Creating an API Key for Filebeat
If you have configured TLS encryption, the creation of API keys is activated automatically. Otherwise you have to activate it manually.
Caution - unencrypted transmission
Without TLS, API keys are transmitted unencrypted!
Activating the API Key Creation
- In an editor, open the elasticsearch.yml configuration file: /opt/seal/etc/elasticsearch.yml
- Set the following value:
  xpack.security.authc.api_key.enabled: true
- Save the file and exit.
Removing User and Password
You cannot use an API key in parallel with user and password. You have to use one or the other.
- In an editor, open the filebeat.yml configuration file: /opt/seal/etc/filebeat.yml
- Deactivate user and password:
  - either remove the user and password items, or
  - comment out the user and password items in the file.
- Save the file and exit.
Creating an API Key via DevTools Console in Kibana
Literature
For details on creating API keys, see https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.html.
Example from the original Elasticsearch documentation
POST /_security/api_key
{
  "name": "filebeat_host001",
  "role_descriptors": {
    "filebeat_writer": {
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["filebeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}
Example from the SEAL Systems configuration
If you leave out the expiration item, the API key never expires. The largest unit that seems to be accepted here is d (days).
POST /_security/api_key
{
  "name": "filebeat_centos8",
  "expiration": "1d",
  "role_descriptors": {
    "filebeat_writer": {
      "cluster": ["read_ilm", "read_pipeline", "monitor"],
      "indices": [
        {
          "names": ["seal-*"],
          "privileges": ["create_index", "create_doc"]
        }
      ]
    }
  }
}
Example of the response in the DevTools Console
{
  "id": "GOt06I8BYTNE_L0R4TPB",
  "name": "filebeat_centos8",
  "expiration": 1717678325186,
  "api_key": "RoTCF-LNQA2nOXT7daytfw",
  "encoded": "R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="
}
Deleting API Keys
- You can delete API keys like the one in the example above, either by id or by name, with one of the following commands:
DELETE /_security/api_key
{
  "ids": ["GOt06I8BYTNE_L0R4TPB"]
}
DELETE /_security/api_key
{
  "name": "filebeat_centos8"
}
Literature
For details on this, see https://www.elastic.co/guide/en/elasticsearch/reference/8.15/security-api-invalidate-api-key.html.
- You can also manage and delete API keys in Kibana under the following URL:
http://localhost:5601/app/management/security/api_keys
Specification in the Filebeat Configuration File
In the filebeat.yml configuration file, you have to use the combination "id:api_key" as the value of the "api_key" item.
Example of the api_key configuration in the filebeat.yml
Corresponding to the example above, the api_key item looks as follows:
output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  api_key: "GOt06I8BYTNE_L0R4TPB:RoTCF-LNQA2nOXT7daytfw"
Literature
For details on this, see https://www.elastic.co/guide/en/beats/filebeat/current/securing-communication-elasticsearch.html.
Using API Keys in a cURL Command
The API key (the "id:api_key" combination) has to be Base64 encoded. You can either
- convert the key via a website like https://www.base64encode.org/, or
- use the encoded entry from the response above.
Example of a cURL command
curl http://localhost:9200 -H "Authorization: ApiKey R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="
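The following added example (not part of the SEAL Systems documentation or of Elastic's tooling) derives both the filebeat.yml api_key value and the Base64-encoded cURL header from the DevTools response shown above, encoding locally with the base64 tool instead of a website so the key never leaves the host, and checks the result against the "encoded" field of the response. The RESPONSE value is the response from the example above, embedded here as constructed input.

```shell
#!/bin/sh
# Constructed input: the create-API-key response shown above, one field per line.
RESPONSE='{
  "id": "GOt06I8BYTNE_L0R4TPB",
  "name": "filebeat_centos8",
  "expiration": 1717678325186,
  "api_key": "RoTCF-LNQA2nOXT7daytfw",
  "encoded": "R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="
}'

# Extract a string field ($1) from a one-field-per-line JSON response ($2).
# Works without jq; good enough for the flat response the console returns.
json_field() {
  printf '%s\n' "$2" | sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# The value to put into filebeat.yml under output.elasticsearch.api_key: "id:api_key".
filebeat_api_key() {
  printf '%s:%s' "$(json_field id "$1")" "$(json_field api_key "$1")"
}

# Base64 of "id:api_key", computed locally; this is what the "encoded" field holds.
encoded_api_key() {
  filebeat_api_key "$1" | base64 | tr -d '\n'
}

# The header value for curl: "Authorization: ApiKey <base64(id:api_key)>".
apikey_header() {
  printf 'Authorization: ApiKey %s' "$(encoded_api_key "$1")"
}

# Returns 0 if the locally computed encoding matches the "encoded" field of the response,
# i.e. the id and api_key were copied correctly and nothing was truncated.
verify_encoded() {
  [ "$(encoded_api_key "$1")" = "$(json_field encoded "$1")" ]
}

# Stand-alone usage: print the filebeat.yml line and the matching curl command.
# Use an https:// URL in production; over plain http the key is sent in clear.
echo "  api_key: \"$(filebeat_api_key "$RESPONSE")\""
echo "curl https://myEShost:9200 -H \"$(apikey_header "$RESPONSE")\""
if verify_encoded "$RESPONSE"; then
  echo "encoded field matches base64(id:api_key)"
else
  echo "mismatch: check the copied id and api_key" >&2
fi
```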
Testing the Filebeat Configuration
You can test your Filebeat configuration for both syntax and connection establishment.
Testing the Syntax
Test the syntax of your Filebeat configuration with the following command:
sudo -u seal /opt/seal/seal-filebeat/filebeat -c /opt/seal/etc/filebeat.yml test config
Testing the Connection
Test the establishment of a connection between Filebeat and Elasticsearch using host, user and password or API key:
sudo -u seal /opt/seal/seal-filebeat/filebeat -c /opt/seal/etc/filebeat.yml test output