auth key

logclient/config/service.env

@@ -8,21 +8,8 @@ IMAGE_TAG="7.17.23"
 LOGSERVER_HOST=
 LOGSERVER_PORT=5044
 
-# REQUIRED: Authentication method
-AUTH_MODE=mtls  # mtls, apikey, or basic
-
-# mTLS Authentication (if AUTH_MODE=mtls)
-CLIENT_CERT_PATH=/certs/client.crt
-CLIENT_KEY_PATH=/certs/client.key
-CA_CERT_PATH=/certs/ca.crt
-SSL_VERIFICATION_MODE=full
-
-# API Key Authentication (if AUTH_MODE=apikey)
-API_KEY=""  # Will be provided by logserver admin
-
-# Basic Authentication (if AUTH_MODE=basic)
-USERNAME=filebeat
-PASSWORD=changeme
+# REQUIRED: API Key Authentication
+API_KEY=""  # Get from logserver admin using generate-api-key.sh
 
 # Performance tuning
 BULK_MAX_SIZE=2048          # Maximum batch size

logclient/install.sh

@@ -3,36 +3,20 @@ source "${AGENT_PATH}/common.sh"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 # Check required environment variables
-_check_required_env_vars "CONTAINER_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "IMAGE_TAG" "LOGSERVER_HOST" "LOGSERVER_PORT" "AUTH_MODE"
+_check_required_env_vars "CONTAINER_NAME" "IMAGE_REGISTRY" "IMAGE_REPO" "IMAGE_TAG" "LOGSERVER_HOST" "LOGSERVER_PORT" "API_KEY"
 
-# Validate authentication configuration
-case "$AUTH_MODE" in
-    mtls)
-        _check_required_env_vars "CLIENT_CERT_PATH" "CLIENT_KEY_PATH" "CA_CERT_PATH"
-        if [ ! -f "$CLIENT_CERT_PATH" ]; then
-            _die "Client certificate not found at $CLIENT_CERT_PATH"
-        fi
-        if [ ! -f "$CLIENT_KEY_PATH" ]; then
-            _die "Client key not found at $CLIENT_KEY_PATH"
-        fi
-        if [ ! -f "$CA_CERT_PATH" ]; then
-            _die "CA certificate not found at $CA_CERT_PATH"
-        fi
-        ;;
-    apikey)
-        _check_required_env_vars "API_KEY"
-        if [ -z "$API_KEY" ]; then
-            _die "API_KEY is empty. Please get an API key from the logserver administrator"
-        fi
-        ;;
-    basic)
-        _check_required_env_vars "USERNAME" "PASSWORD"
-        echo "WARNING: Basic authentication is not recommended for production"
-        ;;
-    *)
-        _die "Invalid AUTH_MODE: $AUTH_MODE. Must be one of: mtls, apikey, basic"
-        ;;
-esac
+# Validate API key
+if [ -z "$API_KEY" ]; then
+    echo ""
+    echo "ERROR: API_KEY is not configured"
+    echo ""
+    echo "To get an API key:"
+    echo "1. On the logserver, run: ./generate-api-key.sh"
+    echo "2. Enter this client's hostname when prompted"
+    echo "3. Copy the generated API_KEY to this client's service.env"
+    echo ""
+    _die "Missing API_KEY configuration"
+fi
 
 # Check Docker is available
 _check_docker_installed || _die "Docker test failed"
@@ -59,4 +43,4 @@ bash ./start.sh || _die "Failed to start Filebeat"
 
 echo "Installation of ${CONTAINER_NAME} complete"
 echo "Collecting logs from Docker API and shipping to ${LOGSERVER_HOST}:${LOGSERVER_PORT}"
-echo "Authentication mode: ${AUTH_MODE}"
+echo "Using API key authentication"

logclient/start.sh

@@ -14,7 +14,7 @@ cmd="docker run -d \
     -v ${CERTS_VOLUME}:/usr/share/filebeat/certs:ro \
     -e LOGSERVER_HOST=${LOGSERVER_HOST} \
     -e LOGSERVER_PORT=${LOGSERVER_PORT} \
-    -e AUTH_MODE=${AUTH_MODE} \
+    -e API_KEY=${API_KEY} \
     $IMAGE_REGISTRY/$IMAGE_REPO:$IMAGE_TAG \
     filebeat -e -strict.perms=false \
     -c /usr/share/filebeat/config/filebeat.yml"

