You can specify Kerberos options with any output or input that supports Kerberos, like Elasticsearch and Kafka.

The following encryption types are supported:

Example output config with Kerberos password based authentication:

output.elasticsearch.hosts: ["http://my-elasticsearch.elastic.co:9200"]
output.elasticsearch.kerberos.auth_type: password
output.elasticsearch.kerberos.username: "elastic"
output.elasticsearch.kerberos.password: "changeme"
output.elasticsearch.kerberos.config_path: "/etc/krb5.conf"
output.elasticsearch.kerberos.realm: "ELASTIC.CO"

The service principal name for the Elasticsearch instance is contructed from these options. Based on this configuration it is going to be HTTP/[email protected].

Configuration optionsedit

You can specify the following options in the kerberos section of the apm-server.yml config file:

enablededit

The enabled setting can be used to enable the kerberos configuration by setting it to false. The default value is true.

auth_typeedit

There are two options to authenticate with Kerberos KDC: password and keytab.

password expects the principal name and its password. When choosing keytab, you have to specify a princial name and a path to a keytab. The keytab must contain the keys of the selected principal. Otherwise, authentication will fail.

config_pathedit

You need to set the path to the krb5.conf, so +apm-server can find the Kerberos KDC to retrieve a ticket.

usernameedit

Name of the principal used to connect to the output.

passwordedit

If you configured password for auth_type, you have to provide a password for the selected principal.

keytabedit

If you configured keytab for auth_type, you have to provide the path to the keytab of the selected principal.

service_nameedit

This option can only be configured for Kafka. It is the name of the Kafka service, usually kafka.

realmedit

Name of the realm where the output resides.