How to hide credentials in logstash configuration files?

2018-03-27-logstash-keystore-blog


Logstash 6.2 lets you protect credentials with the keystore.

Let’s see how to use logstash-keystore.

For example, in the following we will hide the ‘changeme’ password from the elasticsearch output of your Logstash pipeline config file.

To create a logstash.keystore file, open a terminal window and type the following commands:

./bin/logstash-keystore create
./bin/logstash-keystore add es_password

ℹ️ the default directory is the same directory as the logstash.yml settings file.

./bin/logstash-keystore list should show you es_password as the answer.

📌 The --path.settings option sets the directory for the keystore (e.g. bin/logstash-keystore --path.settings /etc/logstash/.keystore create). The keystore must be located in Logstash’s path.settings directory.

📌 When you run Logstash from an RPM or DEB package installation, the environment variables are sourced from /etc/sysconfig/logstash. You might need to create /etc/sysconfig/logstash; keep in mind that this file should be owned by root with 600 permissions.

# use es_password in the pipeline:
output {
	elasticsearch {
		hosts => …
		user => "elastic"
		password => "${es_password}"
	}
}

ℹ️ you can set the environment variable LOGSTASH_KEYSTORE_PASS to act as the keystore password.
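
A check to run after moving credentials into the keystore, added here as an example (not code from the original post): it lists secret settings in a pipeline file whose value is anything other than a bare ${name} reference, including ${name:default} forms, whose default sits in the file in plaintext. The function names, the sample pipeline and the list of setting names treated as secrets are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): report secret settings in a
# Logstash pipeline file whose value is not a bare "${name}" reference.

# Setting names treated as secrets -- an assumption, extend for your plugins.
SECRET_KEYS='[a-z_]*(password|passphrase|secret|token|api_key)'
# A protected value is exactly one quoted ${name} with no ":default" part.
REF_RE="^[\"'][\$][{][A-Za-z0-9_.]+[}][\"']\$"

# Usage: find_plaintext_secrets FILE...
# Prints "file:line: key" per finding (never the value); returns 1 if any.
find_plaintext_secrets() {
    awk -v keys="$SECRET_KEYS" -v ref="$REF_RE" '
        /^[ \t]*#/ { next }                          # whole-line comment
        $0 ~ ("^[ \t]*(" keys ")[ \t]*=>") {
            key = $0; sub(/^[ \t]*/, "", key); sub(/[ \t]*=>.*/, "", key)
            val = $0; sub(/^[^=]*=>[ \t]*/, "", val)
            sub(/[ \t]+#.*$/, "", val)               # trailing comment
            sub(/[ \t\r]+$/, "", val)
            if (val !~ ref) { printf "%s:%d: %s\n", FILENAME, FNR, key; found = 1 }
        }
        END { exit found }
    ' "$@"
}

# Constructed sample pipeline: one keystore reference, one literal password,
# and one reference whose default value leaks the secret in plaintext.
write_sample_pipeline() {
    cat > "$1" <<'EOF'
output {
  elasticsearch {
    password => "${es_password}"
  }
  elasticsearch {
    password => "changeme"
  }
  elasticsearch {
    password => "${es_password:changeme}"
  }
}
EOF
}

# Demo on the constructed sample: reports lines 6 and 9.
sample=$(mktemp) && write_sample_pipeline "$sample"
find_plaintext_secrets "$sample" || echo "hardcoded secrets found" >&2
rm -f "$sample"
```

The non-zero return status makes the function usable as a pre-commit or CI gate over a directory of pipeline files.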

Documentation

➡️ Official guide – logstash-keystore

To get help with the cli, simply use: $ ./bin/logstash-keystore help

Kibana – Setup log rotation

2018-02-05-elk-kibana-log-rotation

ℹ️ In this document we will see how to properly set up log rotation for kibana. The example is based on CentOS7 but can easily be adapted for ubuntu or any other linux distribution.

Documentation

  • Kibana doesn’t handle log rotation, but it is built to work with an external process that rotates logs, such as logrotate.
  • The logrotate utility is designed to simplify the administration of log files on a system which generates a lot of log files. Logrotate allows for the automatic rotation, compression, removal and mailing of log files. Logrotate can be set to handle a log file daily, weekly, monthly or when the log file gets to a certain size.
  • Logrotate can be installed with the logrotate package. It is installed by default and runs daily.
  • The primary configuration file for logrotate is /etc/logrotate.conf; additional configuration files are included from the /etc/logrotate.d directory.

Prerequisites

kibana

  • Have the following elements (pid.file AND logging.dest) setup in the kibana.yaml configuration file
    server.port: 5601
    server.host: "${KIBANA_SRV}"
    elasticsearch.url: "http://${ES_SRV}:9200"
    kibana.index: ".kibana"
    pid.file: /var/run/kibana/kibana.pid
    logging.dest: /var/log/kibana/kibana.log
    
  • ⚠️ Verify that kibana is allowed to create the /var/log/kibana/kibana.log file.
    $ mkdir -p /var/log/kibana/ && chown -R kibana:kibana /var/log/kibana/
    $ mkdir -p /var/run/kibana/ && chown -R kibana:kibana /var/run/kibana/
    

logrotate

Verify that logrotate is properly installed:

$ logrotate --version
    logrotate 3.8.6

Verify that the logrotate configuration includes the logrotate.d directory:

$ cat /etc/logrotate.conf
  . . .
  include /etc/logrotate.d

Configuration

logrotate file

We will create a new logrotate configuration for kibana

$ cat << 'EOF' > /etc/logrotate.d/elk-kibana
/var/log/kibana/*.log {
  missingok
  daily
  size 10M
  create 0644 kibana kibana
  rotate 7
  notifempty
  sharedscripts
  compress
  # signal kibana to reopen its log file after rotation
  postrotate
    /bin/kill -HUP $(cat /var/run/kibana/kibana.pid 2>/dev/null) 2>/dev/null
  endscript
}
EOF

Verify your file syntax with the following command

logrotate -vd /etc/logrotate.d/elk-kibana

If you didn’t get any error, you can manually start the first rotation with

logrotate -vf /etc/logrotate.d/elk-kibana

Crontab file

If the line include /etc/logrotate.d is present in /etc/logrotate.conf and logrotate.conf is referenced in /etc/cron.daily/logrotate, you don’t need to do any more setup.

grep "logrotate.conf" /etc/cron.daily/logrotate
    /usr/sbin/logrotate -s /var/lib/logrotate/logrotate.status /etc/logrotate.conf

 

Happy logs rotation! 
G.
