Shield with Logstash
Shield 1.0+ is compatible with Logstash 1.5 and above.
Logstash provides Elasticsearch output, input and filter plugins used to index and retrieve documents through HTTP, transport or client node protocols. All plugins support authentication and encryption over HTTP, while the output plugin additionally supports these features over the transport protocol.
Note: When using the elasticsearch output, only the transport and http protocols are supported (i.e. the node protocol is unsupported).
For information on setting up authentication and authorization on the Elasticsearch side, check the corresponding documentation sections: Authorization and Authentication.
To configure the certificates and other SSL related options, see Securing Nodes.
Creating a user
By default, the Shield plugin installs a dedicated user role that enables the creation of indices with names that match the logstash-* regular expression, along with privileges to read, scroll, index, update, and delete documents on those indices:
logstash:
  cluster: indices:admin/template/get, indices:admin/template/put
  indices:
    'logstash-*': indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index
See the Role Definition File section for information on modifying roles.
Create a user associated with the logstash role on the Elasticsearch cluster, using the esusers tool:
esusers useradd <username> -p <password> -r logstash
When using the transport protocol, the logstash user requires the predefined transport_client role in addition to the logstash role shown above (-r logstash,transport_client).
Once you’ve created the user, you are ready to configure Logstash.
Connecting with HTTP/HTTPS
All three plugins (input, filter and output) support HTTP Basic Authentication as well as SSL/TLS. The sections below show the output plugin’s configuration parameters; the input and filter plugins accept the same parameters.
Basic Authentication
To connect to an instance of Elasticsearch with Shield, set up the username and password credentials with the following configuration parameters:
input { ... }
output {
  elasticsearch {
    protocol => "http"
    ...
    user => ...      # string
    password => ...  # string
  }
}
SSL/TLS Configuration for HTTPS
To enable SSL/TLS encryption for HTTPS, use the following configuration block:
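The HTTPS block itself did not survive on this page, so the following is an added example (not the original documentation's block) showing how the parameters described in this section fit together in a complete Logstash 1.5 pipeline. It assumes that the output plugin's cacert option points the plugin at the PEM file of the CA that issued the Elasticsearch node certificates; the host, username, password and file paths are placeholders.

```conf
# Added example (not from the original page): Logstash pipeline writing to a
# Shield-protected cluster over HTTPS with HTTP Basic Authentication.
input {
  file {
    path => "/var/log/app/*.log"   # placeholder path
  }
}

output {
  elasticsearch {
    protocol => "http"
    host => "es01.example.internal"   # placeholder host
    port => 9200

    # Credentials for the user created with esusers and assigned the
    # logstash role (placeholders; keep the real values out of version control).
    user => "logstash_writer"
    password => "CHANGE_ME"

    # Encrypt the connection and verify the node certificate against the CA
    # that issued it. cacert is assumed to be the plugin's option for the
    # CA certificate path (PEM); the path is a placeholder.
    ssl => true
    cacert => "/etc/logstash/certs/ca.pem"
  }
}
```

Basic Authentication sends the username and password in a request header, so ssl => true should always accompany user and password whenever the traffic leaves the host. With ssl => true the plugin also validates the node certificate, and, as the Failures section below notes, a certificate that does not validate halts the pipeline rather than silently falling back to an unverified connection.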
Connecting with Transport protocol
By setting the "protocol" option to "transport", Logstash communicates with the Elasticsearch cluster through the same protocol the nodes use between each other. This avoids JSON marshalling and unmarshalling and is therefore more efficient.
To enable this option, install an additional Logstash plugin with the following command:
bin/plugin install logstash-output-elasticsearch-shield
Authentication for Transport protocol
To connect to an instance of Elasticsearch with Shield, set up the username and password credentials with the following configuration parameters:
input { ... }
output {
  elasticsearch {
    protocol => "transport"
    ...
    user => ...      # string
    password => ...  # string
  }
}
SSL Configuration for Transport or Node protocols
Specify the paths to the keystore and truststore .jks files with the following configuration parameters:
input { ... }
output {
  elasticsearch {
    protocol => "transport"
    host => ...     # string (optional)
    cluster => ...  # string (optional)
    ...
    ssl => true
    keystore => ...             # string
    keystore_password => ...    # string
    truststore => ...           # string
    truststore_password => ...  # string
  }
}
For more information on encryption and certificates, see the Securing Nodes section.
Failures
Logstash raises an exception that halts the processing pipeline when the server’s certificate does not validate over SSL on any of the protocols discussed in this section. The same happens when the user credentials are invalid.