diff --git a/admin-guide/configuration/central_logging_elastic.md b/admin-guide/configuration/central_logging_elastic.md
index 75f05dc3..108b2d1d 100644
--- a/admin-guide/configuration/central_logging_elastic.md
+++ b/admin-guide/configuration/central_logging_elastic.md
@@ -5,21 +5,34 @@ To ship the logs of a system to the central logging service (Elastic) following
 1. Have a space in Elastic to ship the logs to
 2. Have a space API key
 
-Both prerequisites you can check with / talk to Michel Rebmann (michel.rebmann@psi.ch) / Group 9522
+Both prerequisites you can check with / talk to Michel Rebmann (michel.rebmann@psi.ch) / Group 9522, which will provide a configuration similar to the following:
 
+```
+{
+  "id" : "${space_id}",
+  "name" : "input_${space_name}",
+  "api_key" : "${space_api_key}",
+  "encoded" : "${space_encoded_key}"
+}
+```
 
 Afterwards the log shipping can be configures as follows in hiera:
 
 ```
 base::enable_elastic: true
-elastic::space: 'lx'
-elastic::space_api_key: 'yoursuperstrangeapikey'
+elastic::space: "${space_name}"
+elastic::space_api_key: "${space_id}:${space_api_key}"  # The resulting string should be encrypted
 ```
 
 ```{note}
 Replace the space name as well as the space_api_key according to your setup.
 ```
 
+Notice that `space` contains the `name` without the `input_` prefix, while `space_api_key` contains a `:`-separated value: 
+* the first part corresponds to the `id` of the space,
+* the second part corresponds to the `api_key`.
+* The resulting string `"${space_id}:${space_api_key}"` **should be encrypted** with [eyaml](https://linux.psi.ch/admin-guide/puppet/hiera.html?highlight=eyaml#encrypting-data-with-the-public-key)
+
 By default __all__ journald logs are shipped to the central Elastic instance. If you want to __limit__ the logs to specific units, the units can be specified as follows:
 
 ```