- Heartbeat Reference: other versions:
- Heartbeat overview
- Quick start: installation and configuration
- Set up and run
- Configure
- Monitors
- Task scheduler
- General settings
- Project paths
- Output
- Kerberos
- SSL
- Index lifecycle management (ILM)
- Elasticsearch index template
- Processors
- Define processors
- add_cloud_metadata
- add_cloudfoundry_metadata
- add_docker_metadata
- add_fields
- add_host_metadata
- add_id
- add_kubernetes_metadata
- add_labels
- add_locale
- add_network_direction
- add_nomad_metadata
- add_observer_metadata
- add_process_metadata
- add_tags
- append
- community_id
- convert
- copy_fields
- decode_base64_field
- decode_duration
- decode_json_fields
- decode_xml
- decode_xml_wineventlog
- decompress_gzip_field
- detect_mime_type
- dissect
- dns
- drop_event
- drop_fields
- extract_array
- fingerprint
- include_fields
- move_fields
- rate_limit
- registered_domain
- rename
- replace
- script
- syslog
- translate_sid
- truncate_fields
- urldecode
- Autodiscover
- Internal queue
- Logging
- HTTP endpoint
- Regular expression support
- Instrumentation
- Feature flags
- heartbeat.reference.yml
- How to guides
- Exported fields
- Beat fields
- Synthetics browser metrics fields
- Cloud provider metadata fields
- Common heartbeat monitor fields
- Docker fields
- ECS fields
- Host fields
- HTTP monitor fields
- ICMP fields
- Jolokia Discovery autodiscover provider fields
- Kubernetes fields
- Process fields
- Host lookup fields
- APM Service fields
- SOCKS5 proxy fields
- Monitor state fields
- Monitor summary fields
- Synthetics types fields
- TCP layer fields
- TLS encryption layer fields
- Monitor
- Secure
- Troubleshoot
- Get help
- Debug
- Understand logged metrics
- Common problems
- Heartbeat uses too much bandwidth
- Error loading config file
- Found unexpected or unknown characters
- Logstash connection doesn’t work
- Publishing to Logstash fails with "connection reset by peer" message
- @metadata is missing in Logstash
- Not sure whether to use Logstash or Beats
- SSL client fails to connect to Logstash
- Monitoring UI shows fewer Beats than expected
- High RSS memory usage due to MADV settings
- Contribute to Beats
Secure communication with Elasticsearch
editSecure communication with Elasticsearch
editWhen sending data to a secured cluster through the elasticsearch
output, Heartbeat can use any of the following authentication methods:
- Basic authentication credentials (username and password).
- Token-based API authentication.
- A client certificate.
Authentication is specified in the Heartbeat configuration file:
-
To use basic authentication, specify the
username
andpassword
settings underoutput.elasticsearch
. For example:output.elasticsearch: hosts: ["https://myEShost:9200"] username: "heartbeat_writer" password: "YOUR_PASSWORD"
This user needs the privileges required to publish events to Elasticsearch. To create a user like this, see Create a publishing user.
This example shows a hard-coded password, but you should store sensitive values in the secrets keystore.
-
To use token-based API key authentication, specify the
api_key
underoutput.elasticsearch
. For example:output.elasticsearch: hosts: ["https://myEShost:9200"] api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA"
This API key must have the privileges required to publish events to Elasticsearch. To create an API key like this, see Grant access using API keys.
-
To use Public Key Infrastructure (PKI) certificates to authenticate users, specify the
certificate
andkey
settings underoutput.elasticsearch
. For example:output.elasticsearch: hosts: ["https://myEShost:9200"] ssl.certificate: "/etc/pki/client/cert.pem" ssl.key: "/etc/pki/client/cert.key"
These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the
role_mapping.yml
file on each node in the Elasticsearch cluster. For more information, see Using role mapping files.By default, Heartbeat uses the list of trusted certificate authorities (CA) from the operating system where Heartbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the
.pem
file that contains your CA’s certificate to the Heartbeat configuration. This will configure Heartbeat to use a specific list of CA certificates instead of the default list from the OS.Here is an example configuration:
output.elasticsearch: hosts: ["https://myEShost:9200"] ssl.certificate_authorities: - /etc/pki/my_root_ca.pem - /etc/pki/my_other_ca.pem ssl.certificate: "/etc/pki/client.pem" ssl.key: "/etc/pki/key.pem"
Specify the path to the local
.pem
file that contains your Certificate Authority’s certificate. This is needed if you use your own CA to sign your node certificates.The path to the certificate for SSL client authentication
The client certificate key
For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for
hosts
, or the SSL handshake fails. For example, if you specifyhosts: ["foobar:9200"]
, the certificate MUST includefoobar
in the subject (CN=foobar
) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in/etc/hosts
(on Unix) orC:\Windows\System32\drivers\etc\hosts
(on Windows).
Learn more about secure communication
editMore information on sending data to a secured cluster is available in the configuration reference:
On this page