--- title: Secure communication with Elasticsearch description: When sending data to a secured cluster through the elasticsearch output, Heartbeat can use any of the following authentication methods: Basic authentication... url: https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/heartbeat/securing-communication-elasticsearch products: - Beats - Heartbeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Secure communication with Elasticsearch When sending data to a secured cluster through the `elasticsearch` output, Heartbeat can use any of the following authentication methods: - Basic authentication credentials (username and password). - Token-based API authentication. - A client certificate. Authentication is specified in the Heartbeat configuration file: - To use **basic authentication**, specify the `username` and `password` settings under `output.elasticsearch`. For example: ```yaml output.elasticsearch: hosts: ["https://myEShost:9200"] username: "heartbeat_writer" password: "YOUR_PASSWORD" ``` - To use token-based **API key authentication**, specify the `api_key` under `output.elasticsearch`. For example: ```yaml output.elasticsearch: hosts: ["https://myEShost:9200"] api_key: "ZCV7VnwBgnX0T19fN8Qe:KnR6yE41RrSowb0kQ0HWoA" ``` - To use **Public Key Infrastructure (PKI) certificates** to authenticate users, specify the `certificate` and `key` settings under `output.elasticsearch`. For example: ```yaml output.elasticsearch: hosts: ["https://myEShost:9200"] ssl.certificate: "/etc/pki/client/cert.pem" ssl.key: "/etc/pki/client/cert.key" ``` These settings assume that the distinguished name (DN) in the certificate is mapped to the appropriate roles in the `role_mapping.yml` file on each node in the Elasticsearch cluster. For more information, see [Using role mapping files](https://docs-v3-preview.elastic.dev/elastic/docs-builder/docs/3016/deploy-manage/users-roles/cluster-or-deployment-auth/mapping-users-groups-to-roles#mapping-roles-file). By default, Heartbeat uses the list of trusted certificate authorities (CA) from the operating system where Heartbeat is running. If the certificate authority that signed your node certificates is not in the host system’s trusted certificate authorities list, you need to add the path to the `.pem` file that contains your CA’s certificate to the Heartbeat configuration. This will configure Heartbeat to use a specific list of CA certificates instead of the default list from the OS. Here is an example configuration: ```yaml output.elasticsearch: hosts: ["https://myEShost:9200"] ssl.certificate_authorities: - /etc/pki/my_root_ca.pem - /etc/pki/my_other_ca.pem ssl.certificate: "/etc/pki/client.pem" ssl.key: "/etc/pki/key.pem" ``` For any given connection, the SSL/TLS certificates must have a subject that matches the value specified for `hosts`, or the SSL handshake fails. For example, if you specify `hosts: ["foobar:9200"]`, the certificate MUST include `foobar` in the subject (`CN=foobar`) or as a subject alternative name (SAN). Make sure the hostname resolves to the correct IP address. If no DNS is available, then you can associate the IP address with your hostname in `/etc/hosts` (on Unix) or `C:\Windows\System32\drivers\etc\hosts` (on Windows). ## Learn more about secure communication More information on sending data to a secured cluster is available in the configuration reference: - [Elasticsearch](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/heartbeat/elasticsearch-output) - [SSL](https://www.elastic.co/elastic/docs-builder/docs/3016/reference/beats/heartbeat/configuration-ssl)