logserver/SETUP.md

@@ -0,0 +1,100 @@
+# LogServer Quick Setup Guide
+
+## Prerequisites
+- Docker and Docker Compose installed
+- 4GB+ RAM, 10GB+ disk space
+- Port 5601 (Kibana) and 5044 (Logstash) available
+
+## Initial Setup
+
+### 1. System Configuration
+```bash
+# Required for Elasticsearch
+sudo sysctl -w vm.max_map_count=262144
+echo "vm.max_map_count=262144" | sudo tee -a /etc/sysctl.conf
+```
+
+### 2. Configure Server
+Edit `config/service.env`:
+```bash
+# Change default password
+KIBANA_PASSWORD=your-secure-password
+```
+
+### 3. Install
+```bash
+dropshell install logserver
+```
+
+## Generate Client API Keys
+
+Run the interactive key generator:
+```bash
+./generate-api-key.sh
+```
+
+Follow the prompts:
+1. Enter hostname for each client
+2. Script generates secure API key
+3. Shows configuration to copy to client
+4. Repeat for additional clients
+
+## Access Kibana
+
+1. Open browser: `http://your-server-ip:5601`
+2. Login: `elastic` / `your-secure-password`
+3. Create index pattern: `filebeat-*`
+4. View logs in Discover tab
+
+## Add Log Clients
+
+On each client machine:
+```bash
+# Get API key from server admin (they run ./generate-api-key.sh)
+
+# Edit logclient/config/service.env:
+LOGSERVER_HOST=your-server-ip
+LOGSERVER_PORT=5044
+API_KEY=your-api-key-here
+
+# Install and start
+dropshell install logclient
+```
+
+## Verify Setup
+
+```bash
+# Check server status
+dropshell status logserver
+
+# View server logs
+dropshell logs logserver
+
+# Test client connection (from client)
+docker logs logclient-filebeat | grep "connection"
+```
+
+## Troubleshooting
+
+**Elasticsearch won't start**: Check `vm.max_map_count` is 262144+
+
+**No logs in Kibana**:
+- Verify client can reach server port 5044
+- Check API key is correct in client's service.env
+- Verify API key exists in server's api-keys.yml
+- Refresh index pattern in Kibana
+
+**High memory usage**: Adjust heap sizes in `service.env`:
+```bash
+ES_HEAP_SIZE=1g  # Reduce from 2g
+LS_HEAP_SIZE=512m  # Reduce from 1g
+```
+
+## Security Checklist
+
+- [ ] Changed default Kibana password
+- [ ] Generated unique API key per client
+- [ ] API keys stored securely
+- [ ] Firewall allows only necessary ports (5601, 5044)
+- [ ] Regular backup configured
+- [ ] Reviewed api-keys.yml for old/unused keys

logserver/config/service.env

@@ -25,18 +25,9 @@ LOGSTASH_SYSLOG_PORT=514
 LOG_RETENTION_DAYS=30
 LOG_MAX_SIZE_GB=50
 
-# Authentication Mode
-AUTH_MODE=mtls  # Options: mtls, apikey, basic
+# Authentication
 ENABLE_TLS=true
-
-# mTLS Settings (if AUTH_MODE=mtls)
-CA_CERT_PATH=/certs/ca.crt
-SERVER_CERT_PATH=/certs/server.crt
-SERVER_KEY_PATH=/certs/server.key
-CLIENT_CERT_REQUIRED=true
-
-# API Key Settings (if AUTH_MODE=apikey)
-API_KEYS_PATH=/config/api-keys.yml
+API_KEYS_FILE=${CONFIG_PATH}/api-keys.yml
 
