
Creating an API Key for Filebeat


If you have configured TLS encryption, the creation of API keys is activated automatically. Otherwise, you have to activate it manually.

Caution - unencrypted transmission

Without TLS, API keys are transmitted unencrypted!


Activating the API Key Creation

  1. In an editor, open the elasticsearch.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\seal-elasticsearch\elasticsearch.yml"
    
  2. Set the following value:

    xpack.security.authc.api_key.enabled: true
    
  3. Save the file and exit.


Removing User and Password

You cannot use an API key in parallel with user and password. You have to use one or the other.

  1. In an editor, open the filebeat.yml configuration file:

    "C:\ProgramData\SEAL Systems\config\filebeat.yml"
    
  2. Deactivate user and password:

    • Either remove the user and password items,

    • Or comment out the user and password items in the file.

  3. Save the file and exit.


Creating an API Key via DevTools Console in Kibana

For details on creating API keys, see https://www.elastic.co/guide/en/beats/filebeat/current/beats-api-keys.html.

Example from the original Elasticsearch documentation

POST /_security/api_key
{
  "name": "filebeat_host001", 
  "role_descriptors": {
    "filebeat_writer": { 
      "cluster": ["monitor", "read_ilm", "read_pipeline"],
      "index": [
        {
          "names": ["filebeat-*"],
          "privileges": ["view_index_metadata", "create_doc"]
        }
      ]
    }
  }
}

Example from the SEAL Systems configuration

If you leave out the expiration item, the API key never expires.

The biggest possible unit here seems to be d for days.

POST /_security/api_key
{
  "name": "filebeat_centos8",
  "expiration": "1d",  
  "role_descriptors": {
    "filebeat_writer" : {
      "cluster" : [ "read_ilm", "read_pipeline", "monitor"  ],
      "indices" : [
        {
          "names" : [ "seal-*" ],
          "privileges" : [ "create_index", "create_doc"  ]
        }
      ]
    }
  }
}

Example of the response in the DevTools Console

{
  "id": "GOt06I8BYTNE_L0R4TPB",
  "name": "filebeat_centos8",
  "expiration": 1717678325186,
  "api_key": "RoTCF-LNQA2nOXT7daytfw",
  "encoded": "R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="
}

Deleting Items from the API Key


Specification in the Filebeat Configuration File

In the filebeat.yml configuration file, you have to use the "id:api_key" combination as the value of the "api_key" item.

Example of the api_key configuration in the filebeat.yml

Corresponding to the example above, the api_key looks as follows:

output.elasticsearch:
  hosts: ["https://myEShost:9200"]
  api_key: "GOt06I8BYTNE_L0R4TPB:RoTCF-LNQA2nOXT7daytfw"

For details on this, see https://www.elastic.co/guide/en/beats/filebeat/current/securing-communication-elasticsearch.html


Using API Keys in a cURL command

The API key has to be Base64 encoded. You can either

Example of a cURL command

curl http://localhost:9200 -H "Authorization: ApiKey R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="

In Windows PowerShell with the Invoke-WebRequest command, you have to set and extend the Headers parameter accordingly.
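
The following PowerShell sketch is an added example, not code from SEAL Systems or Elastic. It takes the DevTools response shown above and derives both the "id:api_key" value for filebeat.yml and the Base64 Authorization header, checks them against the "encoded" field, and reports whether the key has expired. The function name ConvertTo-FilebeatApiKey is an assumption made for illustration.

```powershell
# Added example: the function name is illustrative, not SEAL Systems or Elastic code.
function ConvertTo-FilebeatApiKey {
    param([Parameter(Mandatory)][string]$ResponseJson)

    $r = $ResponseJson | ConvertFrom-Json
    if (-not $r.id -or -not $r.api_key) { throw 'Response lacks id or api_key.' }

    # filebeat.yml takes the plain "id:api_key" pair.
    $pair = '{0}:{1}' -f $r.id, $r.api_key
    # The Authorization header takes the Base64 encoding of the same pair.
    $encoded = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))
    if ($r.encoded -and $encoded -cne $r.encoded) {
        throw "Base64 of id:api_key differs from the 'encoded' field."
    }

    # "expiration" is milliseconds since the Unix epoch; it is missing
    # when the key was created without an expiration.
    $expires = $null
    if ($null -ne $r.expiration) {
        $expires = [DateTimeOffset]::FromUnixTimeMilliseconds([long]$r.expiration).UtcDateTime
    }

    [pscustomobject]@{
        Name           = $r.name
        FilebeatApiKey = $pair
        Headers        = @{ Authorization = "ApiKey $encoded" }
        ExpiresUtc     = $expires
        Expired        = ($null -ne $expires) -and ($expires -lt [DateTime]::UtcNow)
    }
}

# Response from the example on this page.
$json = @'
{
  "id": "GOt06I8BYTNE_L0R4TPB",
  "name": "filebeat_centos8",
  "expiration": 1717678325186,
  "api_key": "RoTCF-LNQA2nOXT7daytfw",
  "encoded": "R090MDZJOEJZVE5FX0wwUjRUUEI6Um9UQ0YtTE5RQTJuT1hUN2RheXRmdw=="
}
'@

$key = ConvertTo-FilebeatApiKey -ResponseJson $json
# Show the metadata only, so the secret does not end up in console logs.
$key | Select-Object Name, ExpiresUtc, Expired

# Use the headers against an https endpoint only (host name taken from the page):
# Invoke-WebRequest -Uri 'https://myEShost:9200' -Headers $key.Headers -UseBasicParsing
```

An expired key is one common reason for the connection test described below to fail, so checking Expired before running it saves a round of troubleshooting.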


Testing the Filebeat Configuration

You can test your Filebeat configuration for correct syntax and for connection establishment.


Testing the Syntax

Test the syntax of your Filebeat configuration with the following command:

& "$env:ProgramFiles\SEAL Systems\seal-filebeat\filebeat" -c "$env:ProgramData\SEAL Systems\config\filebeat.yml" test config

Testing the Connection

Test the establishment of a connection between Filebeat and Elasticsearch using host, user and password or API key:

& "$env:ProgramFiles\SEAL Systems\seal-filebeat\filebeat" -c "$env:ProgramData\SEAL Systems\config\filebeat.yml" test output
