Getting started with the ELK Stack monitoring solution


The last step is to introduce some security to the stack. As configured so far, if you enabled access to the stack from all networks, anyone could tamper with the data. The ELK base configuration does not include any kind of access restrictions, but you can add security through plugins. Two options are the paid Elastic X-Pack Security plugin [4] and the OpenDistro [5] security plugin.

It is worth noting that another option would be to use a proxy service like Apache or Nginx to enforce authorization, but for consistency, I'll stick with a dedicated solution.

In the basic scenario, a user presents credentials that are verified against access backends. When the user's identity is confirmed, the security plugin assigns privileges and roles to the user (Figure 5).

Figure 5: Authentication and access with the OpenDistro security plugin.

When the OpenDistro plugin is enabled, Kibana presents a login panel (Figure 6).

Figure 6: Kibana login panel with OpenDistro.

The configuration for the OpenDistro plugin is stored in a few YAML files in /usr/share/elasticsearch/plugins/opendistro_security/securityconfig/.

As you can see in Listing 16, the YAML file for the security plugin is organized by user account. The hash is the hashed password, generated with the script, which is located in the tools subdirectory of the plugin directory. The opendistro_security_roles entry lets you specify any of the predefined roles. Most of the roles are self-explanatory, but the logstash role deserves a word, because it also includes permissions to write Beats indices. If you want to create your own roles, you have to modify the action_groups.yml, roles.yml, and roles_mapping.yml files, which are located in the plugin's securityconfig subdirectory. The config file can also refer to roles assigned in an authentication system such as LDAP or Active Directory.

Listing 16


# All passwords are:
# qwerty
_meta:
  type: "internalusers"
  config_version: 2

admin:
  hash: "$2y$12$N5/i8SBuGv9c8vI5fYNWFe2otKwYPbAfBpNObFjCDpRJQp0k55bfC"
  reserved: true
  hidden: true
  opendistro_security_roles:
  - all_access
  description: "Demo admin user"

kibanaserver:
  hash: "$2y$12$N5/i8SBuGv9c8vI5fYNWFe2otKwYPbAfBpNObFjCDpRJQp0k55bfC"
  reserved: true
  hidden: false
  opendistro_security_roles:
  - kibana_server
  description: "Demo kibanaserver user"

kibana:
  hash: "$2y$12$N5/i8SBuGv9c8vI5fYNWFe2otKwYPbAfBpNObFjCDpRJQp0k55bfC"
  reserved: false
  opendistro_security_roles:
  - kibana_user
  - readall_and_monitor
  description: "Demo kibana user"

logstash:
  hash: "$2y$12$N5/i8SBuGv9c8vI5fYNWFe2otKwYPbAfBpNObFjCDpRJQp0k55bfC"
  reserved: true
  hidden: false
  opendistro_security_roles:
  - logstash
  description: "Demo Logstash & Beats user"
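
An added example, not part of the original article or of the OpenDistro project: a Python audit of an internal users file in the layout of Listing 16. It flags accounts that share one hash string (as every demo account in the listing does), hashes below a bcrypt cost threshold, and accounts holding all_access. The function names, the minimum cost of 12, and the sample file with its placeholder hashes are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Listing 16; hash strings are placeholders.
SAMPLE = """\
_meta:
  type: "internalusers"
admin:
  hash: "$2y$12$CONSTRUCTED.shared.placeholder"
  opendistro_security_roles:
  - all_access
kibana:
  hash: "$2y$12$CONSTRUCTED.shared.placeholder"
logstash:
  hash: "$2y$08$CONSTRUCTED.unique.placeholder"
"""

def parse_users(text):
    """Parse the flat two-level layout of the internal users file (not general YAML)."""
    users, name, key = {}, None, None
    for line in text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if not line.startswith(" "):          # unindented line: account name
            name = item.rstrip(":")
            users[name] = {}
        elif item.startswith("- "):           # list entry under the previous key
            users[name][key] = (users[name][key] or []) + [item[2:].strip().strip('"')]
        else:                                 # "key: value" (value may be empty)
            key, _, val = item.partition(":")
            users[name][key] = val.strip().strip('"')
    users.pop("_meta", None)                  # file metadata, not an account
    return users

def audit(users, min_cost=12):
    """Return (account, finding) pairs; min_cost is an assumed local policy."""
    findings, by_hash = [], defaultdict(list)
    for name, u in users.items():
        h = u.get("hash", "")
        by_hash[h].append(name)
        m = re.match(r"\$2[abxy]\$(\d\d)\$", h)   # bcrypt prefix and cost factor
        if not m or int(m.group(1)) < min_cost:
            findings.append((name, "weak or non-bcrypt hash"))
        if "all_access" in u.get("opendistro_security_roles", []):
            findings.append((name, "holds all_access"))
    for h, names in by_hash.items():
        if h and len(names) > 1:  # bcrypt salts are random: equal strings were copied
            findings.append(("+".join(sorted(names)), "shared hash"))
    return findings
```

Calling audit(parse_users(open(path).read())) on a real file gives the same kind of report; a shared hash means the accounts also share a password.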

You can mark a user, role, role mapping, or action group as reserved. Resources that have the reserved flag set to true can't be changed using the REST API or Kibana. Reserved resources are not returned by the REST API and are not visible in Kibana.

To further harden your ELK stack, you can generate certificates to use with SSL and enable them in Elasticsearch, then add user credentials to the Kibana server as well as to all Beats. In the long run, however, it is a good idea to plug your stack into a company authentication service, such as Okta or LDAP.


ELK is an amazing solution that allows users to swiftly explore the status of the infrastructure. Although it was originally designed to handle logging, with later iterations and plugins, it has become a fully functional MAL tool (Monitoring-Alerting-Logging). This paper has touched on a few of the many potential options. Other notable features include fully configurable alerting, machine learning, anomaly detectors, and a performance analyzer.

The Author

Tomasz Szandala is a PhD student at Wroclaw University of Science and Technology and a Site Reliability Engineer at Vonage in Wroclaw, Poland. When he isn't studying or working his day job, he spends his time learning and improving Ansible, Jenkins, and other open source tools. Because a man cannot live by learning alone, he sometimes enjoys games like World of Warcraft and Civilization.