 # Network Security
 ALLOWED_IPS=""  # Comma-separated list, empty = all

logserver/generate-api-key.sh

@@ -0,0 +1,115 @@
+#!/bin/bash
+
+# Interactive API Key Generation Script for LogServer
+# This script generates secure API keys and adds them to api-keys.yml
+
+API_KEYS_FILE="${CONFIG_PATH:-./config}/api-keys.yml"
+
+# Colors for output
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m' # No Color
+
+# Generate a secure random API key
+generate_key() {
+    openssl rand -hex 32 2>/dev/null || cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 64 | head -n 1
+}
+
+# Initialize api-keys.yml if it doesn't exist
+init_api_keys_file() {
+    if [ ! -f "$API_KEYS_FILE" ]; then
+        echo "# API Keys for LogServer Authentication" > "$API_KEYS_FILE"
+        echo "# Format: hostname:api_key" >> "$API_KEYS_FILE"
+        echo "# Generated by generate-api-key.sh" >> "$API_KEYS_FILE"
+        echo "" >> "$API_KEYS_FILE"
+        echo "api_keys:" >> "$API_KEYS_FILE"
+        echo -e "${GREEN}Created new api-keys.yml file${NC}"
+    fi
+}
+
+# Check if hostname already has a key
+check_existing_key() {
+    local hostname=$1
+    if grep -q "^  ${hostname}:" "$API_KEYS_FILE" 2>/dev/null; then
+        return 0
+    fi
+    return 1
+}
+
+# Add key to api-keys.yml
+add_key_to_file() {
+    local hostname=$1
+    local api_key=$2
+    echo "  ${hostname}: ${api_key}" >> "$API_KEYS_FILE"
+}
+
+# Main script
+echo -e "${GREEN}=== LogServer API Key Generator ===${NC}"
+echo ""
+
+# Initialize file if needed
+init_api_keys_file
+
+# Interactive mode
+while true; do
+    echo -e "${YELLOW}Enter hostname for the client (or 'done' to finish):${NC}"
+    read -p "> " hostname
+
+    if [ "$hostname" = "done" ] || [ -z "$hostname" ]; then
+        break
+    fi
+
+    # Validate hostname
+    if [[ ! "$hostname" =~ ^[a-zA-Z0-9][a-zA-Z0-9-_.]*$ ]]; then
+        echo -e "${RED}Invalid hostname format. Use only letters, numbers, dots, dashes, and underscores.${NC}"
+        continue
+    fi
+
+    # Check if key already exists
+    if check_existing_key "$hostname"; then
+        echo -e "${YELLOW}Key already exists for ${hostname}${NC}"
+        read -p "Generate new key? (y/n): " overwrite
+        if [ "$overwrite" != "y" ]; then
+            continue
+        fi
+        # Remove old key
+        sed -i "/^  ${hostname}:/d" "$API_KEYS_FILE"
+    fi
+
+    # Generate new key
+    api_key=$(generate_key)
+
+    # Add to file
+    add_key_to_file "$hostname" "$api_key"
+
+    echo -e "${GREEN}✓ Generated API key for ${hostname}${NC}"
+    echo ""
+    echo "Configuration for ${hostname}:"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "Add to client's service.env:"
+    echo ""
+    echo "LOGSERVER_HOST=$(hostname -I | awk '{print $1}')"
+    echo "LOGSERVER_PORT=5044"
+    echo "API_KEY=${api_key}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo ""
+
+    # Option to add more
+    read -p "Add another client? (y/n): " add_more
+    if [ "$add_more" != "y" ]; then
+        break
+    fi
+done
+
+# Show summary
+echo ""
+echo -e "${GREEN}=== Summary ===${NC}"
+echo "API keys file: $API_KEYS_FILE"
+echo "Total clients configured: $(grep -c "^  " "$API_KEYS_FILE" 2>/dev/null || echo 0)"
+echo ""
+echo "To view all keys: cat $API_KEYS_FILE"
+echo "To revoke a key: Edit $API_KEYS_FILE and remove the line"
+echo ""
+echo -e "${YELLOW}Remember to restart logserver after adding keys:${NC}"
+echo "  dropshell restart logserver"

logserver/install.sh

@@ -31,10 +31,12 @@ docker pull docker.elastic.co/elasticsearch/elasticsearch:${ES_VERSION} || _die
 docker pull docker.elastic.co/logstash/logstash:${LS_VERSION} || _die "Failed to pull Logstash"
 docker pull docker.elastic.co/kibana/kibana:${KIBANA_VERSION} || _die "Failed to pull Kibana"
 
-# Generate certificates if using mTLS
-if [ "$AUTH_MODE" = "mtls" ]; then
-    bash ./scripts/generate-ca.sh || _die "Failed to generate CA certificate"
-    bash ./scripts/generate-server-cert.sh || _die "Failed to generate server certificate"
+# Initialize API keys file if it doesn't exist
+if [ ! -f "${CONFIG_PATH}/api-keys.yml" ]; then
+    echo "No API keys configured yet."
+    echo "Run ./generate-api-key.sh to add client keys"
+    mkdir -p "${CONFIG_PATH}"
+    echo "api_keys:" > "${CONFIG_PATH}/api-keys.yml"
 fi
 
 # Start the ELK stack
@@ -55,8 +57,6 @@ echo "Username: elastic"
 echo "Password: ${KIBANA_PASSWORD}"
 echo ""
 echo "Logstash listening on port ${LOGSTASH_BEATS_PORT} for Filebeat clients"
-if [ "$AUTH_MODE" = "mtls" ]; then
-    echo "Authentication: mTLS (generate client certs with ./scripts/generate-client-cert.sh)"
-elif [ "$AUTH_MODE" = "apikey" ]; then
-    echo "Authentication: API Keys (generate with ./scripts/generate-api-key.sh)"
-fi
+echo ""
+echo "To add client authentication:"
+echo "  ./generate-api-key.sh"