web browser to the Kibana backend (developed using hapi.js); that request is then sent to Elasticsearch using the elasticsearch plugin, which is one of the Kibana core plugins.

Related

Trigger LogStash pipeline from Kibana

Is there any easy way to configure it from Kibana? I have full control of the LogStash server and am running Kibana on Elastic Cloud.
The only possible route I can think of is to create a custom button in Kibana that calls a web service, and to set up a web service on the LogStash server that manually starts Logstash when called.
Is there any other way around this?

Get back data from ElasticSearch

I'm new to ELK. We have a Spring Boot backend on a dedicated AWS instance. We have the ELK stack on another instance (to the outside world only Kibana is available). Information gathering into ELK is carried out via Amazon SQS.
This information includes logs and some business history about users (registration, any other action, etc.).
In this case, I have a question: is it possible to get back information by action and by user, and use it in the backend responses?
I am guessing you want data present in Elasticsearch to be available to the Spring Boot application. It is definitely possible. You will need to open up the Elasticsearch port on the Elasticsearch machine specifically to the EC2 instance on which Spring Boot is running. How to open the port will depend on whether they are in the same VPC, different VPCs, different AWS accounts, etc. Once the port is open, you can either use Spring Data Elasticsearch or just REST calls to access the Elasticsearch API.

Securing Kibana for an internet facing startup

New to Kibana and not an expert in web security. We're trying to build a small startup in which we're leveraging Kibana 5.x for our back-office analysts for data exploration. This is a web app and will be accessible over the internet.
Also, X-Pack security (though promising) may not be an option for us, purely because of cost.
I'd like to summarize my thoughts and get them validated by professionals out here.
Firstly, I'm thinking of putting Elasticsearch behind a firewall so that only my app server and Kibana server can access it - ES is now secure.
I'm thinking of fronting Kibana with a reverse proxy (Apache or nginx) and applying basic authentication. And everything will be over HTTPS.
I'll only allow GET requests to Kibana through this reverse proxy so that the users can read only.
Does this have any gap? Also, I'm wondering if Kibana makes a direct call to Elasticsearch from its JavaScript running in the browser. If this is true then we would have another potential backdoor to get to ES. What should be done if this is true?
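The proposal above is a reverse proxy in front of Kibana 5 that passes GET requests only. Because Kibana 4 and 5 route the browser's requests through the Kibana server (as the earlier answers explain), the proxy sees everything the dashboards send, so the rule set can be checked against that traffic before it goes live. The model below is an added example by the editor, not code from the post, from Kibana or from nginx. It assumes Kibana 5 forwards browser requests for /elasticsearch/* to the cluster and that dashboards query through POST /elasticsearch/_msearch; the saved-object paths under /elasticsearch/.kibana/ are illustrative. Capture the real paths for your version from the browser's network tab before turning any of this into proxy rules.

```python
"""Request-policy model for a reverse proxy in front of Kibana 5.

Editor-added example; not code from the post, from Kibana or from nginx. It
models the allow/deny decision a reverse proxy makes so that a candidate rule
set can be checked against the requests Kibana's browser code issues.

Assumptions (not stated on the page): Kibana 5 forwards browser requests for
/elasticsearch/* to the cluster, dashboards query through
POST /elasticsearch/_msearch, and the saved-object paths under
/elasticsearch/.kibana/ are illustrative.
"""
import posixpath
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    path: str


# Elasticsearch endpoints that only read, even when called with POST.
READ_ONLY_ES_APIS = {"_search", "_msearch", "_mget", "_count"}


def normalize(path: str) -> str:
    """Drop the query string and collapse '//' and '..' before matching, so a
    rule cannot be sidestepped with /elasticsearch/_msearch/../.kibana/..."""
    bare = path.split("?", 1)[0]
    return posixpath.normpath("/" + bare.lstrip("/"))


def get_only_policy(req: Request) -> bool:
    """The rule proposed in the post: let GET through, deny everything else."""
    return req.method == "GET"


def read_only_policy(req: Request) -> bool:
    """Allow reads only, but keep Kibana working: every GET passes, and POST is
    allowed only when it targets a read-only Elasticsearch API."""
    path = normalize(req.path)
    if req.method == "GET":
        return True
    if req.method == "POST" and path.startswith("/elasticsearch/"):
        return path.rsplit("/", 1)[-1] in READ_ONLY_ES_APIS
    return False


# Constructed traffic modelled on a Kibana 5 session plus three abuse attempts.
SAMPLE_REQUESTS = [
    Request("GET", "/app/kibana"),                                      # load the UI
    Request("POST", "/elasticsearch/_msearch"),                         # dashboard queries
    Request("POST", "/elasticsearch/logstash-*/_search"),               # Discover tab
    Request("POST", "/elasticsearch/.kibana/dashboard/my-dash"),        # save a dashboard
    Request("DELETE", "/elasticsearch/logstash-2017.01.01"),            # destroy an index
    Request("POST", "/elasticsearch/_msearch/../.kibana/dashboard/x"),  # traversal attempt
    Request("POST", "/elasticsearch/_bulk"),                            # bulk write
]


def evaluate(policy, requests=SAMPLE_REQUESTS) -> dict:
    """Map 'METHOD path' to the policy's decision for each request."""
    return {f"{r.method} {r.path}": policy(r) for r in requests}


if __name__ == "__main__":
    for name, policy in (("GET only", get_only_policy), ("read only", read_only_policy)):
        print(f"--- {name} ---")
        for key, allowed in evaluate(policy).items():
            print(f"{'ALLOW' if allowed else 'DENY':5} {key}")
```

Run it and the GET-only rule denies `POST /elasticsearch/_msearch`, which under the stated assumption is how the dashboards query, so that proxy would block Kibana itself rather than just writes. The read-only variant passes it while still denying the dashboard save, the index deletion, `_bulk`, and the `..` traversal once the path is normalized. Note that "read only" at the proxy still lets any authenticated analyst read every index Kibana can reach; limiting what each user may see needs authorization on the Elasticsearch side (Shield/X-Pack or a comparable plugin), not proxy rules.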

Elasticsearch serving data for 2 apps

I have 2 web applications where I am indexing data on Elasticsearch on 2 different servers, and I'm currently using facetflow.io as an Elasticsearch hosting service (I have 2 accounts on facetflow.io).
Now I am configuring an Ubuntu server, and I want both apps to point to the same Ubuntu Elasticsearch server and have it serve Elasticsearch data for both of my Python web apps.
What's the best approach?
Is it possible, and do I have to run multiple Elasticsearch instances on the Ubuntu server?
Configuring the server, do I need multiple nodes?
Authentication: do I use Elasticsearch Shield, or is there any other option available for free?

Elasticsearch Access Log

I'm trying to track down who is issuing queries to an ElasticSearch cluster. Elastic doesn't appear to have an access log.
Is there a place where I can find out which IP is hitting the cluster?
Elasticsearch doesn't provide any security out of the box, and that is on purpose and by design.
So you have a couple of solutions out there:
1. Don't leave your ES cluster exposed to the open world, but put it behind a firewall (i.e. whitelist the hosts that can access ports 9200/9300 on your nodes).
2. Look into the Shield plugin for Elasticsearch in order to secure your environment.
3. Put an nginx server in front of your cluster to act as a reverse proxy.
4. Add simple basic authentication with either the elasticsearch-jetty plugin or simply the elasticsearch-http-basic plugin, which also allows you to whitelist the client IPs that are allowed to access your cluster.
If you want to have access logs, you need either 2 or 3, but all the solutions above will allow you to secure your ES environment.
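With option 3 in place, the reverse proxy's own access log answers the original question of which client is hitting the cluster. The script below is an added example by the editor, not code from the answer, from Elasticsearch or from nginx. It assumes nginx's default "combined" log format, in which `$remote_addr` is the client, `$remote_user` is the basic-auth user, and the request line carries the method and path; the log lines in it are constructed for the example. It goes slightly beyond the answer by also flagging which clients issued write-capable calls and which were refused with 401/403.

```python
"""Who is querying the cluster? Summarize an nginx access log from a reverse
proxy in front of Elasticsearch.

Editor-added example; not code from the answer, from Elasticsearch or from
nginx. Assumes nginx's default "combined" log_format. The sample lines at the
bottom are constructed for this example.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Elasticsearch endpoints that only read even when called with POST.
READ_ONLY_POST = {"_search", "_msearch", "_mget", "_count"}


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_write(method: str, path: str) -> bool:
    """Treat PUT/DELETE and any POST outside the read-only APIs as write-capable."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return False
    if method == "POST":
        last = path.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
        return last not in READ_ONLY_POST
    return True


def summarize(lines):
    """Per-client request count, basic-auth users seen, write-capable calls and
    401/403 responses. Returns (per_ip, number_of_unparsed_lines)."""
    per_ip = {}
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        s = per_ip.setdefault(rec["ip"], {"requests": 0, "writes": [], "denied": 0, "users": set()})
        s["requests"] += 1
        if rec["user"] != "-":
            s["users"].add(rec["user"])
        if rec["status"] in (401, 403):
            s["denied"] += 1
        if is_write(rec["method"], rec["path"]):
            s["writes"].append(f'{rec["method"]} {rec["path"]}')
    return per_ip, unparsed


# Constructed sample: a Kibana host, an outside curl user, an app doing bulk writes.
SAMPLE_LOG = [
    '10.0.0.5 - kibana [10/Oct/2017:13:55:36 +0000] "POST /logstash-*/_search HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '10.0.0.5 - kibana [10/Oct/2017:13:55:37 +0000] "POST /_msearch HTTP/1.1" 200 4021 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2017:13:56:01 +0000] "GET /_cat/indices?v HTTP/1.1" 401 188 "-" "curl/7.55.0"',
    '203.0.113.9 - admin [10/Oct/2017:13:56:20 +0000] "DELETE /logstash-2017.10.09 HTTP/1.1" 200 48 "-" "curl/7.55.0"',
    '10.0.0.7 - app [10/Oct/2017:13:57:02 +0000] "POST /users/_bulk HTTP/1.1" 200 310 "-" "python-requests/2.18.4"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    per_ip, unparsed = summarize(SAMPLE_LOG)
    for ip, s in sorted(per_ip.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:15} requests={s['requests']} denied={s['denied']} users={sorted(s['users'])}")
        for w in s["writes"]:
            print(f"{'':15}   write: {w}")
    print(f"unparsed lines: {unparsed}")
```

Feed it the real file with `summarize(open('/var/log/nginx/access.log'))`. If a load balancer sits in front of nginx, `$remote_addr` is the balancer's address; add `$http_x_forwarded_for` to the `log_format` and read the client from that field instead, and only trust it when the balancer is the sole path to nginx.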
