Reputation: 5327
I'm installing the ELK stack for my company. My cousin uses it for his company too; he's a programmer, so I asked him if he bought X-Pack, and he says no, since the MySQL logs he processes aren't of value. I know that I can buy X-Pack or use Nginx to add authentication, but let's assume that I won't do any authentication, like many Elastic users. I have a couple of questions about that scenario.
So I have Filebeat that ships MySQL logs to Logstash, which feeds them to Elasticsearch, and analytics is done in Kibana.
I'm just trying to understand how many users manage to run ELK without authentication, while still being able to get meaningful data.
Upvotes: 1
Views: 2610
Reputation: 1770
If you need to grant some access / privileges, you can use Grafana instead of Kibana for free.
For ES access, this is like any DB security. Configure your server to allow only some IPs on 9200 and 9300.
You can also look at https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin to secure delete queries (still free).
Upvotes: 0
Reputation: 395
Please check out Search Guard (https://search-guard.com/). The basic version (which is sufficient for most use cases and definitely better than nothing) is free and open source (Apache 2 License).
Disclaimer: I work for Search Guard/floragunn GmbH
Upvotes: 2
Reputation: 7463
How to make sure that no information of value ends up in the logs while still having meaningful analytics? My company develops an ERP and has many companies as customers, so at the very least you'll have the company ID and the user ID in the logs in order to have any meaningful data. Isn't this considered sensitive data?
If you don't want sensitive data stored in your Elasticsearch, you need to filter it out or anonymize it. For example, you can use a Logstash filter to create a fingerprint combining the company id and user id fields, or you can remove any field with sensitive data from your message.
How to make sure that no unauthorized user sends a POST request to Elasticsearch or accesses Kibana? Do you run them locally, not on the internet?
Without authentication this is almost impossible. You will need full control of who knows about your Elasticsearch instance and who can access it; if someone besides you has access, they can send requests to your instance. To avoid that, you can use a firewall on your servers and only allow access to specific IPs.
Even if you take some precautions, running an Elasticsearch instance in production without any kind of access control is not recommended and is very risky.
You should use an access control method; it could be X-Pack, NGINX, or a plugin like Search Guard.
Upvotes: 4
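A Logstash filter block that applies the fingerprint-and-drop approach from the answer above, added here as an example rather than taken from the answerer or the Logstash project; the field names `company_id`, `user_id` and `client_ip` and the HMAC key are assumed placeholders for whatever the MySQL log events actually carry.

```logstash
filter {
  # Build one keyed hash over the tenant + user pair so analytics can
  # still group and count per tenant-user, without storing the raw IDs.
  # With "key" set, SHA256 runs as HMAC-SHA256, so the fingerprint cannot
  # be reversed by simply hashing guessed company/user ID combinations.
  fingerprint {
    source              => ["company_id", "user_id"]
    concatenate_sources => true
    method              => "SHA256"
    key                 => "REPLACE-WITH-A-LONG-RANDOM-SECRET"   # placeholder
    target              => "[tenant_user_fingerprint]"
  }

  # Drop the raw identifiers (and any other field you consider sensitive)
  # before the event reaches Elasticsearch; only the fingerprint is kept.
  mutate {
    remove_field => ["company_id", "user_id", "client_ip"]
  }
}
```

Rotating the key breaks correlation with earlier fingerprints, so keep it stable for as long as you need cross-period analytics and store it outside the pipeline config (for example in the Logstash keystore).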