[TOC]
# Configuring Security in Logstash
> <font color=#DC143C size=4>NOTE</font>: X-Pack feature; not translated for now.
The Logstash Elasticsearch plugins ([output](http://www.elastic.co/guide/en/logstash/6.5/plugins-outputs-elasticsearch.html), [input](http://www.elastic.co/guide/en/logstash/6.5/plugins-inputs-elasticsearch.html), [filter](http://www.elastic.co/guide/en/logstash/6.5/plugins-filters-elasticsearch.html) and [monitoring](http://www.elastic.co/guide/en/logstash/6.5/monitoring-logstash.html)) support authentication and encryption over HTTP.
To use Logstash with a secured cluster, you need to configure authentication credentials for Logstash. Logstash throws an exception and the processing pipeline is halted if authentication fails.
If encryption is enabled on the cluster, you also need to enable TLS/SSL in the Logstash configuration.
If you want to monitor your Logstash instance with X-Pack monitoring, and store the monitoring data in a secured Elasticsearch cluster, you must configure Logstash with a username and password for a user with the appropriate permissions.
In addition to configuring authentication credentials for Logstash, you need to grant authorized users permission to access the Logstash indices.
## Configuring Logstash to use Basic Authentication
Logstash needs to be able to manage index templates, create indices, and write and delete documents in the indices it creates.
To set up authentication credentials for Logstash:
1. Create a `logstash_writer` role that has the `manage_index_templates` and `monitor` cluster privileges, and the `write`, `delete`, and `create_index` privileges for the Logstash indices. You can create roles from the **Management > Roles** UI in Kibana or through the `role` API:
```sh
POST _xpack/security/role/logstash_writer
{
  "cluster": ["manage_index_templates", "monitor"],
  "indices": [
    {
      "names": [ "logstash-*" ], ①
      "privileges": ["write","delete","create_index"]
    }
  ]
}
```
① If you use a custom Logstash index pattern, specify that pattern instead of the default `logstash-*` pattern.
2. Create a `logstash_internal` user and assign it the `logstash_writer` role. You can create users from the **Management > Users** UI in Kibana or through the `user` API:
```sh
POST _xpack/security/user/logstash_internal
{
  "password" : "x-pack-test-password",
  "roles" : [ "logstash_writer"],
  "full_name" : "Internal Logstash User"
}
```
3. Configure Logstash to authenticate as the `logstash_internal` user you just created. You configure credentials separately for each of the Elasticsearch plugins in your Logstash `.conf` file. For example:
```js
input {
  elasticsearch {
    ...
    user => "logstash_internal"
    password => "x-pack-test-password"
  }
}
filter {
  elasticsearch {
    ...
    user => "logstash_internal"
    password => "x-pack-test-password"
  }
}
output {
  elasticsearch {
    ...
    user => "logstash_internal"
    password => "x-pack-test-password"
  }
}
```
## Granting Users Access to the Logstash Indices
1. Create a `logstash_reader` role that has the `read` and `view_index_metadata` privileges for the Logstash indices. You can create roles from the **Management > Roles** UI in Kibana or through the `role` API:
```sh
POST _xpack/security/role/logstash_reader
{
  "indices": [
    {
      "names": [ "logstash-*" ], ①
      "privileges": ["read","view_index_metadata"]
    }
  ]
}
```
① If you use a custom Logstash index pattern, specify that pattern
instead of the default `logstash-*` pattern.
2. Assign your Logstash users the `logstash_reader` role. If the Logstash user will be using [centralized pipeline management](http://www.elastic.co/guide/en/logstash/6.5/logstash-centralized-pipeline-management.html), also assign the `logstash_admin` role. You can create and manage users from the **Management > Users** UI in Kibana or through the `user` API:
```sh
POST _xpack/security/user/logstash_user
{
  "password" : "x-pack-test-password",
  "roles" : [ "logstash_reader", "logstash_admin"], ①
  "full_name" : "Kibana User for Logstash"
}
```
① `logstash_admin` is a built-in role that provides access to `.logstash-*`
indices for managing configurations.
## Configuring the Elasticsearch Output to use PKI Authentication
The `elasticsearch` output supports PKI authentication. To use an X.509 client-certificate for authentication, you configure the `keystore` and `keystore_password` options in your Logstash `.conf` file:
```js
output {
  elasticsearch {
    ...
    keystore => "/path/to/keystore.jks"
    keystore_password => "realpassword"
    truststore => "/path/to/truststore.jks" ①
    truststore_password => "realpassword"
  }
}
```
① If you use a separate truststore, the truststore path and password are also required.
## Configuring Logstash to use TLS Encryption
If TLS encryption is enabled on the Elasticsearch cluster, you need to configure the `ssl` and `cacert` options in your Logstash `.conf` file:
```js
output {
  elasticsearch {
    ...
    ssl => true
    cacert => '/path/to/cert.pem' ①
  }
}
```
① The path to the local `.pem` file that contains the Certificate
Authority’s certificate.
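
The pipeline snippets above write passwords into the `.conf` file as literals, and `ssl` stays off unless you set it. The following Python check is an added example, not part of the Logstash documentation: it flags `elasticsearch` blocks that hard-code `password`, `keystore_password` or `truststore_password` instead of a `${VAR}` reference (which Logstash resolves from its secrets keystore or the environment), and blocks that lack `ssl => true`. The function name, the sample config and the `ES_PWD` variable name are constructed for illustration.

```python
import re

# Options used on this page whose values are secrets.
SECRET_OPTIONS = ("password", "keystore_password", "truststore_password")
# Accept only a ${VAR} or ${VAR:default} reference, optionally quoted.
REFERENCE = re.compile(r"""^["']?\$\{[A-Za-z_]\w*(:[^}]*)?\}["']?$""")
SETTING = re.compile(r"^\s*(\w+)\s*=>\s*(.+?)\s*$")

def lint_pipeline(text):
    """Return sorted (line_no, message) findings; assumes one setting per line."""
    findings = []
    depth = 0                      # current brace nesting
    es_start = es_depth = None     # open elasticsearch block, if any
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]            # drop trailing comments
        if es_start is None and re.match(r"^\s*elasticsearch\s*\{", line):
            es_start, es_depth, has_ssl = no, depth, False
        m = SETTING.match(line)
        if m and es_start is not None:
            key, value = m.groups()
            if key in SECRET_OPTIONS and not REFERENCE.match(value):
                findings.append((no, f"{key} is a literal; use a ${{VAR}} reference"))
            if key == "ssl" and value.strip("\"'") == "true":
                has_ssl = True
        depth += line.count("{") - line.count("}")
        if es_start is not None and depth <= es_depth:   # block just closed
            if not has_ssl:
                findings.append((es_start, "elasticsearch block without ssl => true"))
            es_start = None
    return sorted(findings)

# Constructed sample: the first block mirrors the page's literal-password form.
SAMPLE = """\
input {
  elasticsearch {
    password => "x-pack-test-password"
  }
}
output {
  elasticsearch {
    password => "${ES_PWD}"
    ssl => true
  }
}
"""

if __name__ == "__main__":
    for line_no, message in lint_pipeline(SAMPLE):
        print(f"line {line_no}: {message}")
```
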
## Configuring Credentials for Logstash Monitoring
If you plan to ship Logstash [monitoring](http://www.elastic.co/guide/en/logstash/6.5/monitoring-logstash.html) data to a secure cluster, you need to configure the username and password that Logstash uses to authenticate for shipping monitoring data.
X-Pack security comes preconfigured with a [`logstash_system` built-in user](https://www.elastic.co/guide/en/elastic-stack-overview/6.5/built-in-users.html) for this purpose. This user has the minimum permissions necessary for the monitoring function, and *should not* be used for any other purpose - it is specifically *not intended* for use within a Logstash pipeline.
By default, the `logstash_system` user does not have a password. The user will not be enabled until you set a password. Set the password through the change password API:
```js
PUT _xpack/security/user/logstash_system/_password
{
  "password": "t0p.s3cr3t"
}
```
Then configure the user and password in the `logstash.yml` configuration file:
```yaml
xpack.monitoring.elasticsearch.username: logstash_system
xpack.monitoring.elasticsearch.password: t0p.s3cr3t
```
If you initially installed an older version of X-Pack, and then upgraded, the `logstash_system` user may have defaulted to `disabled` for security reasons. You can enable the user through the `user` API:
```js
PUT _xpack/security/user/logstash_system/_enable
```
## Configuring Credentials for Centralized Pipeline Management
If you plan to use Logstash [centralized pipeline management](http://www.elastic.co/guide/en/logstash/6.5/logstash-centralized-pipeline-management.html), you need to configure the username and password that Logstash uses for managing configurations.
You configure the user and password in the `logstash.yml` configuration file:
```yaml
xpack.management.elasticsearch.username: logstash_admin_user ①
xpack.management.elasticsearch.password: t0p.s3cr3t
```
① The user you specify here must have the built-in `logstash_admin` role as
well as the `logstash_writer` role that you created earlier.