[[logstash]] === Shield with Logstash IMPORTANT: Shield 2.0.x is compatible with Logstash 1.5 and above. Logstash provides Elasticsearch https://www.elastic.co/guide/en/logstash/current/plugins-outputs-elasticsearch.html[output], https://www.elastic.co/guide/en/logstash/current/plugins-inputs-elasticsearch.html[input] and https://www.elastic.co/guide/en/logstash/current/plugins-filters-elasticsearch.html[filter] plugins used to index and retrieve documents through HTTP, transport or client node protocols. All plugins support authentication and encryption over HTTP, while the output plugin additionally supports these features over the transport protocol. Note: When using the elasticsearch output, only the `transport` and `http` protocol are supported (i.e. `node` protocol is unsupported) For information on setting up authentication and authorization on the Elasticsearch side, check the corresponding documentation sections: <> and <>. To configure the certificates and other SSL related options, see <>. [[ls-user]] ==== Creating a user By default, the Shield plugin installs a dedicated user <> that enables the creation of indices with names that match the `logstash-*` regular expression, along with privileges to read, scroll, index, update, and delete documents on those indices: [source,yaml] -------------------------------------------------------------------------------------------- logstash: cluster: indices:admin/template/get, indices:admin/template/put indices: 'logstash-*': indices:data/write/bulk, indices:data/write/delete, indices:data/write/update, indices:data/read/search, indices:data/read/scroll, create_index -------------------------------------------------------------------------------------------- See the <> section for information on modifying roles. Create a user associated with the `logstash` role on the Elasticsearch cluster, using the <>: [source,shell] -------------------------------------------------- esusers useradd -p -r logstash -------------------------------------------------- NOTE: When using the transport protocol, the logstash user requires the predefined `transport_client` role in addition to the `logstash` role shown above (`-r logstash,transport_client`). Once you've created the user, you are ready to configure Logstash. [[ls-http]] ==== Connecting with HTTP/HTTPS All three input, filter and output plugins support HTTP Basic Authentication as well as SSL/TLS. The sections below demonstrate the output plugin's configuration parameters, but input and filter are the same. [[ls-http-auth]] ===== Basic Authentication To connect to an instance of Elasticsearch with Shield, set up the username and password credentials with the following configuration parameters: [source, shell] -------------------------------------------------- input { ... } output { elasticsearch { protocol => "http" ... user => ... # string password => ... # string } } -------------------------------------------------- [[ls-http-ssl]] ===== SSL/TLS Configuration for HTTPS To enable SSL/TLS encryption for HTTPS, use the following configuration block: [source, shell] -------------------------------------------------- input { ... } output { elasticsearch { protocol => "http" ... ssl => true cacert => '/path/to/cert.pem' <1> } } -------------------------------------------------- <1> The path to the `.pem` file in your filesystem that contains the Certificate Authority's certificate. [[ls-transport]] ==== Connecting with Transport protocol By setting the "protocol" option to "transport", Logstash communicates with the Elasticsearch cluster through the same protocol nodes use between each other. This avoids JSON un/marshalling and is therefore more efficient. In order to unlock this option, it's necessary to install an additional plugin in Logstash using the following command: [source, shell] -------------------------------------------------- bin/plugin install logstash-output-elasticsearch-shield -------------------------------------------------- [[ls-transport-auth]] ===== Authentication for Transport protocol Transport protocol supports both basic auth and client-certificate authentication through the use of Public Key Infrastructure (PKI). [[ls-transport-auth-basic]] ===== Basic Authentication To connect to an instance of Elasticsearch with Shield using basic auth, set up the username and password credentials with the following configuration parameters: [source, shell] -------------------------------------------------- input { ... } output { elasticsearch { protocol => "transport" ... user => ... # string password => ... # string } } -------------------------------------------------- [[ls-transport-auth-pki]] ===== PKI Authentication To connect to an instance of Elasticsearch with Shield using client-certificate authentication you need to setup the keystore path which contain the client's certificate and the keystore password in the configuration: [source, shell] -------------------------------------------------- input { ... } output { elasticsearch { protocol => "transport" ... ssl => true keystore => ... # string keystore_password => ... # string } } -------------------------------------------------- [[ls-transport-conf]] ===== SSL Configuration for Transport or Node protocols Specify the paths to the keystore and truststore `.jks` files with the following configuration parameters: [source, shell] -------------------------------------------------- input { ... } output { elasticsearch { protocol => "transport" host => ... # string (optional) cluster => ... # string (optional) ... ssl => true keystore => ... # string keystore_password => ... # string truststore => ... # string truststore_password => ... # string } } -------------------------------------------------- For more information on encryption and certificates, see the <> section: [[ls-failure]] ==== Failures Logstash raises an exception that halts the processing pipeline when the server's certificate does not validate over SSL on any of the protocols discussed in this section. Same for the invalid user credentials.