Getting Logstash to talk to Elastic Search with HTTPS + Basic auth - elasticsearch

I have Elastic Search as part of the ELMA appliance. This appliance presents ES via HTTPS protected by basic auth. I have Logstash running on a separate machine. This Logstash needs to send log data to ES. What is the right output configuration to use?
Thanks for any pointers.
-Raj

There is an option in the new version:
http://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html#plugins-outputs-elasticsearch-password
ssl
Value type is boolean
Default value is false
SSL Configurations (HTTP only)
Enable SSL
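As an added example (not part of the answer or of the linked documentation), here is what that option looks like in an actual Logstash pipeline using the `elasticsearch` output against an HTTPS + Basic-auth endpoint. The hostname, certificate path, user name and index pattern are placeholders. Pointing `cacert` at the appliance's CA, or at its self-signed server certificate itself, keeps certificate verification on rather than disabling TLS; later plugin versions rename `ssl` and `cacert` to `ssl_enabled` and `ssl_certificate_authorities`, and deprecate the old names.

```conf
# logstash.conf, output section (example; assumed hostname, paths and user)
output {
  elasticsearch {
    # https:// in the URL plus ssl => true: talk TLS to the appliance's HTTP API on 9200
    hosts  => ["https://elma.appliance.example:9200"]
    ssl    => true

    # PEM file used to verify the server certificate. For a self-signed appliance
    # certificate this is the certificate itself. Do NOT set
    # ssl_certificate_verification => false to "make it work": that accepts any cert.
    cacert => "/etc/logstash/certs/elma-ca.pem"

    # HTTP Basic auth. ${ES_PWD} is resolved from the Logstash keystore
    # (bin/logstash-keystore add ES_PWD) or the environment, so the secret
    # never sits in the pipeline file.
    user     => "logstash_writer"
    password => "${ES_PWD}"

    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```

A quick check from the Logstash host before starting the pipeline is `curl --cacert /etc/logstash/certs/elma-ca.pem -u logstash_writer https://elma.appliance.example:9200/`; if curl rejects the certificate, Logstash will too, and the fix is the CA file, not turning `ssl` off.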

Looks like Logstash's elasticsearch_http module does not support SSL, or does not handle self-signed certs. My solution was to disable SSL on the ElasticSearch httpd conf entry in the ELMA appliance.

Related

secure Kibana and elasticsearch using SSL / TLS

Thanks for taking the time to read this :)
My web app (grimoirelab) contains multiple services spun up using docker-compose, which include elasticsearch and kibana. Port 5601 (kibana) is open and accessible through the web.
I want to enable SSL / TLS in the Kibana container, i.e., change the URL from http to https.
Kibana and Elasticsearch are both version 6.8.6.
I have very little experience in web security so would really appreciate any guidance on the same...
You can follow this elasticsearch documentation for configuration of SSL and TLS; it is available for free from version 6.8 onwards.
Please check the Configuring SSL, TLS, and HTTPS to secure Elasticsearch, Kibana, Beats, and Logstash blog.
Please check this documentation for how to set up SSL and TLS with the Elasticsearch Docker container.

Failed to setup Alerts and Actions for ELK - You must enable Transport Layer Security

I am trying to set up Alerts and Actions for ELK. But I am getting the error message
You must enable Transport Layer Security.
I have already set up the following parameter in kibana.yml, as follows:
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
Please advise.
Thanks
xpack.encryptedSavedObjects.encryptionKey: "abcdefghijklmnopqrstuvwxyz1234567890"
With only this, you don't enable transport layer security.
There are two more steps you need to do:
Enable security in Kibana and Elasticsearch. (Relatively easy!)
Encrypt traffic between them. (You might need to get your org-specific certificates if you are not using self-signed ones.)
When you use the basic and trial licenses,
set xpack.security.enabled: true and discovery.type: single-node in the elasticsearch.yml file
https://www.elastic.co/guide/en/elasticsearch/reference/6.8/get-started-enable-security.html
and then xpack.encryptedSavedObjects.encryptionKey: a string of 32 or more characters in kibana.yml
https://www.elastic.co/guide/en/kibana/7.16/alert-action-settings-kb.html#general-alert-action-settings
After updating the config files please restart Elasticsearch and Kibana.
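As an added example that is not part of either answer above, this is the pair of configuration files that the two "SSL / TLS for Kibana" and "You must enable Transport Layer Security" answers describe: security switched on in Elasticsearch, TLS on the HTTP layer that Kibana connects to, HTTPS on Kibana's own port 5601, and a properly random saved-objects key. Cluster and node names, certificate paths, hostnames and the key values are assumptions; the certificates are produced with `bin/elasticsearch-certutil` or your organisation's CA. Setting names are the same on 6.8 and 7.x except where commented.

```yaml
# ---------- elasticsearch.yml (example) ----------
cluster.name: grimoirelab
node.name: es01
discovery.type: single-node      # single node on a basic license, as in the answer above
network.host: 0.0.0.0            # reachable from the Kibana container; keep 9200 off the internet

xpack.security.enabled: true     # users, roles and Basic auth on 9200

# TLS on the HTTP layer: what Kibana, Logstash and curl connect to.
# Paths are relative to the config directory; the PEM files come from
# `bin/elasticsearch-certutil ca` and `bin/elasticsearch-certutil cert --pem`, or your own CA.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key: certs/es01.key
xpack.security.http.ssl.certificate: certs/es01.crt
xpack.security.http.ssl.certificate_authorities: ["certs/ca.crt"]

# TLS on the transport layer (node-to-node, port 9300). Required on a basic license once
# security is enabled on a multi-node cluster; harmless and recommended on a single node.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.key: certs/es01.key
xpack.security.transport.ssl.certificate: certs/es01.crt
xpack.security.transport.ssl.certificate_authorities: ["certs/ca.crt"]

---
# ---------- kibana.yml (example) ----------
server.host: "0.0.0.0"
server.port: 5601

# HTTPS for the browser side, so http://host:5601 becomes https://host:5601.
server.ssl.enabled: true
server.ssl.certificate: /usr/share/kibana/config/certs/kibana.crt
server.ssl.key: /usr/share/kibana/config/certs/kibana.key

# Kibana -> Elasticsearch over TLS, verifying the ES certificate against the CA above.
elasticsearch.hosts: ["https://es01:9200"]
elasticsearch.ssl.certificateAuthorities: ["/usr/share/kibana/config/certs/ca.crt"]
elasticsearch.ssl.verificationMode: certificate
elasticsearch.username: "kibana_system"   # built-in user is "kibana" on 6.8, "kibana_system" on 7.x
# elasticsearch.password: keep it out of this file; use `bin/kibana-keystore add elasticsearch.password`

# Alerting/Actions: 32+ character keys for encrypted saved objects and sessions.
# Generate them randomly (e.g. `openssl rand -hex 32`); a guessable key such as the
# alphabet-plus-digits string in the question protects nothing.
xpack.encryptedSavedObjects.encryptionKey: "REPLACE-WITH-64-HEX-CHARS-FROM-openssl-rand-hex-32"
xpack.security.encryptionKey: "REPLACE-WITH-A-DIFFERENT-64-HEX-CHAR-STRING"
```

With these in place the Kibana error goes away because Kibana now reaches Elasticsearch over `https://` against a verifiable certificate; `elasticsearch.ssl.verificationMode: none` would also silence it, but it turns verification off and is not the fix.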

How to expose my Elastic Search server to the internet?

I've installed my ElasticSearch (ES) server on a CentOS VPS. I tested ES inside the server and it responds correctly.
My next step is to allow my website, which is hosted on a different web host, to access and index its data content into my ES server.
My question is, what is the recommended way of exposing ES to the internet, so my website can access it to perform indexing and search? Is there an authentication method that I need to install?
You need to include network.host: 0.0.0.0 in your elasticsearch.yml file so that it listens on the non-loopback address, and after that, if your app server and ES are both in the same VPC, the app server will be able to connect to ES (provided you exposed port 9200 in the security group, in the case of AWS).
And hopefully your app server port is exposed to the internet, which internally connects to ES; you should not expose port 9200 of ES/Elasticsearch to the internet.
If you want an extra layer of security, you can enable x-pack basic security, which is included in the free tier and can be enabled using xpack.security.enabled: true in the Elasticsearch config.
Refer to x-pack features and configuration for more info.

How to allow requests to elasticsearch only from a list of ips/domains

I read the docs, but I couldn't make it work.
I have a server that holds elasticsearch and external ones that query it. Until now I can access the elasticsearch from any ip.
Example:
the public ip:port of elasticsearchserver: 123.123.123.123:9200
I have the domains: anothersocialnetwork.com and anothersocialnetwork2.com
and I want only them and localhost to be able to query the elasticsearch server.
Thank you a lot
There are multiple ways to achieve this. The one I would like to advise is as follows:
Run Elasticsearch on the localhost interface by setting network.host to localhost in the elasticsearch.yml file.
Now only applications on localhost can access the application.
Place a proxy like nginx or apache in front; this proxy would be able to access elasticsearch. Now whitelist the IPs you want to access Elasticsearch in the proxy.
Also you can take a look at the Elasticsearch jetty plugin. It has some security configurations along with it. But I am not sure if it's actively developed.
Also on securing Elasticsearch, I would recommend going through this blog.

How to disable elasticsearch http module?

The default value of the "http.enabled" option in elasticsearch's configuration file is true, which means that we can search and administer the cluster via HTTP commands; for example, a DELETE /index_* request can delete all indexes. But this is not safe when deploying the service to the production environment. How can I fix this problem?
You can either implement Shield; this is free if you are paying for one of the Elasticsearch support packages.
Or implement a reverse proxy which checks each request and the user running the request, for example nginx.
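Both of the answers above (the IP whitelist in front of a localhost-bound Elasticsearch, and a reverse proxy that checks each request and its user) come down to the same nginx server block. The following is an added example, not code from either answer; the IP addresses, hostname, certificate paths and htpasswd file are assumptions. Note that nginx's `allow`/`deny` work on IP addresses and CIDR ranges only, so the domains in the question have to be resolved to the fixed addresses the application servers connect from.

```nginx
# /etc/nginx/conf.d/elasticsearch.conf (example)
upstream elasticsearch {
    server 127.0.0.1:9200;   # Elasticsearch bound to localhost via network.host: localhost
}

server {
    listen 443 ssl;
    server_name es.example.com;

    ssl_certificate     /etc/nginx/certs/es.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/es.example.com.key;

    # Only the application hosts (by IP; nginx cannot whitelist by domain) and localhost get in.
    allow 127.0.0.1;
    allow 198.51.100.10;     # anothersocialnetwork.com
    allow 198.51.100.11;     # anothersocialnetwork2.com
    deny  all;

    # Every request must carry credentials; create the file with `htpasswd -c /etc/nginx/es.htpasswd app`.
    auth_basic           "Elasticsearch";
    auth_basic_user_file /etc/nginx/es.htpasswd;

    # Search and indexing only. DELETE is not in the allowed list, so a
    # "DELETE /index_*" from an application host is answered 403 here and never reaches ES.
    location / {
        limit_except GET HEAD POST PUT {
            deny all;
        }
        proxy_pass         http://elasticsearch;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
    }

    # Cluster administration endpoints only from the box itself (ssh + curl), whatever the credentials.
    location ~ ^/(_cluster|_nodes|_snapshot|_cat) {
        allow 127.0.0.1;
        deny  all;
        proxy_pass http://elasticsearch;
    }
}
```

Method filtering is deliberately coarse: a `POST .../_delete_by_query` still goes through, and every whitelisted host shares the same username. Per-index and per-user authorisation has to come from Elasticsearch itself (Shield, later X-Pack security); the proxy buys you an IP allowlist, TLS, a login and a ban on the destructive verbs, which is what both answers propose.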
