User Guide

Advanced Topics

Elasticsearch security helper tool

The secure communication provided by X-Pack Security requires additional parameters, such as authentication certificates, to interact with the Elastic Stack APIs. We have developed a few helper tools, based on curl, to simplify your interaction with the APIs.

The Elasticsearch helper script lets you omit all the authentication parameters for the admin user, which would otherwise be required.

Location: /usr/share/neteye/elasticsearch/scripts/es_curl.sh

The NetEye helper script can be used instead if you only need read permission for the fields @timestamp and host on the Logstash index entries. This script is used by NetEye for self-monitoring activities.

Location: /usr/share/neteye/elasticsearch/scripts/es_neteye_curl.sh

Kibana Keystore Usage

The Kibana Keystore feature comes with a kibana-keystore tool, which lets you manage the settings in the keystore.

If your installation is a NetEye Cluster, you are advised to use the kibana-keystore tool only from the cluster nodes where the Kibana resource is active.

Using the kibana-keystore tool from nodes where Kibana is not running will have no effect on the Kibana Keystore configuration.

El Proxy Security

The El Proxy module is automatically configured upon installation to use certificates for improved security and to comply with standard NetEye policies. This section describes some details of the configuration and can be used to modify the setup if required.

TLS configuration

The El Proxy server can start in HTTP or HTTPS mode; this is configured in the web_server.tls section of the configuration file.

The available modes are:

  • None: The El Proxy server starts with TLS disabled. Example:

    [web_server.tls]
    type = "None"
    
  • PemCertificatePath: The El Proxy server starts with TLS enabled using the PEM certificates read from the local file system. When this method is used, the following information must be provided:

    • certificate_path: path to the server public certificate

    • private_key_path: path to the server private key

    Example:

    [web_server.tls]
    type = "PemCertificatePath"
    certificate_path = "/path/to/certs/ebp_server.crt.pem"
    private_key_path = "/path/to/certs/private/ebp_server.key.pem"
    

Authentication to Elasticsearch

When the Elasticsearch client is created, the authentication method to be used to connect to Elasticsearch needs to be specified. The authentication method defined in the configuration file is only used for the serve command.

The available authentication methods are:

  • None: the client connects to Elasticsearch without authentication. Example:

    [elasticsearch.auth]
    type = "None"
    
  • BasicAuth: the client authenticates to Elasticsearch with username and password. When this method is used, the following information must be provided:

    • username: name of the Elasticsearch user

    • password: the password for the Elasticsearch user

    Example:

    [elasticsearch.auth]
    type = "BasicAuth"
    username = "myuser"
    password = "mypassword"
    
  • PemCertificatePath: the client connects to Elasticsearch using the PEM certificates read from the local file system. When this method is used, the following information must be provided:

    • certificate_path: path to the public certificate accepted by Elasticsearch

    • private_key_path: path to the corresponding private key

    Example:

    [elasticsearch.auth]
    type = "PemCertificatePath"
    certificate_path = "/path/to/certs/ebp.crt.pem"
    private_key_path = "/path/to/certs/private/ebp.key.pem"