ELK日志分析平台(五)----启用xpack安全验证

1. 启用xpack安全验证

1.1 设置使用logstach

[root@server4 filebeat]# vim filebeat.yml 
[root@server4 filebeat]# systemctl restart filebeat.service    ##重启filebeat服务

1.2 启动xpack安全验证

- 1. 集群模式需要先创建证书：
	# cd /usr/share/elasticsearch/
	# bin/elasticsearch-certutil ca
	# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
	# cp elastic-certificates.p12 elastic-stack-ca.p12 /etc/elasticsearch
	# cd /etc/elasticsearch
	# chown elasticsearch elastic-certificates.p12 elastic-stack-ca.p12

- 配置所有的elasticsearch集群节点：
	# vim /etc/elasticsearch/elasticsearch.yml
		xpack.security.enabled: true
		xpack.security.transport.ssl.enabled: true
		xpack.security.transport.ssl.verification_mode: certificate
		xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
		xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

- ES集群重启正常后，设置用户密码
- 	[root@server2 ~]# /usr/share/elasticsearch/bin/elasticsearch-setup-passwords interactive  ##交互式设置命令
- 


- 2.设置kibana连接ES的用户密码：
	# vim /etc/kibana/kibana.yml
		elasticsearch.username: "kibana"
		elasticsearch.password: "westos"

- 3. 设置Logstash连接ES用户密码:
		output {
		        elasticsearch {
		                hosts => "172.25.0.13:9200"
		                index => "apachelog-%{+YYYY.MM.dd}"
				 user => "elastic"
				 password => "westos"
		        }
		}

- 4. head访问：
	http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type	//添加参数到es配置
	http://172.25.0.13:9100/?auth_user=elastic&auth_password=westos

1.2.1 ES集群进行安全认证

#1. 创建证书
[root@server2 ~]# cd /usr/share/elasticsearch/
[root@server2 elasticsearch]# bin/elasticsearch-certutil ca
[root@server2 elasticsearch]# bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12
[root@server2 elasticsearch]# cp elastic-certificates.p12 elastic-stack-ca.p12 /etc/elasticsearch
[root@server2 elasticsearch]# cd /etc/elasticsearch/
[root@server2 elasticsearch]# chown elasticsearch elastic-certificates.p12 elastic-stack-ca.p12

1.2.2 配置所有的elasticsearch集群节点

##将证书发送到每个节点，并且设置好相应的权限。所有节点操作都一样，完了配置下面文件.文件都发给其他节点
[root@server2 elasticsearch]# vim /etc/elasticsearch/elasticsearch.yml
xpack.security.enabled: true
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: /etc/elasticsearch/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: /etc/elasticsearch/elastic-certificates.p12

1.3 head访问

[root@server2 elasticsearch]# vim elasticsearch.yml  ##每一个节点都加
http.cors.allow-headers: Authorization,X-Requested-With,Content-Length,Content-Type
[root@server2 elasticsearch]# systemctl restart elasticsearch.service  ##每个节点重启服务

1.4 创建用户和密码

[root@server2 elasticsearch]# cd /usr/share/elasticsearch/
[root@server2 elasticsearch]# cd bin/
[root@server2 bin]# ./elasticsearch-setup-passwords interactive

1.5 网页访问

http://172.25.13.2:9100/?auth_user=elastic&auth_password=westos

1.6 运行logstash

[root@server6 conf.d]# cat apache.conf
input {
    
    
        file {
    
    
 	path => "/var/log/httpd/access_log"
	start_position => "beginning"
        }
      }

filter {
    
    
      grok {
    
    
        match => {
    
     "message" => "%{HTTPD_COMBINEDLOG}" }
      }
}

output {
    
    
	stdout {
    
    }
	elasticsearch {
    
    
	hosts => ["172.25.13.2:9200"]
	index => "apache-%{+yyyy.MM.dd}"
	user => "elastic"   ##需要设置密码
	password => "westos"
	}
}

1.7 配置kibana

#设置kibana连接ES的用户密码：
# vim /etc/kibana/kibana.yml
elasticsearch.username: "kibana"
elasticsearch.password: "westos"