7

I'm considering running logstash on my prod server (simple install: http://logstash.net/docs/1.1.13/tutorials/getting-started-simple) and setting up kibana to access the logs.

My concern is: how do I secure my prod logs (especially elasticsearch, which is run by logstash), and restrict access to a secure zone or to some IPs?

Thanks for your help on that

CoBaLt2760
    You can add some rules to your `iptables`. – dawud Jul 05 '13 at 17:41
  • What do you mean? Authorizing only port 9200 (elasticsearch) to be open to the server IP itself (for the kibana apache vhost)? – CoBaLt2760 Jul 05 '13 at 20:55
  • Can you please add more detail to your question with regards to the actual architecture you have planned? (how many servers involved, where will the typical elements of the logstash/kibana stack be deployed), do you already have SELinux, iptables, any other security measure in place? – dawud Jul 05 '13 at 21:19

3 Answers

4

If you use later versions of Logstash with Kibana:

I deploy Kibana into a virtual host in Apache at /kibana/ and route the Elasticsearch API through a reverse proxy such that it is available at /elasticsearch/:

# Inside the Kibana virtual host: forward /elasticsearch/ to the Elasticsearch HTTP port
# (requires mod_proxy and mod_proxy_http). In a <Location> context both directives take
# the backend URL; ProxyPassReverse rewrites Location/Content-Location headers coming back.
<Location /elasticsearch/>
    ProxyPass http://elasticsearchhost:9200/
    ProxyPassReverse http://elasticsearchhost:9200/
</Location>

You need to adapt Kibana's config.js to

elasticsearch: "/elasticsearch/",

Then the virtual host can be secured via HTTP Basic Authentication, which applies automatically to both Kibana and the Elasticsearch API.

What still worries me is that the users of Kibana could also use the Elasticsearch API to do nasty things like dropping indices, shutting down Elasticsearch servers and so forth - for instance with elasticsearch head. But I don't have a good solution to that problem so far. Probably one could generally allow GETs to /elasticsearch/, since in REST GETs cannot change anything, but allow other HTTP methods only to specific URLs which are important for Kibana.
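One way to implement the method restriction the answer describes, as an added example that is not part of the answer: a single Apache 2.4 virtual host that puts both Kibana and the proxied Elasticsearch API behind HTTP Basic Authentication, allows only GET/HEAD on the API by default, and allows POST only on search endpoints. The host name, certificate and file paths, the htpasswd location and the search-endpoint pattern are assumptions; the modules used are mod_ssl, mod_proxy, mod_proxy_http, mod_auth_basic, mod_authn_file and mod_authz_core.

```apache
# Added example (not the answer's own config); host names and file paths are placeholders.
<VirtualHost *:443>
    ServerName logs.example.com
    # Basic Auth only base64-encodes the password, so the whole vhost stays on TLS.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/logs.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/logs.example.com.key
    # Authentication for everything on this vhost; the user file is created with htpasswd(1).
    # The per-section Require rules below decide which methods an authenticated user may use.
    <Location />
        AuthType Basic
        AuthName "Logstash dashboards"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/kibana.htpasswd
        Require valid-user
    </Location>
    # Kibana's static files; its config.js points at "/elasticsearch/" as in the answer.
    Alias /kibana /var/www/kibana
    <Directory /var/www/kibana>
        Require valid-user
    </Directory>
    # Elasticsearch API, reachable only through this proxy (bind Elasticsearch itself to
    # localhost or a private interface so port 9200 is never exposed directly).
    <Location /elasticsearch/>
        ProxyPass        http://elasticsearchhost:9200/
        ProxyPassReverse http://elasticsearchhost:9200/
        # Reads are allowed for any authenticated user ...
        <Limit GET HEAD>
            Require valid-user
        </Limit>
        # ... every other method (DELETE on an index, PUT to settings, POST to _shutdown) gets
        # a 403, whether it comes from the browser or from a tool such as elasticsearch head.
        <LimitExcept GET HEAD>
            Require all denied
        </LimitExcept>
    </Location>
    # Kibana submits queries with POST, so allow POST only on search endpoints:
    # /<index>/_search, /<index>/<type>/_search and /_msearch.
    <LocationMatch "^/elasticsearch/(.*/)?_m?search$">
        <Limit GET HEAD POST>
            Require valid-user
        </Limit>
        <LimitExcept GET HEAD POST>
            Require all denied
        </LimitExcept>
    </LocationMatch>
    # Saving dashboards (PUT/DELETE on Kibana's own index, kibana-int in Kibana 3) stays blocked
    # until an equivalent LocationMatch is added for exactly that index.
</VirtualHost>
```

Apache 2.4 merges Require rules with the later (more specific) section replacing the earlier one, so the LocationMatch block is written to cover every method itself rather than relying on the /elasticsearch/ rules; check the proxy access log for any further endpoints your Kibana version needs before widening the allow-list.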

0

In my environment, I bind elasticsearch to an openvpn interface.

In /etc/elasticsearch/elasticsearch.yml:

network.host: 172.16.xxx.xxx

Where 172.16.xxx.xxx is the IP address assigned to the server by OpenVPN.

Dan Garthwaite
-1

With nginx, like it says here:

How do I secure this? I don't want to leave 9200 open. A: A simple nginx virtual host and proxy configuration can be found in the sample/nginx.conf

link: https://github.com/elasticsearch/kibana

damian