Adding Search Guard to an existing ELK stack

ES version 6.3.1, kibana 6.3.1, logstash 6.3.1

I have nginx proxy running and filebeats pumping in logs. I want to add Search Guard but the few times I have tried in my sandbox have broken the stack. Is there a good route to take to add SG to an existing stack? I would really really appreciate any help with this as I want to ball up and cry.

Thanks!

In my opinion the path of least resistance :wink: is the following:

First, install the Search Guard Elasticsearch plugin and use the demo installer to generate certificates and the configuration:

https://docs.search-guard.com/latest/demo-installer

Then, disable HTTPS for the moment. We will deal with it later, but eliminate sources of errors for now. In elasticsearch.yml, set:

```yaml
searchguard.ssl.http.enabled: false
```

Now start Elasticsearch and check that you can access the cluster, e.g. using admin/admin.

Next, install the Kibana plugin:

https://docs.search-guard.com/latest/kibana-plugin-installation

and use the minimal configuration for Search Guard. We use HTTP in the elasticsearch.url here since we disabled it in elasticsearch.yml:

```yaml
searchguard.basicauth.enabled: true
elasticsearch.url: "http://localhost:9200"

# Configure the Kibana internal server user
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"

# Disable SSL verification because we use self-signed demo certificates
elasticsearch.ssl.verificationMode: none
```

Start Kibana and check that the login is working properly.

Next, configure logstash and filebeats to use Basic Authentication. Since this is similar to X-Pack, you can refer to the ES documentation for the settings:

https://www.elastic.co/guide/en/logstash/current/ls-security.html

https://www.elastic.co/guide/en/beats/filebeat/6.2/beats-basic-auth.html

In order not to run into permission problems in the first place, use the admin user. This makes sure we can test the setup without struggling with roles for the moment.

With this minimal setup, everything should work again.

Proxy

The only remaining question is how you actually use the nginx proxy. Does it proxy all requests to Elasticsearch? Does it also sit in front of Kibana?

If you use it only to proxy ES requests, then you need to point Kibana, Logstash and Beats to the proxy of course. And you need to make sure that the HTTP Basic Auth credentials are passed to upstream as well.

If you want to use HTTPS instead of HTTP (as you should do), then the question is where you want to terminate SSL. If you want to terminate it on the proxy then you will keep the HTTP setting in elasticsearch.yml:

```yaml
searchguard.ssl.http.enabled: false
```

But that means that the traffic between proxy and ES is unencrypted. If you want to terminate SSL on ES/SG, then you need to enable SSL in elasticsearch.yml and use SSL pass through on nginx:

https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru

You also need to configure Kibana, Logstash and Beats to use TLS, again you can refer to the ES docs on how to do that.

Hope this helps!

(The reply above is to the post by Michael Clark of Sunday, July 29, 2018 at 4:53:33 AM UTC+2, which appears at the top of this page.)
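The step "disable HTTPS in elasticsearch.yml, use http:// in kibana.yml" is where a partial rollout most often leaves Kibana unable to reach the cluster, because one of the two files still carries the demo installer's HTTPS setting. The script below is an added example, not code from the thread or from Search Guard: it reads the two flat keys the reply names from each file and fails when they disagree. The file paths and the sample configs it writes to a temp dir are constructed for the example; the assumption that an absent `searchguard.ssl.http.enabled` means REST TLS is off (Search Guard's default, which the demo installer overrides explicitly) is marked in the code.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Search Guard.
# Pre-flight check for the "disable HTTPS first" step: once
# searchguard.ssl.http.enabled is false in elasticsearch.yml, kibana.yml must
# use http:// in elasticsearch.url and must enable Search Guard basic auth,
# otherwise Kibana cannot reach the cluster and the stack looks "broken".
# The keys are the ones used in the thread; the file paths and the sample
# configs written at the bottom are constructed for this example.

# yaml_value FILE KEY: print the value of a top-level "KEY: value" line,
# with surrounding quotes and a trailing "# comment" removed. Only flat keys
# like "elasticsearch.url" are handled, which is all these two files need.
yaml_value() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}:[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*#.*$//' \
        | tr -d "\"'" \
        | tail -n 1
}

# expected_scheme ES_YML: the scheme Kibana must use, derived from
# elasticsearch.yml. Assumption: an absent key means REST TLS is off, which
# is Search Guard's default; the demo installer writes the key explicitly.
expected_scheme() {
    case "$(yaml_value "$1" searchguard.ssl.http.enabled)" in
        true) echo https ;;
        *)    echo http ;;
    esac
}

# kibana_scheme KIBANA_YML: the scheme Kibana actually uses, or "" if
# elasticsearch.url is missing or has no scheme.
kibana_scheme() {
    case "$(yaml_value "$1" elasticsearch.url)" in
        https://*) echo https ;;
        http://*)  echo http ;;
        *)         echo "" ;;
    esac
}

# check_stack ES_YML KIBANA_YML: return 0 when the two files agree,
# 1 otherwise. Findings go to stderr.
check_stack() {
    es=$1; kb=$2; rc=0
    want=$(expected_scheme "$es")
    have=$(kibana_scheme "$kb")
    if [ -z "$have" ]; then
        echo "FAIL: elasticsearch.url missing or without scheme in $kb" >&2; rc=1
    elif [ "$want" != "$have" ]; then
        echo "FAIL: $es expects $want but $kb uses $have" >&2; rc=1
    fi
    if [ "$(yaml_value "$kb" searchguard.basicauth.enabled)" != true ]; then
        echo "FAIL: searchguard.basicauth.enabled is not true in $kb" >&2; rc=1
    fi
    if [ -z "$(yaml_value "$kb" elasticsearch.username)" ]; then
        echo "FAIL: elasticsearch.username (kibanaserver) not set in $kb" >&2; rc=1
    fi
    if [ "$want" = https ] && \
       [ "$(yaml_value "$kb" elasticsearch.ssl.verificationMode)" = none ]; then
        echo "WARN: verificationMode none is fine with the demo certs, not in production" >&2
    fi
    return $rc
}

# Constructed sample configs, written to a temp dir so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/elasticsearch.yml" <<'EOF'
cluster.name: elk-sandbox
searchguard.ssl.http.enabled: false
EOF
cat > "$demo_dir/kibana-good.yml" <<'EOF'
searchguard.basicauth.enabled: true
elasticsearch.url: "http://localhost:9200"
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
elasticsearch.ssl.verificationMode: none
EOF
cat > "$demo_dir/kibana-bad.yml" <<'EOF'
searchguard.basicauth.enabled: true
elasticsearch.url: "https://localhost:9200"   # left over from the demo installer
elasticsearch.username: "kibanaserver"
elasticsearch.password: "kibanaserver"
EOF

check_stack "$demo_dir/elasticsearch.yml" "$demo_dir/kibana-good.yml" && echo "kibana-good.yml: consistent"
check_stack "$demo_dir/elasticsearch.yml" "$demo_dir/kibana-bad.yml" || echo "kibana-bad.yml: scheme mismatch"
```

Run it against the real files (`check_stack /etc/elasticsearch/elasticsearch.yml /etc/kibana/kibana.yml`) before starting Kibana. Once it passes, the reply's manual check is `curl -u admin:admin http://localhost:9200/_searchguard/authinfo`, which returns the authenticated user and roles when Search Guard is handling the request.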
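The reply's proxy section leaves the nginx side to the reader. The configuration below is an added example, not from the thread or from Search Guard, showing the two termination choices it describes side by side: TLS ending on nginx with plain HTTP to Elasticsearch (and the Basic Auth header forwarded explicitly), or TCP pass-through so that TLS ends on Search Guard. Hostnames, ports, upstream addresses and certificate paths are assumptions; use one option or the other, not both.

```nginx
# Added example, not from the original thread or from Search Guard.
# Hostnames, ports, upstream addresses and cert paths are assumptions.

# Option A: TLS terminates on nginx. Elasticsearch keeps
#   searchguard.ssl.http.enabled: false
# so the hop nginx -> ES is plain HTTP and must stay on a trusted network.
# Kibana, Logstash and Beats point at https://es.example.internal:9243 and
# trust the proxy certificate (or its CA).
http {
    upstream es_http {
        server 10.0.0.11:9200;   # assumed ES node, REST layer without TLS
    }

    server {
        listen 9243 ssl;
        server_name es.example.internal;
        ssl_certificate     /etc/nginx/tls/es-proxy.crt;
        ssl_certificate_key /etc/nginx/tls/es-proxy.key;

        location / {
            proxy_pass http://es_http;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            # Search Guard authenticates on the ES side, so the client's
            # Basic Auth header must reach it unchanged. nginx forwards
            # request headers by default; setting it explicitly protects
            # against an inherited `proxy_set_header Authorization "";`.
            proxy_set_header Authorization $http_authorization;
            # Do not add auth_basic here unless the same users exist in
            # nginx's htpasswd and in Search Guard: nginx checks the header
            # first and answers 401 itself when they do not match.
        }
    }
}

# Option B: TLS terminates on Elasticsearch/Search Guard
#   searchguard.ssl.http.enabled: true
# nginx forwards raw TCP and never sees the HTTP layer, so the Search Guard
# certificate is what clients verify. Kibana, Logstash and Beats point at
# https://es.example.internal:9243 with the SG CA configured (or, with the
# demo certificates, verificationMode none for the moment only).
stream {
    upstream es_tls {
        server 10.0.0.11:9200;   # assumed ES node, REST layer with TLS
    }

    server {
        listen 9243;
        proxy_pass es_tls;
    }
}
```

The `stream` block needs nginx built with the stream module (`nginx -V` should list `--with-stream`; distribution packages normally include it). With option B there is nothing for nginx to do about credentials, since the Basic Auth header travels inside the TLS session straight to Search Guard; with option A the explicit `proxy_set_header Authorization` line is the one that keeps the reply's "credentials are passed to upstream" requirement true.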