How to Configure Filebeat's Authentication Mechanisms

小樊
2025-09-21 09:29:10
Category: Programming Languages

Configuring Authentication Mechanisms for Filebeat

Filebeat supports multiple authentication mechanisms to securely send data to Elasticsearch, including basic authentication, API key authentication, and client certificate authentication. Below is a step-by-step guide to configuring these mechanisms, along with essential security considerations.

1. Basic Authentication (Username/Password)

Basic authentication is the most common method, requiring a username and password to authenticate with Elasticsearch.

  • Configuration Steps:
    Open the Filebeat configuration file (filebeat.yml) and add the username and password parameters under the output.elasticsearch section. For example:
    output.elasticsearch:
      hosts: ["https://your-elasticsearch-host:9200"]
      username: "your_username"  # Replace with your Elasticsearch username
      password: "your_password"  # Replace with your Elasticsearch password
    
  • Notes:
    • Ensure the username/password has the necessary permissions (e.g., the filebeat_system role) to send data to Elasticsearch.
    • Avoid hardcoding sensitive credentials in the configuration file (use environment variables or secret managers instead—see Security Considerations below).

2. API Key Authentication

API keys provide a more secure alternative to basic authentication, as they are token-based and can be easily rotated.

  • Configuration Steps:
    Generate an API key in Elasticsearch (via Kibana or the Elasticsearch API), then reference it in the filebeat.yml file:
    output.elasticsearch:
      hosts: ["https://your-elasticsearch-host:9200"]
      api_key: "your_api_key_id:your_api_key_secret"  # Replace with your actual API key
    
  • Notes:
    • API keys are tied to the user who created them, so ensure the user has the required permissions.
    • API keys are stored unencrypted in the configuration file—use environment variables for added security.

3. Client Certificate Authentication (Mutual TLS)

For high-security environments, client certificate authentication (mutual TLS) ensures both the Filebeat client and Elasticsearch server authenticate each other.

  • Configuration Steps:
    Configure the output.elasticsearch section with SSL/TLS settings, including client certificate and key paths:
    output.elasticsearch:
      hosts: ["https://your-elasticsearch-host:9200"]
      ssl.certificate_authorities: ["/path/to/ca.crt"]  # Path to CA certificate
      ssl.certificate: "/path/to/client.crt"           # Path to client certificate
      ssl.key: "/path/to/client.key"                   # Path to client private key
    
  • Notes:
    • The client certificate must be signed by a CA trusted by Elasticsearch (configured in elasticsearch.yml).
    • Ensure the Filebeat process has read permissions for the certificate and key files.

4. SSL/TLS Configuration (Mandatory for Secure Communication)

Regardless of the authentication method, SSL/TLS encryption is critical to protect data in transit.

  • Key Settings:
    • Enable SSL: Set ssl.enabled: true (default in modern Filebeat/Elasticsearch versions).
    • CA Certificates: Specify the path to the CA certificate(s) that signed the Elasticsearch server certificate using ssl.certificate_authorities.
    • Verification Mode: Control certificate validation with ssl.verification_mode:
      • full (default): Validates the server certificate and hostname.
      • certificate: Validates only the server certificate (ignores hostname).
      • none (not recommended): Disables certificate validation (insecure for production).
    Example configuration:
    output.elasticsearch:
      hosts: ["https://your-elasticsearch-host:9200"]
      ssl.enabled: true
      ssl.certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"]
      ssl.verification_mode: full  # Recommended for production
    
  • Notes:
    • For self-signed certificates, add the CA certificate to the ssl.certificate_authorities list instead of disabling verification.

5. Security Considerations

  • Avoid Hardcoding Credentials: Use environment variables or secret management tools (e.g., HashiCorp Vault) to store sensitive information. For example:
    output.elasticsearch:
      username: ${ELASTICSEARCH_USERNAME}  # Reference environment variable
      password: ${ELASTICSEARCH_PASSWORD}
    
  • Use Strong Certificates: Generate certificates with a minimum 2048-bit RSA key and use SHA-256 for signing.
  • Restrict Access: Limit network access to Elasticsearch (e.g., via firewalls or security groups) to only trusted IPs.
  • Regularly Rotate Credentials: Periodically update usernames, passwords, and API keys to minimize the impact of credential compromise.
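
The checks from sections 4 and 5, applied to a filebeat.yml as a small audit script. This is an added example, not part of the original guide or of Filebeat itself; the sample configs and finding names are constructed, and the parser assumes the flat dotted-key layout used on this page rather than full YAML.

```python
import re
# Constructed sample: the weak settings this guide warns about.
SAMPLE_WEAK = """\
output.elasticsearch:
  hosts: ["http://your-elasticsearch-host:9200"]
  username: "your_username"
  password: "your_password"   # hardcoded secret
  ssl.verification_mode: none
"""
# Constructed sample: the same output following the guide's recommendations.
SAMPLE_HARDENED = """\
output.elasticsearch:
  hosts: ["https://your-elasticsearch-host:9200"]
  username: ${ELASTICSEARCH_USERNAME}
  password: ${ELASTICSEARCH_PASSWORD}
  ssl.certificate_authorities: ["/etc/pki/tls/certs/ca-bundle.crt"]
  ssl.verification_mode: full
"""
SECRET_KEYS = {"password", "api_key"}
VAR_REF = re.compile(r"^\$\{[^}]+\}$")  # value is wholly a ${VAR} reference

def parse_output_section(text):
    """Collect flat key/value pairs under output.elasticsearch (line-based, not full YAML)."""
    settings, inside = {}, False
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()  # drop comments
        if line and not line[0].isspace():  # a top-level key opens or closes the section
            inside = line == "output.elasticsearch:"
        elif inside and ":" in line:
            key, _, value = line.strip().partition(":")
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return sorted finding names (hypothetical labels) for one filebeat.yml text."""
    s = parse_output_section(text)
    findings = []
    if "http://" in s.get("hosts", ""):
        findings.append("plaintext-http-host")
    for key in SECRET_KEYS & s.keys():
        if not VAR_REF.match(s[key]):  # literal secret instead of ${VAR}
            findings.append(f"hardcoded-{key}")
    mode = s.get("ssl.verification_mode", "full")  # the guide lists full as the default
    if mode != "full":
        findings.append(f"verification-mode-{mode}")
    if s.get("ssl.enabled", "true").lower() == "false":
        findings.append("ssl-disabled")
    return sorted(findings)
```

Calling audit(SAMPLE_WEAK) reports the plaintext host, the hardcoded password and the disabled verification; audit(SAMPLE_HARDENED) returns an empty list.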

6. Verification

After configuring authentication, verify the connection by checking Filebeat logs:

sudo tail -f /var/log/filebeat/filebeat.log

Look for messages indicating successful connections to Elasticsearch (e.g., "Successfully connected to Elasticsearch"). If errors occur, troubleshoot based on log entries (e.g., certificate validation failures, authentication errors).

By following these steps, you can securely configure Filebeat to authenticate with Elasticsearch using your preferred method while ensuring data encryption in transit.
