Secure logstash and elasticsearch
If you use later versions of Logstash with Kibana:
I deploy Kibana into a virtual host in Apache at /kibana/ and route the Elasticsearch API through a reverse proxy such that it is available at /elasticsearch/:

    <Location /elasticsearch/>
        ProxyPass http://elasticsearchhost:9200/
        ProxyPassReverse /
    </Location>

You need to adapt Kibana's config.js to:

    elasticsearch: "/elasticsearch/",

Then the virtual host can be secured via HTTP Basic Authentication, which applies automatically to both Kibana and the Elasticsearch API.
What still worries me is that the users of Kibana could also use the Elasticsearch API to do nasty things like dropping indices, shutting down Elasticsearch servers and so forth - for instance with the elasticsearch head. But I don't have a good solution to that problem so far. Probably one could generally allow GETs to /elasticsearch/ since in REST GETs cannot change anything, but other HTTP methods to only specific URLs which are important for Kibana.
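One way to express the method restriction the answer ends on, as an added example that is not the answer author's configuration. It assumes Apache 2.4 (`Require method` and `Require expr` from mod_authz_core); the htpasswd path and the POST allow-list pattern are assumptions to adjust to what your Kibana version actually sends.

```apache
# Added example, not the answer author's config. Assumes Apache 2.4 with
# mod_proxy_http, mod_auth_basic, mod_authn_file and mod_authz_core loaded.
# Serve the virtual host over TLS: Basic credentials are only base64-encoded.

# Authentication for the whole virtual host (Kibana files and the API proxy).
<Location "/">
    AuthType Basic
    AuthName "Kibana"
    # Assumed path; create the file with htpasswd.
    AuthUserFile "/etc/apache2/kibana.htpasswd"
    Require valid-user
</Location>

<Location "/elasticsearch/">
    ProxyPass "http://elasticsearchhost:9200/"
    ProxyPassReverse "http://elasticsearchhost:9200/"

    # Answer 403 instead of a fresh 401 prompt when a logged-in user is refused.
    AuthzSendForbiddenOnFailure On

    # This block replaces the "Require valid-user" above for the API path
    # (AuthMerging defaults to Off), so valid-user is restated here.
    <RequireAll>
        Require valid-user
        <RequireAny>
            # Read-only methods are allowed on any API URL.
            Require method GET HEAD OPTIONS
            # POST is allowed only for search requests, optionally scoped to
            # one or more indices. Assumed allow-list: extend it with the
            # URLs your Kibana version is seen to call in the access log.
            <RequireAll>
                Require method POST
                Require expr "%{REQUEST_URI} =~ m#^/elasticsearch/([^/]+/)?_search$#"
            </RequireAll>
        </RequireAny>
    </RequireAll>
    # Any other request (PUT, DELETE, POST to other URLs) is refused.
</Location>
```

Run `apachectl configtest` before reloading, then check in the access log that Kibana's own requests still succeed and that a DELETE sent through /elasticsearch/ is answered with 403.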
Comments
-
CoBaLt2760 over 1 year
I'm considering running logstash on my prod server (simple install. http://logstash.net/docs/1.1.13/tutorials/getting-started-simple) and set kibana to access logs.
My concern is: how to secure my prod logs (especially elasticsearch which is run by logstash), and restrain access with secure zone or to some IPs?
Thanks for your help on that
-
dawud almost 11 years
You can add some rules to your iptables.
-
CoBaLt2760 almost 11 years
What do you mean? Authorizing only 9200 port (elasticsearch) to be open to the server IP itself (for kibana apache vhost)?
-
dawud almost 11 years
Can you please add more detail to your question with regards to the actual architecture you have planned (how many servers involved, where will the typical elements of the logstash/kibana stack be deployed)? Do you already have SELinux, iptables, any other security measure in place?
-
hookenz over 6 years
Link out of date.