Sending data to Logstash is quick and simple to set up. If you have not already done so, please check out our Data Source Integration for shipping logs before learning how to properly use the API key.
Adding security measures to safe-guard Logstash is highly recommended. There are a number of ways to add an authentication step to your request pipeline so that only authorised sources may ship logs to Logstash.
1. Add an API Key to every message
Sending the API key with each message is the most common and preferred way of authorising requests. This API key can be anything you like (such as a GUID or a special string value of your choice). Then you can use a Logstash filter to check if this key is included. If it is not included, you can drop the message as part of the filtering process. This method gives you far greater control over both ends of the authentication process.
For example, you can use Filebeat to send a log message that includes the API key:
filebeat.prospectors:
type: log
enabled: true
paths:
/var/log/nginx/access.log
fields:
type: nginx-access
logstashApiKey: <your-api-key>
fields_under_root: true
encoding: utf-8
exclude_files: [".gz"]
And use a Logstash filter to drop all messages that do not match the expected API key value:
if [logstashApiKey] != "<your-api-key>"
{
drop {}
}
2. Firewall Configuration / IP White-listing
The Logit.io platform provides Logstash Firewall Groups that allow you to manage and restrict which IP addresses can send data to your Stacks and which ports those restrictions apply to. Setting Firewall Groups improves Stack security by blocking all unauthorised traffic to ports you've specified.
3. Mutual TLS
Currently, this is a support request feature that can be set up by contacting our support team, here.
What's next?
How to use your API Key in Logstash
Learn about managing OpenSearch security roles to give granular Stack access
Learn about managing workspaces using OpenSearch Multi-Tenancy
Learn how to manage teams and user permissions with Role-Based Access (RBAC)