How to hide credentials in logstash configuration files?
logstash 6.2 let you protect credentials with the keystore.
Let’s see how to use logstash-keystore?
e.g. In the following, we will hide the ‘changeme’ password from the elasticsearch output of your logstash pipeline config file.
To create a logstash.keystore
file, open a terminal window and type the following commands
./bin/logstash-keystore create
./bin/logstash-keystore add es_password
ℹ️ the default directory is the same directory as the logstash.yml settings file.
./bin/logstash-keystore list
should show you es_password
as answser.
📌 The option -path.settings
will set the directory for the keystore. (e.g. bin/logstash-keystore --path.settings /etc/logstash/.keystore create
). The keystore must be located in Logstash’s path.settings directory.
📌 When you run Logstash from an RPM or DEB package installation, the environment variables are sourced from /etc/sysconfig/logstash. You might need to create /etc/sysconfig/logstash
; Please keep in mind that this file should be owned by root with 600 permissions.
# use es_password in the pipeline:
output {
elasticsearch {
hosts => …
user => “elastic”
password => “${es_password}”
}
}
ℹ️ you can set the environment variable LOGSTASH_KEYSTORE_PASS
to act as the keystore password.
Documentation
➡️ Official guide – logstash-keystore
To get help with the cli, simply use: $ ./bin/logstash-keystore help