Secure your Elasticsearch cluster and avoid ransomware

Last week, news came out that unprotected MongoDB databases are being actively compromised: their content is copied and replaced by a message asking for a ransom to get it back. As The Register reports, Elasticsearch is next. Learn how syslog-ng can help you protect your Elasticsearch cluster.

This is the final blog post in a six-part series on storing logs in Elasticsearch using syslog-ng. You’ll find a link to the previous parts in the series at the end of this post. You can also read the whole Elasticsearch series in a single white paper.

How to protect Elasticsearch?

Protecting access to Elasticsearch with a firewall is not always possible, and even in environments where it is, many admins do not protect their databases at all. If you cannot use a firewall, you can still secure the connection to Elasticsearch with encryption. Elasticsearch by itself does not provide any authentication or encryption. Still, there are several third-party solutions available, each with its own advantages and drawbacks. Keep in mind that encryption alone only protects data in transit; keeping strangers out of the cluster also requires authentication, which the solutions below provide as well.


Available solutions

X-Pack (formerly: Shield) is the solution developed by Elastic, the company behind Elasticsearch. It is a commercial product and offers much more than just securing your Elasticsearch cluster, including monitoring, reporting and alerting. When using Elasticsearch 2.X, connecting to Shield in transport mode requires dedicated support on the syslog-ng side. Support for Elasticsearch versions 2.X is available in syslog-ng versions 3.7 – 3.14. Note, however, that Shield support was removed in syslog-ng version 3.15 (when the components required to build it became unavailable).

Search Guard is an Elasticsearch plugin developed by floragunn. All basic security features are open source and available for free; enterprise features are available for a fee. Support is available in syslog-ng since version 3.9.1 when using the native Elasticsearch transport protocol. The Search Guard component used by syslog-ng to connect to Elasticsearch 2.X does not require a commercial license.

Encrypted connections to Elasticsearch through HTTPS are supported by syslog-ng starting with version 3.10.

Note: From version 5 of Elasticsearch onward, HTTPS is the only way to connect securely from syslog-ng, regardless of whether you use X-Pack or Search Guard on the server side.
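To make the HTTPS option concrete, here is an added example of a syslog-ng configuration (it is not from the original post and not an official syslog-ng sample) that sends logs to an Elasticsearch cluster over HTTPS with HTTP basic authentication, using the Java-based elasticsearch2() destination available in syslog-ng 3.10. The hostname es1.example.com, the index name, the user name, the passwords and the truststore path are assumptions; replace them with your own. The plain-HTTP variant that should be avoided is shown commented out next to the secured one.

```conf
@version: 3.10
@include "scl.conf"

# Local logs to forward (assumed: the system() source of this host)
source s_local {
    system();
    internal();
};

# INSECURE variant: cleartext HTTP, no authentication.
# Anyone who can reach port 9200 can read, delete or "ransom" the indices.
# Kept here only for comparison; do not use it.
#
# destination d_elastic_plain {
#     elasticsearch2(
#         client-mode("http")
#         cluster("syslog-ng-cluster")
#         cluster-url("http://es1.example.com:9200")
#         index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
#         type("syslog")
#         template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --exclude DATE @timestamp=${ISODATE})")
#     );
# };

# SECURED variant: TLS (HTTPS) plus HTTP basic authentication.
# The Elasticsearch side must terminate HTTPS and enforce authentication
# (X-Pack or Search Guard); syslog-ng only supplies the client half.
destination d_elastic_https {
    elasticsearch2(
        client-mode("https")
        cluster("syslog-ng-cluster")
        # Assumed cluster address; note the https:// scheme
        cluster-url("https://es1.example.com:9200")
        index("syslog-ng_${YEAR}.${MONTH}.${DAY}")
        type("syslog")

        # Assumed credentials of a dedicated, write-only user for syslog-ng.
        # Do not reuse the Elasticsearch admin account here.
        http-auth-type("basic")
        http-auth-type-basic-username("syslog-ng-writer")
        http-auth-type-basic-password("CHANGE-ME")

        # Assumed Java truststore (JKS) holding the CA that signed the
        # cluster's HTTPS certificate. Without it the client cannot verify
        # who it is talking to, so the encrypted channel could be intercepted.
        java-truststore-filepath("/etc/syslog-ng/es-truststore.jks")
        java-truststore-password("CHANGE-ME")

        template("$(format-json --scope rfc5424 --scope dot-nv-pairs --rekey .* --shift 1 --scope nv-pairs --exclude DATE @timestamp=${ISODATE})")
    );
};

log {
    source(s_local);
    destination(d_elastic_https);
};
```

Two checks are worth doing after deploying this. First, confirm from a host that is not on the allow-list that plain http://es1.example.com:9200 is refused or at least returns an authentication error rather than the cluster banner; if it answers, the server side is still open regardless of how syslog-ng connects. Second, make sure the truststore only contains the CA you actually use for the cluster, since a truststore with every public CA in it will happily accept any certificate an attacker can obtain for a look-alike hostname. Also note that newer syslog-ng releases ship an elasticsearch-http() destination that does not need Java; the options shown here apply to the Java-based elasticsearch2() driver discussed in this series.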


As you can see, syslog-ng provides many different ways to connect securely to your Elasticsearch cluster. If you have not secured it yet and want to avoid paying a ransom, secure it now!

In my previous blogs in the Elasticsearch series, I covered:

Read the entire series about storing logs in Elasticsearch using syslog-ng in a single white paper.
