Storing credentials directly inside Logstash pipeline files makes accidental exposure likely through version control, backups, and support bundles. A Logstash keystore keeps secret values in an encrypted file on disk and lets pipelines reference them by name, so the pipeline configuration stays readable and shareable without carrying the actual password.

The keystore is loaded from the directory configured as path.settings (commonly /etc/logstash on RPM/DEB installs, the directory that also holds logstash.yml), and keys are referenced with the same ${KEY} syntax used for environment variable expansion, including the ${KEY:default} form. When Logstash parses settings and pipeline configuration it resolves keystore keys before environment variables, so a keystore entry takes precedence over a same-named environment variable.

The keystore file must stay readable by the service account (typically logstash) and unreadable by everyone else: if the account cannot read it the logstash service fails to start, and if other users can read it the stored secrets are exposed to them. Without a keystore password the file is encrypted with a default password built into Logstash, so file permissions are its only real protection. A password-protected keystore requires LOGSTASH_KEYSTORE_PASS in the environment both for logstash-keystore commands and for the running service (for the systemd unit that means /etc/default/logstash, /etc/sysconfig/logstash or a unit drop-in, which then holds the keystore password and needs root-only permissions itself). Key names may contain letters, numbers, underscores, and dots, must not start with a number, and are case-sensitive. Keystore references work in pipeline configuration and logstash.yml, but not in pipelines.yml or inline configs passed with logstash -e.

Steps to add secrets to a Logstash keystore:

  1. Add the secret value to the keystore under the es_pwd key.
    $ printf 'y\nStrongPass!\n' | sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash add es_pwd --stdin
    Using bundled JDK: /usr/share/logstash/jdk
    Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
    
    es_pwd already exists. Overwrite ? [y/N] Enter value for es_pwd: Added 'es_pwd' to the Logstash keystore.

    Always pass path.settings: without it, logstash-keystore creates or updates the keystore in the install's own config directory (/usr/share/logstash/config on RPM/DEB), which the packaged service, started with --path.settings /etc/logstash, never reads.

    The leading y in the printf answers the overwrite prompt and is only consumed when es_pwd already exists, as in the transcript above; for a new key leave it out, or the stored value will be the single character y. A password written on the command line also lands in shell history and is briefly visible in the process list; running add without --stdin (interactive prompt), or piping the value from a root-only file or a secrets manager, avoids that.

  2. List keystore keys to confirm the new entry is present.
    $ sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list
    Using bundled JDK: /usr/share/logstash/jdk
    Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
    
    es_pwd
  3. Set ownership of the keystore file to logstash:root.
    $ sudo chown logstash:root /etc/logstash/logstash.keystore

    Because the keystore tool ran through sudo, the file is created owned by root; combined with mode 0600 that leaves the logstash user unable to read it and the service fails to start. Leaving the file readable by other users instead exposes every stored secret to them.

  4. Restrict the keystore file permissions to 0600.
    $ sudo chmod 0600 /etc/logstash/logstash.keystore
  5. Replace the plain-text password with ${es_pwd} in the pipeline configuration.
    output {
      elasticsearch {
        hosts => ["https://es.example.net:9200"]
        user => "logstash_writer"
        password => "${es_pwd}"
      }
    }

    Key names are case-sensitive and must match the keystore entry exactly: ${ES_PWD} would not resolve to the es_pwd entry, and Logstash refuses to start the pipeline with an error that the replacement variable is not defined in the secret store or the environment.

  6. Test the pipeline configuration. Running as the logstash user also proves that the service account can read the keystore after steps 3 and 4, --path.data points at a scratch directory so the test does not compete with the running service for its data directory lock, and because ${es_pwd} is resolved while the pipeline is compiled, a missing or misspelled key fails here rather than after the restart. For a password-protected keystore, export LOGSTASH_KEYSTORE_PASS and use sudo -E -u logstash so it reaches the test run.
    $ sudo -u logstash /usr/share/logstash/bin/logstash --path.settings /etc/logstash --path.data /tmp/logstash-configtest --config.test_and_exit
    Using bundled JDK: /usr/share/logstash/jdk
    Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
    Configuration OK
    Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash
  7. Restart the Logstash service to load the updated keystore.
    $ sudo systemctl restart logstash
  8. Check the Logstash service status for an active (running) state.
    $ sudo systemctl status logstash --no-pager
    ● logstash.service - logstash
         Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
         Active: active (running) since Wed 2026-01-07 22:23:13 UTC; 5s ago
    ##### snipped #####
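The following is an added example and not part of the page's steps or of Logstash itself: a small POSIX shell pre-restart check that ties steps 1, 5 and 6 together. It scans pipeline files for secret-bearing options that are still quoted literals, extracts every ${KEY} reference, validates the key name against the rules above, and checks each one against the output of logstash-keystore list, falling back to the environment and honouring the ${KEY:default} form. The report prints only line numbers and option names, so it never echoes a secret into a terminal or CI log. The list of option names it scans for, the function names, and the sample pipeline files and keystore listing built by make_samples are all constructed for this demonstration.

```shell
#!/bin/sh
# Pre-restart checks for Logstash pipeline files: flag secret options still written
# as literals, and check every ${KEY} reference against a keystore listing.
# Added example, not Logstash tooling; scanned option names are an assumption.

# Keystore key name rule from above: letters, digits, underscores and dots,
# first character not a digit. Comparison is case-sensitive, like Logstash.
valid_key_name() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z_.][A-Za-z0-9_.]*$'
}

# True if the key is an exported environment variable (all Logstash sees too).
# Names containing dots can only live in the keystore.
env_has() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' || return 1
  printenv "$1" >/dev/null 2>&1
}

# Report secret-bearing options whose value is a quoted literal rather than a
# ${...} reference. Only line number and option name are printed, never the value.
find_plaintext_secrets() {
  grep -noE '(^|[^A-Za-z0-9_])(password|api_key|secret_key|cloud_auth|ssl_keystore_password|ssl_truststore_password)[[:space:]]*=>[[:space:]]*"[^$"][^"]*"' "$1" \
    | sed -E 's/^([0-9]+):[^A-Za-z0-9_]*([A-Za-z0-9_]+).*/line \1: \2 is a plain-text literal/'
}

# Distinct ${KEY} / ${KEY:default} references, printed as KEY or KEY:default.
list_references() {
  grep -oE '\$\{[^}]+\}' "$1" | sed -E 's/^\$\{(.*)\}$/\1/' | sort -u
}

# Print every reference Logstash could not resolve: absent from the keystore
# listing ($2, the output of "logstash-keystore list"), not in the environment,
# and carrying no :default. Invalid key names are reported as such.
missing_references() {
  cfg="$1"; ks="$2"
  list_references "$cfg" | while IFS= read -r ref; do
    case "$ref" in *:*) continue ;; esac        # has a default, always resolves
    if ! valid_key_name "$ref"; then
      printf '%s (invalid key name)\n' "$ref"
    elif grep -qxF "$ref" "$ks" || env_has "$ref"; then
      :                                         # resolvable
    else
      printf '%s\n' "$ref"
    fi
  done
}

# Run both checks; returns 1 when something must be fixed before restarting.
check_pipeline() {
  cfg="$1"; ks="$2"; rc=0
  out=$(find_plaintext_secrets "$cfg")
  [ -z "$out" ] || { printf '%s: hard-coded secrets\n%s\n' "$cfg" "$out"; rc=1; }
  out=$(missing_references "$cfg" "$ks")
  [ -z "$out" ] || { printf '%s: unresolvable references\n%s\n' "$cfg" "$out"; rc=1; }
  return "$rc"
}

# Constructed sample data (not from a real deployment). bad.conf still carries a
# literal password and references the key in the wrong case; good.conf is what
# step 5 above ends up with, plus a reference that falls back to a default.
make_samples() {
  printf 'es_pwd\n' > "$1/keystore.list"
  cat > "$1/bad.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["https://es.example.net:9200"]
    user => "logstash_writer"
    password => "StrongPass!"
  }
  http { url => "https://hooks.example.net/ingest" user => "hook" password => "${ES_PWD}" }
}
EOF
  cat > "$1/good.conf" <<'EOF'
output {
  elasticsearch {
    hosts => ["https://es.example.net:9200"]
    user => "logstash_writer"
    password => "${es_pwd}"
    ssl_truststore_password => "${truststore.pwd:changeit}"
  }
}
EOF
}

# Demo on the constructed samples. On a real host, produce the listing with:
#   sudo -E /usr/share/logstash/bin/logstash-keystore --path.settings /etc/logstash list > keystore.list
demo=$(mktemp -d)
make_samples "$demo"
unset ES_PWD                     # so the environment cannot mask the missing key
for f in "$demo/bad.conf" "$demo/good.conf"; do
  if check_pipeline "$f" "$demo/keystore.list"; then
    echo "$f: OK"
  else
    echo "$f: fix before restarting logstash"
  fi
done
rm -rf "$demo"
```

Run it on a real host by saving the listing to a root-only file and calling check_pipeline on each file in /etc/logstash/conf.d (the path is the packaged default; adjust to your layout) before step 7. The constructed bad.conf reproduces the ${ES_PWD} versus es_pwd mismatch from step 5: the literal on line 5 is flagged by name only, and ES_PWD is reported as unresolvable because the keystore entry is es_pwd and the comparison is exact, which is the same failure the config test in step 6 would surface.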