Keeping credentials in the Filebeat configuration file (filebeat.yml) risks accidental exposure through backups, support bundles, or version control. A Filebeat keystore stores passwords and API keys outside the main configuration, so the configuration files stay readable and shareable while the secrets themselves never appear in them.
Keystore entries are saved under the Filebeat data path (path.data) and referenced by key name. On startup, Filebeat replaces ${KEY} placeholders in the configuration with the corresponding keystore value, allowing authenticated outputs such as Elasticsearch or Logstash without hardcoding secrets.
Keystore commands must target the same installation and data path as the running service; otherwise the secret is written to a different keystore and is unavailable at runtime. On Linux packages, path.data is typically /var/lib/filebeat, so the keystore file is /var/lib/filebeat/filebeat.keystore, and keystore changes take effect only after the filebeat service is restarted. The Beats keystore is not protected by a passphrase, so file permissions are what keep the secrets from other local users: keep the file readable only by the account Filebeat runs as, and do not reuse a key name for a different secret.
Related: How to create a Filebeat keystore
Steps to add secrets to a Filebeat keystore:
- Add a secret value to the Filebeat keystore.
$ printf 'strong-password' | sudo filebeat keystore add ES_PWD --stdin
Successfully updated the keystore
printf is used rather than echo so that no trailing newline becomes part of the stored value. Note that a password typed on the command line this way is recorded in the shell history; running sudo filebeat keystore add ES_PWD without --stdin prompts for the value interactively and avoids that. If Filebeat uses a non-default data path, append -path.data /path/to/data so the entry is written to the keystore the service actually reads.
- Confirm the keystore entry is present.
$ sudo filebeat keystore list
ES_PWD
filebeat keystore list shows key names only and never prints secret values.
- Reference the secret in the output configuration.
output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
Quote the ${ES_PWD} placeholder to avoid YAML parsing issues; the name inside the braces must match the keystore key name exactly.
- Test the Filebeat configuration for syntax errors.
$ sudo filebeat test config
Config OK
Related: How to test a Filebeat configuration
- Restart the Filebeat service to load the updated keystore.
$ sudo systemctl restart filebeat
Restarting Filebeat pauses log shipping until the service is active again; inputs resume from the offsets recorded in the registry under path.data, so a brief restart does not lose already-harvested files.
- Verify the output can connect using the new secret.
$ sudo filebeat test output -c /etc/filebeat/filebeat-es-keystore.yml
elasticsearch: https://localhost:9200...
  parse url... OK
  connection...
    parse host... OK
    dns lookup... OK
    addresses: 127.0.0.1, ::1
    dial up... OK
  TLS...
    security: server's certificate chain verification is enabled
    handshake... OK
    TLS version: TLSv1.3
    dial up... OK
  talk to server... OK
  version: 8.19.9
The -c option selects the configuration file to test; without it Filebeat uses the default filebeat.yml under its configuration directory (/etc/filebeat on Linux packages). Because test output resolves ${ES_PWD} from the keystore before connecting, a successful talk to server line confirms the stored secret works. If that step fails with an authentication error, check that the placeholder name matches the keystore entry and that the keystore command targeted the same path.data as the service.
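The steps above rely on every ${KEY} placeholder in the configuration having a matching keystore entry and on no secret being left as a literal value. The following pre-flight script is an added example, not part of this guide or of Filebeat itself: it extracts the placeholders from a config file, compares them with a keystore listing (the output of sudo filebeat keystore list, saved to a file) and flags password-style fields that still contain a literal. The sample config and key list it creates are constructed for the demonstration; the field names it scans for (password, api_key, key_passphrase, secret_token) are an assumed list you can extend.

```sh
#!/bin/sh
# Pre-flight check for a Filebeat keystore setup (added example, not from the
# guide or from Filebeat itself). It compares the ${KEY} placeholders in a
# config file against a keystore listing and flags secret fields that still
# carry a literal value. The config and key list below are constructed samples;
# in real use the key list comes from "sudo filebeat keystore list".

# Print the distinct key names referenced as ${KEY} or ${KEY:default} in $1.
extract_placeholders() {
    grep -o '\${[A-Za-z_][A-Za-z0-9_]*' "$1" | cut -c3- | sort -u
}

# Print placeholders in config $1 that have no entry in key list $2
# (one key name per line, as "filebeat keystore list" prints them).
missing_keys() {
    ref=$(mktemp) && ks=$(mktemp) || return 1
    extract_placeholders "$1" > "$ref"
    sort -u "$2" > "$ks"
    comm -23 "$ref" "$ks"
    rm -f "$ref" "$ks"
}

# Print lines (with line numbers) where a secret-bearing field such as
# password: or api_key: holds a literal value instead of a ${...} placeholder.
# The optional single character before ${ allows a quote mark of either kind.
# Exit status follows grep: 0 when at least one offending line is printed.
hardcoded_secrets() {
    grep -nE '^[[:space:]]*([A-Za-z_.]+\.)?(password|api_key|key_passphrase|secret_token):' "$1" \
        | grep -vE ':[[:space:]]*.?\$\{'
}

# Run both checks on config $1 against key list $2; return 0 only when clean.
preflight() {
    rc=0
    missing=$(missing_keys "$1" "$2")
    if [ -n "$missing" ]; then
        echo "placeholders with no keystore entry:"
        echo "$missing" | sed 's/^/  /'
        rc=1
    fi
    literal=$(hardcoded_secrets "$1") || true
    if [ -n "$literal" ]; then
        echo "literal secrets that belong in the keystore:"
        echo "$literal" | sed 's/^/  /'
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "keystore check passed for $1"
    return "$rc"
}

# --- constructed demo input (not a real deployment) --------------------------
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/filebeat.yml" <<'EOF'
filebeat.inputs:
  - type: filestream
    id: syslog
    paths: ["/var/log/syslog"]
output.elasticsearch:
  hosts: ["https://es.example.net:9200"]
  username: "filebeat_writer"
  password: "${ES_PWD}"
  ssl.key_passphrase: "${TLS_KEY_PASS}"
monitoring.elasticsearch:
  username: "beats_monitor"
  password: "hunter2"
EOF
# Stand-in for: sudo filebeat keystore list > "$DEMO_DIR/keys.txt"
printf 'ES_PWD\n' > "$DEMO_DIR/keys.txt"

# The demo config references TLS_KEY_PASS, which is not in the keystore, and
# still carries a literal monitoring password, so this reports both and exits 1.
preflight "$DEMO_DIR/filebeat.yml" "$DEMO_DIR/keys.txt"
echo "preflight exit status: $?"
```

Against a real host, run sudo filebeat keystore list > /tmp/keys.txt and then preflight /etc/filebeat/filebeat.yml /tmp/keys.txt before restarting the service; a non-zero status means a restart would either fail to resolve a placeholder or keep shipping with a secret that is still in the config file. The check reads only key names, never values, so it is safe to run from a support or deployment pipeline.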
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
