Securing Elasticsearch: A Comprehensive Guide to Setting Up Passwords

By Opster Team

Updated: Nov 2, 2023

Overview

Elasticsearch is widely used for log and event data analysis. However, securing Elasticsearch is a critical aspect that cannot be overlooked. This article will guide you through the process of setting up passwords in Elasticsearch, ensuring that your data remains secure and accessible only to authorized users.

Enabling Elasticsearch Security Features

Before setting up passwords, you need to enable Elasticsearch's security features. Since 8.0, these features are enabled by default in the basic license. In earlier versions, security features were disabled by default; to enable them, set `xpack.security.enabled` to `true` in the `elasticsearch.yml` configuration file.

```yaml
xpack.security.enabled: true
```

After making this change, restart your Elasticsearch node.

Setting Up Built-In User Passwords

Elasticsearch comes with built-in users for various system operations. These users include `elastic`, `apm_system`, `kibana_system`, `logstash_system`, `beats_system`, and `remote_monitoring_user`. To set up passwords for these users, you can use the `elasticsearch-reset-password` command-line tool.

This tool can operate in two modes: `interactive` and `auto`. In `interactive` mode, you’re prompted to enter passwords for each built-in user. In `auto` mode, the tool generates random passwords for all built-in users.

To run the tool in `interactive` mode, use the following command:

```sh
# -u names the user whose password is reset; run once per built-in user
bin/elasticsearch-reset-password -u elastic --interactive
```

To run the tool in `auto` mode, use the following command:

```sh
# -u names the user whose password is reset; run once per built-in user
bin/elasticsearch-reset-password -u elastic --auto
```

Remember to note down the generated passwords, especially the one for the `elastic` user, as you’ll need them to authenticate to Elasticsearch.

Updating Kibana and Logstash Passwords

After setting up the built-in user passwords, you need to update the Elasticsearch connection settings in Kibana and the Elasticsearch output configuration in Logstash to use the new `kibana_system` and `logstash_system` passwords, respectively.

In Kibana, update the `elasticsearch.username` and `elasticsearch.password` settings in the `kibana.yml` configuration file:

```yaml
elasticsearch.username: "kibana_system"
elasticsearch.password: "your_kibana_system_password"
```

In Logstash, update the `username` and `password` options in the Elasticsearch output configuration:

```
output {
  elasticsearch {
    hosts => ["http://localhost:9200"]
    username => "logstash_system"
    password => "your_logstash_system_password"
  }
}
```

After making these changes, restart your Kibana and Logstash instances.

Creating and Managing Custom Users

In addition to the built-in users, you can create custom users with specific roles and privileges. To do this, use the Kibana Management UI or the Elasticsearch user API.

For example, to create a user named `my_user` with the `kibana_admin` role using the user API, you can use the following command:

```sh
curl -X POST "localhost:9200/_security/user/my_user" -H 'Content-Type: application/json' -u 'elastic:<password>' -d'
{
  "password" : "my_password",
  "roles" : [ "kibana_admin" ],
  "full_name" : "My User"
}'
```

To manage users and roles, you can use the Kibana Management UI or the Elasticsearch user and role APIs.
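
The curl command above carries both passwords on the command line, where they end up in shell history and process listings. The script below is an added example, not part of the original guide: it sends the same user API request with the credentials and body passed to curl on stdin, then checks the new account against `_security/_authenticate`. `ES_URL`, `ES_CACERT` and the helper function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide. ES_URL and ES_CACERT are
# assumed placeholder values; point them at your own cluster and CA file.
ES_URL="${ES_URL:-https://localhost:9200}"
ES_CACERT="${ES_CACERT:-config/certs/http_ca.crt}"

# Escape backslashes and double quotes for a JSON string or a quoted
# curl config value (both use the same two escapes).
escape_dq() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# JSON body for POST /_security/user/<name>. Args: password role full_name
user_body() {
  printf '{"password":"%s","roles":["%s"],"full_name":"%s"}' \
    "$(escape_dq "$1")" "$(escape_dq "$2")" "$(escape_dq "$3")"
}

# curl config fed on stdin (-K -), so neither password appears in curl's
# command line. Args: auth_user auth_password [json_body]
curl_config() {
  printf 'user = "%s:%s"\n' "$(escape_dq "$1")" "$(escape_dq "$2")"
  if [ -n "${3:-}" ]; then
    printf 'header = "Content-Type: application/json"\n'
    printf 'data-binary = "%s"\n' "$(escape_dq "$3")"
  fi
}

# Prompt on stderr with terminal echo off; print the secret on stdout.
prompt_secret() {
  printf '%s' "$1" >&2
  stty -echo; IFS= read -r secret; stty echo
  printf '\n' >&2
  printf '%s' "$secret"
}

# Create the user, then confirm the new credentials authenticate.
create_user() {  # Args: new_user role full_name
  admin_pw=$(prompt_secret "Password for elastic: ")
  new_pw=$(prompt_secret "New password for $1: ")
  case "$new_pw" in *[[:cntrl:]]*) echo "control characters not allowed" >&2; return 1 ;; esac
  curl_config elastic "$admin_pw" "$(user_body "$new_pw" "$2" "$3")" |
    curl -sS --fail --cacert "$ES_CACERT" -K - -X POST "$ES_URL/_security/user/$1" || return 1
  curl_config "$1" "$new_pw" |
    curl -sS --fail --cacert "$ES_CACERT" -K - "$ES_URL/_security/_authenticate"
}

# Usage: sh create_user.sh my_user kibana_admin "My User"
if [ "$#" -ge 3 ]; then create_user "$@"; fi
```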

Conclusion

By following these steps, you can effectively secure your Elasticsearch cluster by setting up passwords for built-in and custom users. Remember to regularly update your passwords and monitor your Elasticsearch security logs to ensure the ongoing security of your data. 
