How to add a secret to a Logstash keystore

Keeping Elasticsearch passwords, API tokens, and similar secrets out of Logstash pipeline files reduces the chance of leaking them through copied configs, repository commits, backups, or troubleshooting bundles. A Logstash keystore stores the sensitive value separately so the pipeline keeps only a placeholder instead of the plain-text secret.

The keystore lives in the directory defined by path.settings, which is typically /etc/logstash on DEB and RPM installs. Each entry uses an arbitrary key name such as ES_PWD, and Logstash resolves ${KEY} references from the keystore before falling back to environment variables when it parses logstash.yml or pipeline configuration files.

Add entries against the same path.settings directory used by the running service, or the service reads a different keystore file. If the keystore is password-protected, LOGSTASH_KEYSTORE_PASS must be available to both the logstash-keystore command and the running logstash service. Current Elastic docs also still note that keystore references do not work in pipelines.yml or inline configs passed with logstash -e.

Related: How to create a Logstash keystore
Related: How to configure Logstash pipelines

Steps to add a secret to a Logstash keystore:

  1. Add the secret to the keystore with a key name that matches the placeholder to be used in the configuration. 
    $ printf '%s' 'replace-with-elasticsearch-password' | sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add ES_PWD --stdin
Enter value for ES_PWD: Added 'ES_PWD' to the Logstash keystore.

    Keep --path.settings /etc/logstash aligned with the running service so the command updates the same keystore that Logstash reads at startup.

    Use sudo -E when the keystore is password-protected and LOGSTASH_KEYSTORE_PASS is already exported in the current shell. The --stdin flag reads the value from standard input instead of waiting for interactive typing.

  2. List the stored keys to confirm the new entry exists. 
    $ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list
ES_PWD

    logstash-keystore list prints key names only and does not reveal the secret value.

  3. Verify that the keystore file is still owned by the logstash service account and readable only by that user. 
    $ sudo ls -l /etc/logstash/logstash.keystore
-rw------- 1 logstash root 865 Apr  8 07:42 /etc/logstash/logstash.keystore

    If the owner or mode is different, correct it with sudo chown logstash:root /etc/logstash/logstash.keystore && sudo chmod 0600 /etc/logstash/logstash.keystore before restarting the service.

  4. Replace the plain-text secret in the pipeline configuration with the keystore placeholder. 
    output {
  elasticsearch {
    hosts => ["https://es.example.net:9200"]
    user => "logstash_writer"
    password => "${ES_PWD}"
  }
}

    The placeholder must match the keystore key exactly, including case.

    Keystore substitution works in pipeline configuration and logstash.yml, but current Elastic docs still say it is not supported from pipelines.yml or the logstash -e command-line config string.

    Related: How to configure Logstash pipelines

  5. Test the pipeline configuration before restarting Logstash. 
    $ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
Using bundled JDK: /usr/share/logstash/jdk
[2026-04-07T08:03:33,559][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"9.2.3", "jruby.version"=>"jruby 9.4.13.0 (3.1.4) 2025-06-10 9938a3461f OpenJDK 64-Bit Server VM 21.0.9+10-LTS on 21.0.9+10-LTS +indy +jit"}
Configuration OK
[2026-04-07T08:03:34,546][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

    Current releases default allow_superuser to false, so run the test as the logstash user instead of root unless that setting has been changed.

    Related: How to test a Logstash pipeline configuration

  6. Restart the Logstash service so it reloads the updated keystore. 
    $ sudo systemctl restart logstash

    Keystore changes are read at startup, so the running service keeps using the previous value until the next clean start.

    Related: How to manage the Logstash service with systemctl in Linux

  7. Check the service state and recent startup result. 
    $ sudo systemctl status logstash --no-pager --full | head -n 12
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Tue 2026-04-07 08:05:40 UTC; 9s ago
   Main PID: 58211 (java)
      Tasks: 101 (limit: 28486)
     Memory: 1.1G (peak: 1.1G)
        CPU: 34.102s
     CGroup: /system.slice/logstash.service
             └─58211 /usr/share/logstash/jdk/bin/java ##### snipped #####

    If the service does not return to active (running), inspect the recent journal for keystore-path, permission, or invalid-setting errors with sudo journalctl -u logstash -n 50 --no-pager.

    Related: How to manage the Logstash service with systemctl in Linux