Secure Your Elastic Stack: Free TLS, RBAC, and Multi‑Tenant Kibana Setup

Elastic’s latest Stack releases (6.8.0 and 7.1.0) now offer core security features for free, including TLS encryption, user and role management, and Kibana multi‑tenant authentication, with detailed configuration steps for certificates, keystore passwords, node settings, and Logstash pipelines.

Ops Development Stories

Introduction

Elastic announced that the core security features of Elastic Stack versions 6.8.0 and 7.1.0 are now provided for free. Users can encrypt network traffic, create and manage users, define role‑based access control for indices and clusters, and enable user authentication for Kibana.

Free Core Security Features

TLS – encrypts communication.

File and native realms – for creating and managing users.

Role‑based access control – controls user access to cluster APIs and indices.

Security for Kibana Spaces – enables multi‑tenant capabilities in Kibana.

ELK Software Versions

rpm -qa elasticsearch logstash kibana filebeat
kibana-6.8.4-1.x86_64
filebeat-6.8.4-1.x86_64
logstash-6.8.4-1.noarch
elasticsearch-6.8.4-1.noarch

Elasticsearch Master Node Configuration

Configure TLS and Authentication

/usr/share/elasticsearch/bin/elasticsearch-certutil ca
/usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
# Add group permissions
chgrp elastic /etc/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/elastic-stack-ca.p12
# Set file permissions 640
chmod 640 /etc/elasticsearch/elastic-certificates.p12 /etc/elasticsearch/elastic-stack-ca.p12

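Elasticsearch configuration (xpack.security.* settings in elasticsearch.yml). These settings encrypt node-to-node transport traffic only; the REST API on port 9200 stays on plain HTTP, which is why the URLs later in this article use http://. With verification_mode set to certificate, a node checks that its peer's certificate is signed by the trusted CA but does not verify the hostname.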

xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Restart the service:

systemctl restart elasticsearch

Set Up Authentication Passwords

# Auto‑generate passwords
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords auto
# Interactive custom passwords
/usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive

If the PKCS#12 files were protected with a password when they were generated, add that password to the Elasticsearch keystore:

/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password
/usr/share/elasticsearch/bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password

Verify node status:

curl -u elastic:YOUR_PASSWORD 'http://192.168.99.185:9200/_cat/nodes?v'

Other Elasticsearch Nodes

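Nodes can only talk to each other over the transport layer if they present certificates issued by the same CA, so every node uses the same certificate files. The PKCS#12 passwords are read from the elasticsearch.keystore file, which is copied along with them.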

# Copy certificates and keystore to another node
scp elastic-certificates.p12 elastic-stack-ca.p12 elasticsearch.keystore [email protected]:/etc/elasticsearch/

Sample elasticsearch.yml on a second node:

cluster.name: elk-cluster
node.name: elk-node2
path.data: /var/lib/elasticsearch
path.logs: /var/log/elasticsearch
network.host: 192.168.99.186
http.port: 9200
discovery.zen.ping.unicast.hosts: ["192.168.99.185", "192.168.99.186"]
discovery.zen.minimum_master_nodes: 1
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.monitoring.collection.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

Restart the service:

systemctl restart elasticsearch

Check cluster status:

curl -u elastic:YOUR_PASSWORD 'http://192.168.99.185:9200/_cat/nodes?v'

Kibana Configuration

server.port: 5601
server.host: "192.168.99.185"
server.name: "192.168.99.185"
elasticsearch.hosts: ["http://192.168.99.185:9200"]
kibana.index: ".kibana"
elasticsearch.username: "kibana"
elasticsearch.password: "cc29cgb2QcnheBQ9oOPX"
logging.quiet: true
i18n.locale: "zh-CN"
tilemap.url: 'http://webrd02.is.autonavi.com/appmaptile?lang=zh_cn&size=1&scale=1&style=7&x={x}&y={y}&z={z}'

Logstash Configuration

input {
  beats {
    port => 5044
  }
}
filter {
  if "huawei" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
    }
  } else if "h3c" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{YEAR:year} %{DATA:hostname} %{GREEDYDATA:info}"}
    }
  } else if "ruijie" in [tags] {
    grok{
      match => {"message" => "%{SYSLOGTIMESTAMP:time} %{DATA:hostname} %{GREEDYDATA:info}"}
    }
  }
  mutate {
    add_field => ["[zabbix_key]", "networklogs"]
    add_field => ["[zabbix_host]", "192.168.99.185"]
    add_field => ["count","%{hostname}%{info}"]
    remove_field => ["message","time","year","offset","tags","path","host","@version","[log]","[prospector]","[beat]","[input][type]","[source]"]
  }
}
output{
  stdout{codec => rubydebug}
  elasticsearch{
    index => "networklogs-%{+YYYY.MM.dd}"
    hosts => ["192.168.99.185:9200"]
    user => "elastic"
    password => "qZXo7EkxoxmKvDqQIwn5"
    sniffing => false
  }
  if [count] =~ /(ERR|error|ERROR|Failed|failed)/ {
    zabbix {
      zabbix_host => "[zabbix_host]"
      zabbix_key => "[zabbix_key]"
      zabbix_server_host => "192.168.99.200"
      zabbix_server_port => "10051"
      zabbix_value => "count"
    }
  }
}
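
The Logstash output above authenticates as the elastic superuser. As an added example (not part of the original article), the script below defines a role limited to the networklogs-* indices and a user holding only that role, through the 6.8 security API; the role name networklogs_writer, the user name logstash_internal and the LS_PWD variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): a least-privilege account for
# the Logstash elasticsearch output. Role and user names are hypothetical.
ES_URL="${ES_URL:-http://192.168.99.185:9200}"
ROLE="networklogs_writer"
LS_USER="logstash_internal"

# Role: template management and monitoring on the cluster, document writes
# and index creation on the networklogs-* pattern only.
role_body() {
  cat <<'EOF'
{"cluster":["manage_index_templates","monitor"],
 "indices":[{"names":["networklogs-*"],
             "privileges":["write","create_index"]}]}
EOF
}

# User: refuse passwords that would need JSON escaping rather than emit a
# broken request body.
user_body() {
  case "$1" in
    ''|*\"*|*\\*) echo "unsupported password" >&2; return 1 ;;
  esac
  printf '{"password":"%s","roles":["%s"]}\n' "$1" "$ROLE"
}

# PUT a body to the 6.8 security API; curl prompts for the elastic password.
put_security() {
  curl -sS -u elastic -H 'Content-Type: application/json' \
       -X PUT "$ES_URL/_xpack/security/$1" -d "$2"
}

# Only touch the cluster when asked to: LS_PWD=... sh this_script.sh --apply
if [ "${1:-}" = "--apply" ]; then
  body=$(user_body "${LS_PWD:-}") || exit 1
  put_security "role/$ROLE" "$(role_body)"
  put_security "user/$LS_USER" "$body"
fi
```

The Logstash output can then use user => "logstash_internal", with the password stored in the Logstash keystore and referenced as "${ES_PWD}" instead of being written into the pipeline file.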

Head Plugin Configuration

http.cors.enabled: true
http.cors.allow-origin: "*"
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type

Access URL:

http://192.168.99.185/elasticsearch-head//?auth_user=elastic&auth_password=YOUR_PASSWORD
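
An added example, not from the original article: a small audit that flags the weak settings that appear in the configurations on this page (literal passwords, superuser output, wildcard CORS, security enabled without HTTP TLS). The finding labels and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): flag weak settings of the
# kind shown on this page. The finding labels are hypothetical.
audit_conf() {
  f="$1"
  # Password written literally instead of a ${VAR} keystore reference.
  if grep -Eq '^[[:space:]]*(elasticsearch\.)?password[[:space:]]*(:|=>)[[:space:]]*"[^$"]' "$f"; then
    echo PLAINTEXT_PASSWORD
  fi
  # Logstash output authenticating as the built-in superuser.
  if grep -Eq '^[[:space:]]*user[[:space:]]*=>[[:space:]]*"elastic"' "$f"; then
    echo SUPERUSER_OUTPUT
  fi
  # CORS allowed from any origin.
  if grep -Eq '^http\.cors\.allow-origin:[[:space:]]*"?\*"?[[:space:]]*$' "$f"; then
    echo CORS_WILDCARD
  fi
  # Security enabled, but REST (port 9200) traffic left unencrypted.
  if grep -Eq '^xpack\.security\.enabled:[[:space:]]*true' "$f" &&
     ! grep -Eq '^xpack\.security\.http\.ssl\.enabled:[[:space:]]*true' "$f"; then
    echo HTTP_TLS_OFF
  fi
}

# Constructed sample input: one weak file, one hardened file.
audit_samples() {
  d=$(mktemp -d)
  cat > "$d/weak.conf" <<'EOF'
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
http.cors.allow-origin: "*"
    user => "elastic"
    password => "EXAMPLE-ONLY"
EOF
  cat > "$d/hardened.conf" <<'EOF'
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
    user => "logstash_internal"
    password => "${ES_PWD}"
EOF
  echo "weak: $(audit_conf "$d/weak.conf" | tr '\n' ' ')"
  echo "hardened: $(audit_conf "$d/hardened.conf" | tr '\n' ' ')"
  rm -rf "$d"
}
audit_samples
```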
