I'm considering running logstash on my prod server (simple install. http://logstash.net/docs/1.1.13/tutorials/getting-started-simple) and set kibana to access logs.
My concern is: how to secure my prod logs (especially elasticsearch which is run by logstash), and restrain access with secure zone or to some ips ?
Thanks for your help on that
If you use later versions of Logstash with Kibana:
I deploy Kibana into a virtual host in an Apache at /kibana/ and route the Elasticsearch API through a reverse proxy such that is available at /elasticsearch/:
<Location /elasticsearch/>
ProxyPass http://elasticsearchhost:9200/
ProxyPassReverse /
</Location>
You need to adapt Kibanas config.js to
elasticsearch: "/elasticsearch/",
Then the virtual host can be secured via HTTP Basic Authentication, which applies automatically to both Kibana and the Elasticsearch API.
What still worries me is that the users of Kibana could also use the Elasticsearch API to do nasty things like dropping indizes, shutting down Elasticsearch servers and so forth - for instance with the elasticsearch head. But I don't have a good solution to that problem so far. Probably one could generally allow GETs to /elasticsearch/ since in REST GETs cannot change anything, but other HTTP methods to only specific URLs which are important for Kibana.
In my environment, I bind elasticsearch to an openvpn interface.
In /etc/elasticsearch/elasticsearch.yml:
network.host: 172.16.xxx.xxx
Where 172.16.xxx.xxx is the IP address assigned to the server by openvpn.
with an nginx like it saids here:
How do I secure this? I don't want to leave 9200 open. A: A simple nginx virtual host and proxy configuration can be found in the sample/nginx.conf
