How to create a Filebeat keystore

Keeping Elasticsearch, Logstash, proxy, or API credentials out of plain-text Filebeat configuration reduces the chance of secrets leaking through backups, copied configs, version control, or troubleshooting bundles. A local keystore is the supported way to prepare a host for authenticated outputs without hardcoding passwords in /etc/filebeat/filebeat.yml.

The filebeat keystore subcommands create an encrypted store under the active path.data directory and store secret values under arbitrary key names such as ES_PWD. When Filebeat loads its configuration, it resolves ${KEY} placeholders from the keystore before normal environment variables, so the same config file can stay readable while the secret value remains outside the YAML.

The keystore must be created with the same user and the same data path as the running Filebeat instance. On current deb/rpm installs, the packaged systemd unit starts Filebeat with --path.data /var/lib/filebeat, so the keystore normally ends up at /var/lib/filebeat/filebeat.keystore. If Filebeat runs from an archive or a custom service, use the matching --path.data value there instead. Recreating a keystore with --force removes all existing entries, and secret changes take effect only after Filebeat starts or restarts with that keystore.

Steps to create a Filebeat keystore:

  1. Create the Filebeat keystore with the same execution context used by the service.
    $ sudo filebeat keystore create
    Created filebeat keystore

    On package installs, sudo matches the packaged systemd service context. For archive installs or custom launchers, run the command as the same user and with the same --path.data value that starts Filebeat.

    Use --force only when replacing the keystore intentionally, because it deletes the existing stored keys.

  2. Verify where the keystore file was created and that it has restrictive permissions.
    $ sudo ls -l /var/lib/filebeat/filebeat.keystore
    -rw------- 1 root root 186 Apr  2 11:55 /var/lib/filebeat/filebeat.keystore

    Deb/rpm installs store the keystore under /var/lib/filebeat because that is the default path.data set by the packaged service unit.

  3. Add the first secret entry to confirm the keystore is writable.
    $ printf 'strong-password' | sudo filebeat keystore add ES_PWD --stdin
    Successfully updated the keystore

    Use --stdin for automation or secret managers, and add --force only when an existing key value should be replaced.

  4. List the stored key names to confirm the new entry is present.
    $ sudo filebeat keystore list
    ES_PWD

    filebeat keystore list prints key names only and never reveals the secret values.

  5. Reference the secret in the output configuration.
    output.elasticsearch:
      hosts: ["https://es.example.net:9200"]
      username: "filebeat_writer"
      password: "${ES_PWD}"

    The placeholder name must match the keystore key exactly, including case.

  6. Test the Filebeat configuration before restarting the service.
    $ sudo filebeat test config -c /etc/filebeat/filebeat.yml
    Config OK

  7. Restart the Filebeat service so it loads the keystore during startup.
    $ sudo systemctl restart filebeat

  8. Confirm that the Filebeat service returned to an active state.
    $ sudo systemctl is-active filebeat
    active
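As an added example, not code from the page or from the Filebeat project: a POSIX shell pre-restart check that compares every ${KEY} placeholder in the config against the key names printed by filebeat keystore list (saved to a file, so it runs without filebeat installed) and confirms the keystore file is mode 0600. The demo config, key list and paths are constructed for the example.

```shell
#!/bin/sh
# Added example (not Filebeat project code). Pre-restart checks for the
# keystore procedure above:
#   - every ${KEY} placeholder in the config has an entry in the keystore
#     (compared case-sensitively, matching how Filebeat resolves names), and
#   - the keystore file is readable only by its owner (mode 0600).
# The key list is read from a file so the check can run without filebeat;
# on a real host produce it with:  sudo filebeat keystore list > keys.txt

# check_placeholders CONFIG KEYLIST -> 0 when every placeholder is stored,
# 1 otherwise; prints each missing key name.
check_placeholders() {
  config="$1"; keylist="$2"; missing=0
  for key in $(grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$config" \
               | tr -d '${}' | sort -u); do
    if ! grep -qx "$key" "$keylist"; then
      echo "missing keystore entry: $key"
      missing=1
    fi
  done
  return "$missing"
}

# check_keystore_mode FILE -> 0 only when the file mode is exactly 0600.
check_keystore_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  [ "$mode" = "600" ]
}

# Constructed demo input standing in for /etc/filebeat/filebeat.yml and the
# saved output of `filebeat keystore list` (not real host data).
demo=$(mktemp -d)
cat > "$demo/filebeat.yml" <<'EOF'
output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
  proxy_url: "${PROXY_URL}"
EOF
printf 'ES_PWD\n' > "$demo/keys.txt"          # PROXY_URL was never added
touch "$demo/filebeat.keystore"; chmod 600 "$demo/filebeat.keystore"

if check_placeholders "$demo/filebeat.yml" "$demo/keys.txt" \
   && check_keystore_mode "$demo/filebeat.keystore"; then
  echo "keystore checks passed; safe to restart filebeat"
else
  echo "fix the keystore before restarting filebeat"   # demo takes this path
fi
rm -rf "$demo"
```

Run it with the real config and key list after step 4 and before step 7; a reported missing key usually means a case mismatch or a forgotten filebeat keystore add.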